jawz/NixOS
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: jawz:weekly-2025-12-15
Branches Tags
jawz:main jawz:keycloak
jawz:weekly-2025-12-29 jawz:weekly-2025-12-15 jawz:weekly-2025-12-08 jawz:weekly-2025-12-05 jawz:weekly-2025-12-01 jawz:weekly-2025-11-28
..
compare: jawz:303cd2db36e4917b034f727cef923fe304a78f2c
Branches Tags
jawz:main jawz:keycloak
jawz:weekly-2025-12-29 jawz:weekly-2025-12-15 jawz:weekly-2025-12-08 jawz:weekly-2025-12-05 jawz:weekly-2025-12-01 jawz:weekly-2025-11-28

4 Commits
weekly-202 ... 303cd2db36

Author SHA1 Message Date
Danilo Reyes
303cd2db36 Add SOPS secrets for Keycloak database password and update configuration 2025-12-10 02:12:06 -06:00
Danilo Reyes
2cd3afe2b3 Rename Keycloak database configuration key from 'databaseName' to 'name' 2025-12-10 02:06:28 -06:00
Danilo Reyes
92492b6323 Update Keycloak database configuration to use 'databaseName' instead of 'database' 2025-12-10 02:04:17 -06:00
Danilo Reyes
6d5ae474c6 keycloak init 2025-12-10 02:00:12 -06:00
4 changed files with 124 additions and 33 deletions
Expand all files Collapse all files

39
TODO.md Normal file
View File

@@ -0,0 +1,39 @@
# Keycloak SSO Rollout (Server)
## Compatible services to cover (assume up-to-date versions)
- Gitea (OAuth2/OIDC)
- Nextcloud (Social Login app)
- Paperless-ngx (OIDC)
- Mealie (OIDC v1+)
- Jellyfin (OIDC plugin)
- Kavita (OIDC-capable builds)
- Readeck (OIDC-capable builds)
- Audiobookshelf (OIDC-capable builds)
- Matrix Synapse intentionally excluded (see below) but natively OIDC if needed
## Explicit exclusions (no SSO for now)
- Syncplay
- Matrix/Synapse
- Arr stack (sonarr, radarr, lidarr, prowlarr, bazarr)
- qbittorrent
- sabnzbd
- metube
- multi-scrobbler
- microbin
- ryot
- maloja
- plex
- atticd
## Phased rollout plan
1) Base identity
- Add Keycloak deployment/module and realm/client defaults.
2) Gateway/proxy auth
- Add oauth2-proxy (Keycloak provider) + nginx auth_request for non-OIDC apps (e.g., homepage-dashboard, stash).
3) Native OIDC wiring
- Configure native OIDC services (Gitea, Nextcloud, Paperless, Mealie, Jellyfin/Kavita/Readeck/Audiobookshelf) with Keycloak clients.
4) Per-service rollout
- Enable per app in priority order; document client IDs/secrets and callback URLs.
5) Verification
- Smoke-test login flows and cache any needed public keys/metadata.

