From 303cd2db36e4917b034f727cef923fe304a78f2c Mon Sep 17 00:00:00 2001
From: Danilo Reyes
Date: Wed, 10 Dec 2025 02:12:06 -0600
Subject: [PATCH] Add SOPS secrets for Keycloak database password and update configuration

---
 modules/servers/keycloak.nix | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)

diff --git a/modules/servers/keycloak.nix b/modules/servers/keycloak.nix
index b172128..2aab379 100644
--- a/modules/servers/keycloak.nix
+++ b/modules/servers/keycloak.nix
@@ -16,17 +16,20 @@ in
       owner = "keycloak";
       group = "keycloak";
     };
+    sops.secrets."keycloak/db_password" = {
+      sopsFile = ../../secrets/secrets.yaml;
+      owner = "keycloak";
+      group = "keycloak";
+    };
     services.keycloak = {
       inherit (cfg) enable;
       database = {
         type = "postgresql";
-        host = config.my.postgresSocket;
+        host = "localhost";
+        createLocally = false;
         username = "keycloak";
         name = "keycloak";
-      };
-      initialAdmin = {
-        user = "admin";
-        passwordFile = config.sops.secrets."keycloak/admin_password".path;
+        passwordFile = config.sops.secrets."keycloak/db_password".path;
       };
       settings = {
         hostname = cfg.host;
@@ -35,7 +38,11 @@ in
         "http-enabled" = true;
         "http-port" = cfg.port;
         "proxy" = "edge";
-        "frontend-url" = cfg.url;
+      };
+    };
+    systemd.services.keycloak = {
+      serviceConfig = {
+        EnvironmentFile = config.sops.secrets."keycloak/admin_password".path;
       };
     };
     services.nginx.virtualHosts.${cfg.host} =
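Review bot: With `host = "localhost"` and `createLocally = false`, the Keycloak module no longer provisions the `keycloak` role or database, so the role, its password (the plaintext of the new `keycloak/db_password` secret) and a `pg_hba` rule permitting password authentication for `keycloak` over loopback TCP must exist elsewhere, and nothing in this hunk shows where that is done. The replaced value `config.my.postgresSocket` suggests the previous connection was over a Unix socket, where local/peer authentication may have sufficed; switching to TCP is what makes the password necessary, and that should be stated above `host`, e.g. `# TCP to the local PostgreSQL; role and password are provisioned outside this module (createLocally = false)`. It is also worth confirming whether the module's database TLS setting (if one applies) is what you intend for a loopback connection, since the hunk does not set it. The enclosing `services.keycloak` attribute set continues past this hunk.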
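Review bot: `EnvironmentFile` on the new `systemd.services.keycloak` block expects `KEY=VALUE` lines, but the same `keycloak/admin_password` secret was previously consumed through `initialAdmin.passwordFile`, which implies its content was a bare password; unless the encrypted value in `secrets.yaml` was rewritten to `<ADMIN_PASSWORD_VAR>=<password>` for whichever bootstrap-admin variable this Keycloak version reads, systemd will log a parse warning and the bootstrap admin will get no password. The expected variable name is not visible in this diff, so the format should be documented next to the line: `# keycloak/admin_password must be a KEY=VALUE line for the bootstrap admin password variable, not a bare password`. Note that the password now sits in the service's environment for the process lifetime and is inherited by any child processes, a wider exposure than the previous one-off file read. This hunk closes `services.keycloak`, which begins in the previous hunk.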