Compare commits
4 Commits
weekly-202
...
303cd2db36
| Author | SHA1 | Date | |
|---|---|---|---|
|
303cd2db36 | ||
|
|
2cd3afe2b3 | ||
|
|
92492b6323 | ||
|
|
6d5ae474c6 |
39
TODO.md
Normal file
39
TODO.md
Normal file
@@ -0,0 +1,39 @@
|
||||
# Keycloak SSO Rollout (Server)
|
||||
|
||||
## Compatible services to cover (assume up-to-date versions)
|
||||
- Gitea (OAuth2/OIDC)
|
||||
- Nextcloud (Social Login app)
|
||||
- Paperless-ngx (OIDC)
|
||||
- Mealie (OIDC v1+)
|
||||
- Jellyfin (OIDC plugin)
|
||||
- Kavita (OIDC-capable builds)
|
||||
- Readeck (OIDC-capable builds)
|
||||
- Audiobookshelf (OIDC-capable builds)
|
||||
- Matrix Synapse – intentionally excluded (see below) but natively OIDC if needed
|
||||
|
||||
## Explicit exclusions (no SSO for now)
|
||||
- Syncplay
|
||||
- Matrix/Synapse
|
||||
- Arr stack (sonarr, radarr, lidarr, prowlarr, bazarr)
|
||||
- qbittorrent
|
||||
- sabnzbd
|
||||
- metube
|
||||
- multi-scrobbler
|
||||
- microbin
|
||||
- ryot
|
||||
- maloja
|
||||
- plex
|
||||
- atticd
|
||||
|
||||
## Phased rollout plan
|
||||
1) Base identity
|
||||
- Add Keycloak deployment/module and realm/client defaults.
|
||||
2) Gateway/proxy auth
|
||||
- Add oauth2-proxy (Keycloak provider) + nginx auth_request for non-OIDC apps (e.g., homepage-dashboard, stash).
|
||||
3) Native OIDC wiring
|
||||
- Configure native OIDC services (Gitea, Nextcloud, Paperless, Mealie, Jellyfin/Kavita/Readeck/Audiobookshelf) with Keycloak clients.
|
||||
4) Per-service rollout
|
||||
- Enable per app in priority order; document client IDs/secrets and callback URLs.
|
||||
5) Verification
|
||||
- Smoke-test login flows and cache any needed public keys/metadata.
|
||||
|
||||
66
flake.lock
generated
66
flake.lock
generated
@@ -216,11 +216,11 @@
|
||||
"nixpkgs-lib": "nixpkgs-lib"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1765495779,
|
||||
"narHash": "sha256-MhA7wmo/7uogLxiewwRRmIax70g6q1U/YemqTGoFHlM=",
|
||||
"lastModified": 1763759067,
|
||||
"narHash": "sha256-LlLt2Jo/gMNYAwOgdRQBrsRoOz7BPRkzvNaI/fzXi2Q=",
|
||||
"owner": "hercules-ci",
|
||||
"repo": "flake-parts",
|
||||
"rev": "5635c32d666a59ec9a55cab87e898889869f7b71",
|
||||
"rev": "2cccadc7357c0ba201788ae99c4dfa90728ef5e0",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@@ -234,11 +234,11 @@
|
||||
"nixpkgs-lib": "nixpkgs-lib_2"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1765495779,
|
||||
"narHash": "sha256-MhA7wmo/7uogLxiewwRRmIax70g6q1U/YemqTGoFHlM=",
|
||||
"lastModified": 1763759067,
|
||||
"narHash": "sha256-LlLt2Jo/gMNYAwOgdRQBrsRoOz7BPRkzvNaI/fzXi2Q=",
|
||||
"owner": "hercules-ci",
|
||||
"repo": "flake-parts",
|
||||
"rev": "5635c32d666a59ec9a55cab87e898889869f7b71",
|
||||
"rev": "2cccadc7357c0ba201788ae99c4dfa90728ef5e0",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@@ -404,11 +404,11 @@
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1765605144,
|
||||
"narHash": "sha256-RM2xs+1HdHxesjOelxoA3eSvXShC8pmBvtyTke4Ango=",
|
||||
"lastModified": 1765170903,
|
||||