66
flake.lock generated
View File

@@ -216,11 +216,11 @@
"nixpkgs-lib": "nixpkgs-lib" "nixpkgs-lib": "nixpkgs-lib"
}, },
"locked": { "locked": {
"lastModified": 1765495779, "lastModified": 1763759067,
"narHash": "sha256-MhA7wmo/7uogLxiewwRRmIax70g6q1U/YemqTGoFHlM=", "narHash": "sha256-LlLt2Jo/gMNYAwOgdRQBrsRoOz7BPRkzvNaI/fzXi2Q=",
"owner": "hercules-ci", "owner": "hercules-ci",
"repo": "flake-parts", "repo": "flake-parts",
"rev": "5635c32d666a59ec9a55cab87e898889869f7b71", "rev": "2cccadc7357c0ba201788ae99c4dfa90728ef5e0",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -234,11 +234,11 @@
"nixpkgs-lib": "nixpkgs-lib_2" "nixpkgs-lib": "nixpkgs-lib_2"
}, },
"locked": { "locked": {
"lastModified": 1765495779, "lastModified": 1763759067,
"narHash": "sha256-MhA7wmo/7uogLxiewwRRmIax70g6q1U/YemqTGoFHlM=", "narHash": "sha256-LlLt2Jo/gMNYAwOgdRQBrsRoOz7BPRkzvNaI/fzXi2Q=",
"owner": "hercules-ci", "owner": "hercules-ci",
"repo": "flake-parts", "repo": "flake-parts",
"rev": "5635c32d666a59ec9a55cab87e898889869f7b71", "rev": "2cccadc7357c0ba201788ae99c4dfa90728ef5e0",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -404,11 +404,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1765605144, "lastModified": 1765170903,
"narHash": "sha256-RM2xs+1HdHxesjOelxoA3eSvXShC8pmBvtyTke4Ango=", "narHash": "sha256-O8VTGey1xxiRW+Fpb+Ps9zU7ShmxUA1a7cMTcENCVNg=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "90b62096f099b73043a747348c11dbfcfbdea949", "rev": "20561be440a11ec57a89715480717baf19fe6343",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -495,11 +495,11 @@
"xdph": "xdph" "xdph": "xdph"
}, },
"locked": { "locked": {
"lastModified": 1765741609, "lastModified": 1765141510,
"narHash": "sha256-mBDW/2NPaxXw68ledipQYSL6GGU+/CCsObondH22+no=", "narHash": "sha256-IjlKl72fJ40zZFiag9VTF37249jHCRHAE4RP7bI0OXA=",
"owner": "hyprwm", "owner": "hyprwm",
"repo": "Hyprland", "repo": "Hyprland",
"rev": "7ccc57eb7cacded5e7a8835b705bba48963d3cb3", "rev": "a5b7c91329313503e8864761f24ef43fb630f35c",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -788,11 +788,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1765764448, "lastModified": 1765073338,
"narHash": "sha256-GHM40ltWiRnGYvhcLRaNWXZoyGUOL4FgB0U7muHjn9s=", "narHash": "sha256-UGkNtTs0E1SzskcUkkkWoh3vfZwPiHrk0SMRoQL86oE=",
"owner": "fufexan", "owner": "fufexan",
"repo": "nix-gaming", "repo": "nix-gaming",
"rev": "7f4e526e0a1badaaea208a0180199d1d26596fa3", "rev": "7480cfb8bba3e352edf2c9334ff4b7c3ac84eb87",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -903,11 +903,11 @@
}, },
"nixpkgs-small": { "nixpkgs-small": {
"locked": { "locked": {
"lastModified": 1765750102, "lastModified": 1765178948,
"narHash": "sha256-0VK0PKOmryh4V2aBakcTpgshQZ7qRsRRwDm7Eqhs1ZI=", "narHash": "sha256-Kb3mIrj4xLg2LeMvok0tpiGPis1VnrNJO0l4kW+0xmc=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "8e8751ad07080fe4d5737a0430cd5c1d3ba5c005", "rev": "f376a52d0dc796aec60b5606a2676240ff1565b9",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -919,11 +919,11 @@
}, },
"nixpkgs-unstable": { "nixpkgs-unstable": {
"locked": { "locked": {
"lastModified": 1765472234, "lastModified": 1764950072,
"narHash": "sha256-9VvC20PJPsleGMewwcWYKGzDIyjckEz8uWmT0vCDYK0=", "narHash": "sha256-BmPWzogsG2GsXZtlT+MTcAWeDK5hkbGRZTeZNW42fwA=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "2fbfb1d73d239d2402a8fe03963e37aab15abe8b", "rev": "f61125a668a320878494449750330ca58b78c557",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -935,11 +935,11 @@
}, },
"nixpkgs_2": { "nixpkgs_2": {
"locked": { "locked": {
"lastModified": 1765762245, "lastModified": 1764983851,
"narHash": "sha256-3iXM/zTqEskWtmZs3gqNiVtRTsEjYAedIaLL0mSBsrk=", "narHash": "sha256-y7RPKl/jJ/KAP/VKLMghMgXTlvNIJMHKskl8/Uuar7o=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "c8cfcd6ccd422e41cc631a0b73ed4d5a925c393d", "rev": "d9bc5c7dceb30d8d6fafa10aeb6aa8a48c218454",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -978,11 +978,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1765790735, "lastModified": 1765185832,
"narHash": "sha256-KZqns0oFKXtBpmhk7QIsoMQLFepTGVt+2adnTMSDCus=", "narHash": "sha256-z8duEjztk7g+Zm4DbZfAAYMAqb+ooaNPuOBhpvx7TiU=",
"owner": "nix-community", "owner": "nix-community",
"repo": "nur", "repo": "nur",
"rev": "88f0edd08dde26877c8e407ccdb2ed6d1449a7a5", "rev": "7be17d29475559cb8d7e35b5ed185b5a8ed8d7b6",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -1085,11 +1085,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1765684837, "lastModified": 1765079830,
"narHash": "sha256-fJCnsYcpQxxy/wit9EBOK33c0Z9U4D3Tvo3gf2mvHos=", "narHash": "sha256-i9GMbBLkeZ7MVvy7+aAuErXkBkdRylHofrAjtpUPKt8=",
"owner": "Mic92", "owner": "Mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "94d8af61d8a603d33d1ed3500a33fcf35ae7d3bc", "rev": "aeb517262102f13683d7a191c7e496b34df8d24c",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -1119,11 +1119,11 @@
"tinted-zed": "tinted-zed" "tinted-zed": "tinted-zed"
}, },
"locked": { "locked": {
"lastModified": 1765478257, "lastModified": 1765065096,
"narHash": "sha256-GMCAQgs+h4aHhLP3LF6JxI5uNg+fLPlRhHwRrJJ+3+Y=", "narHash": "sha256-abrrONk8vzRtY6fHEkjZOyRJpKHjPlFqMBE0+/DxfAU=",
"owner": "danth", "owner": "danth",
"repo": "stylix", "repo": "stylix",
"rev": "a7fb3944d1fb4daa073ba82e1a9d34b5f05adb9f", "rev": "84d9d55885d463d461234f3aac07b2389a2577d8",
"type": "github" "type": "github"
}, },
"original": { "original": {

