From d8a1802b3ed804fb26c50a6f23036aede1ac1182 Mon Sep 17 00:00:00 2001
From: Vincent Ambo <mail@tazj.in>
Date: Sat, 25 Dec 2021 17:06:15 +0300
Subject: feat(whitby): Configure initial Keycloak setup

Trialing this as an alternative to CAS that is a little easier to
configure and can help us delegate authentication to other OIDC
services.

Change-Id: Iad63724d349334910af8fed0b148e4ba428f796b
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4608
Tested-by: BuildkiteCI
Autosubmit: tazjin <mail@tazj.in>
Reviewed-by: lukegb <lukegb@tvl.fyi>
---
 ops/machines/whitby/default.nix | 35 ++++++++++++++++++++++++++++++++++-
 1 file changed, 34 insertions(+), 1 deletion(-)

(limited to 'ops/machines/whitby/default.nix')

diff --git a/ops/machines/whitby/default.nix b/ops/machines/whitby/default.nix
index dbd8c61640..045e037fda 100644
--- a/ops/machines/whitby/default.nix
+++ b/ops/machines/whitby/default.nix
@@ -23,6 +23,7 @@ in {
     "${depot.path}/ops/modules/tvl-slapd/default.nix"
     "${depot.path}/ops/modules/tvl-sso/default.nix"
     "${depot.path}/ops/modules/www/atward.tvl.fyi.nix"
+    "${depot.path}/ops/modules/www/auth.tvl.fyi.nix"
     "${depot.path}/ops/modules/www/b.tvl.fyi.nix"
     "${depot.path}/ops/modules/www/cache.tvl.su.nix"
     "${depot.path}/ops/modules/www/cl.tvl.fyi.nix"
@@ -210,6 +211,7 @@ in {
       gerrit-queue.file = secretFile "gerrit-queue";
       grafana.file = secretFile "grafana";
       irccat.file = secretFile "irccat";
+      keycloak-db.file = secretFile "keycloak-db";
       nix-cache-priv.file = secretFile "nix-cache-priv";
       owothia.file = secretFile "owothia";
       panettone.file = secretFile "panettone";
@@ -417,8 +419,9 @@ in {
   services.postgresqlBackup = {
     enable = true;
     databases = [
-      "tvldb"
+      "keycloak"
       "panettone"
+      "tvldb"
     ];
   };
 
@@ -546,9 +549,39 @@ in {
       }];
     };
   };
+
   # Contains GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET.
   systemd.services.grafana.serviceConfig.EnvironmentFile = "/run/agenix/grafana";
 
+  services.keycloak = {
+    enable = true;
+    httpPort = "5925"; # "kycl"
+    frontendUrl = "https://auth.tvl.fyi/auth/";
+
+    database = {
+      type = "postgresql";
+      passwordFile = "/run/agenix/keycloak-db";
+      createLocally = false;
+    };
+
+    # Configure Keycloak to look at forwarded headers from the reverse
+    # proxy.
+    extraConfig = {
+      "subsystem=undertow" = {
+        "server=default-server" = {
+          "http-listener=default" = {
+            proxy-address-forwarding = "true";
+          };
+        };
+      };
+    };
+  };
+
+  # Allow Keycloak access to the LDAP module by forcing in the JVM
+  # configuration
+  systemd.services.keycloak.environment.PREPEND_JAVA_OPTS =
+    "--add-exports=java.naming/com.sun.jndi.ldap=ALL-UNNAMED";
+
   security.sudo.extraRules = [
     {
       groups = ["wheel"];
-- 
cgit 1.4.1