"narHash": "sha256-O8VTGey1xxiRW+Fpb+Ps9zU7ShmxUA1a7cMTcENCVNg=",
|
||||
"owner": "nix-community",
|
||||
"repo": "home-manager",
|
||||
"rev": "90b62096f099b73043a747348c11dbfcfbdea949",
|
||||
"rev": "20561be440a11ec57a89715480717baf19fe6343",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@@ -495,11 +495,11 @@
|
||||
"xdph": "xdph"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1765741609,
|
||||
"narHash": "sha256-mBDW/2NPaxXw68ledipQYSL6GGU+/CCsObondH22+no=",
|
||||
"lastModified": 1765141510,
|
||||
"narHash": "sha256-IjlKl72fJ40zZFiag9VTF37249jHCRHAE4RP7bI0OXA=",
|
||||
"owner": "hyprwm",
|
||||
"repo": "Hyprland",
|
||||
"rev": "7ccc57eb7cacded5e7a8835b705bba48963d3cb3",
|
||||
"rev": "a5b7c91329313503e8864761f24ef43fb630f35c",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@@ -788,11 +788,11 @@
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1765764448,
|
||||
"narHash": "sha256-GHM40ltWiRnGYvhcLRaNWXZoyGUOL4FgB0U7muHjn9s=",
|
||||
"lastModified": 1765073338,
|
||||
"narHash": "sha256-UGkNtTs0E1SzskcUkkkWoh3vfZwPiHrk0SMRoQL86oE=",
|
||||
"owner": "fufexan",
|
||||
"repo": "nix-gaming",
|
||||
"rev": "7f4e526e0a1badaaea208a0180199d1d26596fa3",
|
||||
"rev": "7480cfb8bba3e352edf2c9334ff4b7c3ac84eb87",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@@ -903,11 +903,11 @@
|
||||
},
|
||||
"nixpkgs-small": {
|
||||
"locked": {
|
||||
"lastModified": 1765750102,
|
||||
"narHash": "sha256-0VK0PKOmryh4V2aBakcTpgshQZ7qRsRRwDm7Eqhs1ZI=",
|
||||
"lastModified": 1765178948,
|
||||
"narHash": "sha256-Kb3mIrj4xLg2LeMvok0tpiGPis1VnrNJO0l4kW+0xmc=",
|
||||
"owner": "nixos",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "8e8751ad07080fe4d5737a0430cd5c1d3ba5c005",
|
||||
"rev": "f376a52d0dc796aec60b5606a2676240ff1565b9",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@@ -919,11 +919,11 @@
|
||||
},
|
||||
"nixpkgs-unstable": {
|
||||
"locked": {
|
||||
"lastModified": 1765472234,
|
||||
"narHash": "sha256-9VvC20PJPsleGMewwcWYKGzDIyjckEz8uWmT0vCDYK0=",
|
||||
"lastModified": 1764950072,
|
||||
"narHash": "sha256-BmPWzogsG2GsXZtlT+MTcAWeDK5hkbGRZTeZNW42fwA=",
|
||||
"owner": "nixos",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "2fbfb1d73d239d2402a8fe03963e37aab15abe8b",
|
||||
"rev": "f61125a668a320878494449750330ca58b78c557",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@@ -935,11 +935,11 @@
|
||||
},
|
||||
"nixpkgs_2": {
|
||||
"locked": {
|
||||
"lastModified": 1765762245,
|
||||
"narHash": "sha256-3iXM/zTqEskWtmZs3gqNiVtRTsEjYAedIaLL0mSBsrk=",
|
||||
"lastModified": 1764983851,
|
||||
"narHash": "sha256-y7RPKl/jJ/KAP/VKLMghMgXTlvNIJMHKskl8/Uuar7o=",
|
||||
"owner": "nixos",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "c8cfcd6ccd422e41cc631a0b73ed4d5a925c393d",
|
||||
"rev": "d9bc5c7dceb30d8d6fafa10aeb6aa8a48c218454",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@@ -978,11 +978,11 @@
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1765790735,
|
||||
"narHash": "sha256-KZqns0oFKXtBpmhk7QIsoMQLFepTGVt+2adnTMSDCus=",
|
||||
"lastModified": 1765185832,
