Add SOPS secrets for Keycloak database password and update configuration

2025-12-10 02:12:06 -06:00
parent 2cd3afe2b3
commit 303cd2db36
1 changed files with 13 additions and 6 deletions
--- a/modules/servers/keycloak.nix
+++ b/modules/servers/keycloak.nix
@@ -16,17 +16,20 @@ in
      owner = "keycloak";
      group = "keycloak";
    };
+    sops.secrets."keycloak/db_password" = {
+      sopsFile = ../../secrets/secrets.yaml;
+      owner = "keycloak";
+      group = "keycloak";
+    };
    services.keycloak = {
      inherit (cfg) enable;
      database = {
        type = "postgresql";
-        host = config.my.postgresSocket;
+        host = "localhost";
+        createLocally = false;
        username = "keycloak";
        name = "keycloak";
-      };
-      initialAdmin = {
-        user = "admin";
-        passwordFile = config.sops.secrets."keycloak/admin_password".path;
+        passwordFile = config.sops.secrets."keycloak/db_password".path;
      };
      settings = {
        hostname = cfg.host;
@@ -35,7 +38,11 @@ in
        "http-enabled" = true;
        "http-port" = cfg.port;
        "proxy" = "edge";
-        "frontend-url" = cfg.url;
+      };
+    };
+    systemd.services.keycloak = {
+      serviceConfig = {
+        EnvironmentFile = config.sops.secrets."keycloak/admin_password".path;
      };
    };
    services.nginx.virtualHosts.${cfg.host} =