use merge to segment the complex nginx proxy settings

2026-02-05 05:32:46 -06:00
parent 2a290f2fe2
commit 08cc3379ad
7 changed files with 357 additions and 337 deletions
--- a/modules/servers/keycloak.nix
+++ b/modules/servers/keycloak.nix
@@ -10,35 +10,38 @@ let
 in
 {
  options.my.servers.keycloak = setup.mkOptions "keycloak" "auth" 8090;
-  config = lib.mkIf (cfg.enable && config.my.secureHost) {
-    sops.secrets.postgres-password.sopsFile = ../../secrets/secrets.yaml;
-    sops.secrets.keycloak = {
-      sopsFile = ../../secrets/env.yaml;
-      restartUnits = [ "keycloak.service" ];
-    };
-    services.keycloak = {
-      inherit (cfg) enable;
-      database = {
-        type = "postgresql";
-        host = "localhost";
-        createLocally = false;
-        username = "keycloak";
-        name = "keycloak";
-        passwordFile = config.sops.secrets.postgres-password.path;
+  config = lib.mkMerge [
+    (lib.mkIf (cfg.enable && config.my.secureHost) {
+      sops.secrets.postgres-password.sopsFile = ../../secrets/secrets.yaml;
+      sops.secrets.keycloak = {
+        sopsFile = ../../secrets/env.yaml;
+        restartUnits = [ "keycloak.service" ];
      };
-      settings = {
-        hostname = cfg.host;
-        hostname-strict = true;
-        hostname-strict-https = false;
-        http-enabled = true;
-        http-port = cfg.port;
-        http-host = cfg.ip;
-        proxy-headers = "xforwarded";
+      services.keycloak = {
+        inherit (cfg) enable;
+        database = {
+          type = "postgresql";
+          host = "localhost";
+          createLocally = false;
+          username = "keycloak";
+          name = "keycloak";
+          passwordFile = config.sops.secrets.postgres-password.path;
+        };
+        settings = {
+          hostname = cfg.host;
+          hostname-strict = true;
+          hostname-strict-https = false;
+          http-enabled = true;
+          http-port = cfg.port;
+          http-host = cfg.ip;
+          proxy-headers = "xforwarded";
+        };
      };
-    };
-    systemd.services.keycloak.serviceConfig.EnvironmentFile = config.sops.secrets.keycloak.path;
-    services.nginx.virtualHosts.${cfg.host} = lib.mkIf (cfg.enableProxy && config.my.enableProxy) (
-      inputs.self.lib.proxyReverseFix cfg
-    );
-  };
+      systemd.services.keycloak.serviceConfig.EnvironmentFile = config.sops.secrets.keycloak.path;
+    })
+    (lib.mkIf (cfg.enableProxy && config.my.enableProxy) {
+      my.servers.keycloak.useDefaultProxy = false;
+      services.nginx.virtualHosts.${cfg.host} = inputs.self.lib.proxyReverseFix cfg;
+    })
+  ];
 }