Compare commits
4 Commits
weekly-202
...
303cd2db36
| Author | SHA1 | Date | |
|---|---|---|---|
|
303cd2db36 | ||
|
|
2cd3afe2b3 | ||
|
|
92492b6323 | ||
|
|
6d5ae474c6 |
39
TODO.md
Normal file
39
TODO.md
Normal file
@@ -0,0 +1,39 @@
|
|||||||
|
# Keycloak SSO Rollout (Server)
|
||||||
|
|
||||||
|
## Compatible services to cover (assume up-to-date versions)
|
||||||
|
- Gitea (OAuth2/OIDC)
|
||||||
|
- Nextcloud (Social Login app)
|
||||||
|
- Paperless-ngx (OIDC)
|
||||||
|
- Mealie (OIDC v1+)
|
||||||
|
- Jellyfin (OIDC plugin)
|
||||||
|
- Kavita (OIDC-capable builds)
|
||||||
|
- Readeck (OIDC-capable builds)
|
||||||
|
- Audiobookshelf (OIDC-capable builds)
|
||||||
|
- Matrix Synapse – intentionally excluded (see below) but natively OIDC if needed
|
||||||
|
|
||||||
|
## Explicit exclusions (no SSO for now)
|
||||||
|
- Syncplay
|
||||||
|
- Matrix/Synapse
|
||||||
|
- Arr stack (sonarr, radarr, lidarr, prowlarr, bazarr)
|
||||||
|
- qbittorrent
|
||||||
|
- sabnzbd
|
||||||
|
- metube
|
||||||
|
- multi-scrobbler
|
||||||
|
- microbin
|
||||||
|
- ryot
|
||||||
|
- maloja
|
||||||
|
- plex
|
||||||
|
- atticd
|
||||||
|
|
||||||
|
## Phased rollout plan
|
||||||
|
1) Base identity
|
||||||
|
- Add Keycloak deployment/module and realm/client defaults.
|
||||||
|
2) Gateway/proxy auth
|
||||||
|
- Add oauth2-proxy (Keycloak provider) + nginx auth_request for non-OIDC apps (e.g., homepage-dashboard, stash).
|
||||||
|
3) Native OIDC wiring
|
||||||
|
- Configure native OIDC services (Gitea, Nextcloud, Paperless, Mealie, Jellyfin/Kavita/Readeck/Audiobookshelf) with Keycloak clients.
|
||||||
|
4) Per-service rollout
|
||||||
|
- Enable per app in priority order; document client IDs/secrets and callback URLs.
|
||||||
|
5) Verification
|
||||||
|
- Smoke-test login flows and cache any needed public keys/metadata.
|
||||||
|
|
||||||
51
modules/servers/keycloak.nix
Normal file
51
modules/servers/keycloak.nix
Normal file
@@ -0,0 +1,51 @@
|
|||||||
|
{
|
||||||
|
lib,
|
||||||
|
config,
|
||||||
|
inputs,
|
||||||
|
...
|
||||||
|
}:
|
||||||
|
let
|
||||||
|
setup = import ../factories/mkserver.nix { inherit lib config; };
|
||||||
|
cfg = config.my.servers.keycloak;
|
||||||
|
in
|
||||||
|
{
|
||||||
|
options.my.servers.keycloak = setup.mkOptions "keycloak" "auth" 8090;
|
||||||
|
config = lib.mkIf (cfg.enable && config.my.secureHost) {
|
||||||
|
sops.secrets."keycloak/admin_password" = {
|
||||||
|
sopsFile = ../../secrets/secrets.yaml;
|
||||||
|
owner = "keycloak";
|
||||||
|
group = "keycloak";
|
||||||
|
};
|
||||||
|
sops.secrets."keycloak/db_password" = {
|
||||||
|
sopsFile = ../../secrets/secrets.yaml;
|
||||||
|
owner = "keycloak";
|
||||||
|
group = "keycloak";
|
||||||
|
};
|
||||||
|
services.keycloak = {
|
||||||
|
inherit (cfg) enable;
|
||||||
|
database = {
|
||||||
|
type = "postgresql";
|
||||||
|
host = "localhost";
|
||||||
|
createLocally = false;
|
||||||
|
username = "keycloak";
|
||||||
|
name = "keycloak";
|
||||||
|
passwordFile = config.sops.secrets."keycloak/db_password".path;
|
||||||
|
};
|
||||||
|
settings = {
|
||||||
|
hostname = cfg.host;
|
||||||
|
"hostname-strict" = true;
|
||||||
|
"hostname-strict-https" = false;
|
||||||
|
"http-enabled" = true;
|
||||||
|
"http-port" = cfg.port;
|
||||||
|
"proxy" = "edge";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
systemd.services.keycloak = {
|
||||||
|
serviceConfig = {
|
||||||
|
EnvironmentFile = config.sops.secrets."keycloak/admin_password".path;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
services.nginx.virtualHosts.${cfg.host} =
|
||||||
|
lib.mkIf (cfg.enableProxy && config.my.enableProxy) (inputs.self.lib.proxyReverseFix cfg);
|
||||||
|
};
|
||||||
|
}
|
||||||
@@ -40,6 +40,7 @@ let
|
|||||||
"sonarqube"
|
"sonarqube"
|
||||||
"gitea"
|
"gitea"
|
||||||
"atticd"
|
"atticd"
|
||||||
|
"keycloak"
|
||||||
];
|
];
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
|
|||||||
Reference in New Issue
Block a user