added keycloak service

hosts/servers/alexandria/services.nix

@@ -7,6 +7,11 @@
       owner = "paperless";
       group = "hosted";
     };
+    keycloakpg-pass = {
+      file = ../../../secrets/keycloakpg-pass.age;
+      owner = "user";
+      group = "hosted";
+    };
   };
 
   services = {
@@ -33,6 +38,24 @@
       group = "hosted";
     };
 
+    keycloak = {
+      enable = true;
+      database = {
+        type = "postgresql";
+        createLocally = true;
+        username = "keycloak";
+        passwordFile = config.age.secrets.keycloakpg-pass.path;
+      };
+      settings = {
+        hostname = "baduhai.me";
+        http-relative-path = "/cloak";
+        http-port = lib.toInt "${config.ports.keycloak}";
+        proxy = "passthrough";
+        http-enabled = true;
+        initialAdminPassword = "changeme";
+      };
+    };
+
     minecraft-server = {
       enable = true;
       eula = true;
@@ -57,7 +80,13 @@
       recommendedProxySettings = true;
       recommendedTlsSettings = true;
       virtualHosts = {
-        "baduhai.me" = { useACMEHost = "baduhai.me"; forceSSL = true; kTLS = true; root = inputs.homepage; };
+        "baduhai.me" = {
+          useACMEHost = "baduhai.me";
+          forceSSL = true;
+          kTLS = true;
+          root = inputs.homepage;
+          locations."/cloak/".proxyPass = "http://127.0.0.1:${config.ports.keycloak}/cloak/";
+        };
         "bazarr.baduhai.me" = { useACMEHost = "baduhai.me"; forceSSL = true; kTLS = true; locations."/".proxyPass = "http://127.0.0.1:${config.ports.bazaar}"; };
         "bitwarden.baduhai.me" = { useACMEHost = "baduhai.me"; forceSSL = true; kTLS = true; locations."/".proxyPass = "http://127.0.0.1:${config.ports.vaultwarden}"; };
         "cinny.baduhai.me" = { useACMEHost = "baduhai.me"; forceSSL = true; kTLS = true; locations."/".proxyPass = "http://127.0.0.1:${config.ports.cinny}"; };
@@ -73,8 +102,8 @@
         "sonarr.baduhai.me" = { useACMEHost = "baduhai.me"; forceSSL = true; kTLS = true; locations."/".proxyPass = "http://127.0.0.1:${config.ports.sonarr}"; };
         "sync.baduhai.me" = { useACMEHost = "baduhai.me"; forceSSL = true; kTLS = true; locations."/".proxyPass = "http://127.0.0.1:${config.ports.syncthing}"; };
         "whoogle.baduhai.me" = { useACMEHost = "baduhai.me"; forceSSL = true; kTLS = true; locations."/".proxyPass = "http://127.0.0.1:${config.ports.whoogle}"; };
+      };
     };
-  };
 
     paperless = {
       enable = true;
@@ -88,6 +117,8 @@
       };
     };
 
+    postgresql.enable = true;
+
     qbittorrent = {
       enable = true;
       user = "user";

hosts/servers/alexandria/variables.nix

@@ -22,6 +22,7 @@ in
     jellyfin            = mkStringOption "8096";
     whoogle             = mkStringOption "8007";
     qbittorrent         = mkStringOption "8008";
+    keycloak            = mkStringOption "8009";
     sonarr              = mkStringOption "8989";
     jackett             = mkStringOption "9117";
   };

secrets/keycloakpg-pass.age

@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 SP9f6A DH+OPIjNpoPzAR2lBcWK6pGxLxVOT5GYO+cv8RFiShY
+tYmZD4rjyyZ7f+AKO7F4awGhkMTaMtLy/m2GixEKoD0
+-> ssh-ed25519 J6tVTA t+dbGkgho9+2EVD0e1E6wpHYX4LkoeOOckrIv3IjrhA
+Rp2W2+AzY55aFLiHuyDf2sX5aKm2lKV2b2oWBxdia3c
+-> =]sa>-grease _0gk(L an-* 0=Q"|=
+sVKQXYirZvI
+--- JGBE8D8b1ji7xqeoF2stjMAWR/JsIWTEPFbhCx4n+Sg
+²BK”jd)~O¥-·t§¦ìQ;¼ÅÑžØÁ™Kúá6bóBN ÑÓÉlD<6C>è÷Û=^Ó¢àܪä=YH

secrets/secrets.nix

@@ -1,13 +1,14 @@
 let
   io = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKCIrKJk5zWzWEHvLMPMK8T3PyeBjsCsqzxPN+OrXfhA";
   desktops = [ io ];
-  
+
   alexandria = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK95QueW+jp1ZmF299Xr3XkgHJ6dL7aZVsfWxqbOKVKA";
   servers = [ alexandria ];
-  
+
   all-hosts = desktops ++ servers;
 in
 {
   "cloudflare-creds.age".publicKeys = all-hosts;
+  "keycloakpg-pass.age".publicKeys = all-hosts;
   "paperless-pass.age".publicKeys = all-hosts;
 }