51
modules/servers/keycloak.nix Normal file
View File

@@ -0,0 +1,51 @@
{
lib,
config,
inputs,
...
}:
let
setup = import ../factories/mkserver.nix { inherit lib config; };
cfg = config.my.servers.keycloak;
in
{
options.my.servers.keycloak = setup.mkOptions "keycloak" "auth" 8090;
config = lib.mkIf (cfg.enable && config.my.secureHost) {
sops.secrets."keycloak/admin_password" = {
sopsFile = ../../secrets/secrets.yaml;
owner = "keycloak";
group = "keycloak";
};
sops.secrets."keycloak/db_password" = {
sopsFile = ../../secrets/secrets.yaml;
owner = "keycloak";
group = "keycloak";
};
services.keycloak = {
inherit (cfg) enable;
database = {
type = "postgresql";
host = "localhost";
createLocally = false;
username = "keycloak";
name = "keycloak";
passwordFile = config.sops.secrets."keycloak/db_password".path;
};
settings = {
hostname = cfg.host;
"hostname-strict" = true;
"hostname-strict-https" = false;
"http-enabled" = true;
"http-port" = cfg.port;
"proxy" = "edge";
};
};
systemd.services.keycloak = {
serviceConfig = {
EnvironmentFile = config.sops.secrets."keycloak/admin_password".path;
};
};
services.nginx.virtualHosts.${cfg.host} =
lib.mkIf (cfg.enableProxy && config.my.enableProxy) (inputs.self.lib.proxyReverseFix cfg);
};
}

1
modules/servers/postgres.nix
View File

@@ -40,6 +40,7 @@ let
"sonarqube" "sonarqube"
"gitea" "gitea"
"atticd" "atticd"
"keycloak"
]; ];
in in
{ {