|
||||
"narHash": "sha256-z8duEjztk7g+Zm4DbZfAAYMAqb+ooaNPuOBhpvx7TiU=",
|
||||
"owner": "nix-community",
|
||||
"repo": "nur",
|
||||
"rev": "88f0edd08dde26877c8e407ccdb2ed6d1449a7a5",
|
||||
"rev": "7be17d29475559cb8d7e35b5ed185b5a8ed8d7b6",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@@ -1085,11 +1085,11 @@
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1765684837,
|
||||
"narHash": "sha256-fJCnsYcpQxxy/wit9EBOK33c0Z9U4D3Tvo3gf2mvHos=",
|
||||
"lastModified": 1765079830,
|
||||
"narHash": "sha256-i9GMbBLkeZ7MVvy7+aAuErXkBkdRylHofrAjtpUPKt8=",
|
||||
"owner": "Mic92",
|
||||
"repo": "sops-nix",
|
||||
"rev": "94d8af61d8a603d33d1ed3500a33fcf35ae7d3bc",
|
||||
"rev": "aeb517262102f13683d7a191c7e496b34df8d24c",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@@ -1119,11 +1119,11 @@
|
||||
"tinted-zed": "tinted-zed"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1765478257,
|
||||
"narHash": "sha256-GMCAQgs+h4aHhLP3LF6JxI5uNg+fLPlRhHwRrJJ+3+Y=",
|
||||
"lastModified": 1765065096,
|
||||
"narHash": "sha256-abrrONk8vzRtY6fHEkjZOyRJpKHjPlFqMBE0+/DxfAU=",
|
||||
"owner": "danth",
|
||||
"repo": "stylix",
|
||||
"rev": "a7fb3944d1fb4daa073ba82e1a9d34b5f05adb9f",
|
||||
"rev": "84d9d55885d463d461234f3aac07b2389a2577d8",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
||||
51
modules/servers/keycloak.nix
Normal file
51
modules/servers/keycloak.nix
Normal file
@@ -0,0 +1,51 @@
|
||||
{
|
||||
lib,
|
||||
config,
|
||||
inputs,
|
||||
...
|
||||
}:
|
||||
let
|
||||
setup = import ../factories/mkserver.nix { inherit lib config; };
|
||||
cfg = config.my.servers.keycloak;
|
||||
in
|
||||
{
|
||||
options.my.servers.keycloak = setup.mkOptions "keycloak" "auth" 8090;
|
||||
config = lib.mkIf (cfg.enable && config.my.secureHost) {
|
||||
sops.secrets."keycloak/admin_password" = {
|
||||
sopsFile = ../../secrets/secrets.yaml;
|
||||
owner = "keycloak";
|
||||
group = "keycloak";
|
||||
};
|
||||
sops.secrets."keycloak/db_password" = {
|
||||
sopsFile = ../../secrets/secrets.yaml;
|
||||
owner = "keycloak";
|
||||
group = "keycloak";
|
||||
};
|
||||
services.keycloak = {
|
||||
inherit (cfg) enable;
|
||||
database = {
|
||||
type = "postgresql";
|
||||
host = "localhost";
|
||||
createLocally = false;
|
||||
username = "keycloak";
|
||||
name = "keycloak";
|
||||
passwordFile = config.sops.secrets."keycloak/db_password".path;
|
||||
};
|
||||
settings = {
|
||||
hostname = cfg.host;
|
||||
"hostname-strict" = true;
|
||||
"hostname-strict-https" = false;
|
||||
"http-enabled" = true;
|
||||
"http-port" = cfg.port;
|
||||
"proxy" = "edge";
|
||||
};
|
||||
};
|
||||
systemd.services.keycloak = {
|
||||
serviceConfig = {
|
||||
EnvironmentFile = config.sops.secrets."keycloak/admin_password".path;
|
||||
};
|
||||
};
|
||||
services.nginx.virtualHosts.${cfg.host} =
|
||||
lib.mkIf (cfg.enableProxy && config.my.enableProxy) (inputs.self.lib.proxyReverseFix cfg);
|
||||
};
|
||||
}
|
||||
@@ -40,6 +40,7 @@ let
|
||||
"sonarqube"
|
||||
"gitea"
|
||||
"atticd"
|
||||
"keycloak"
|
||||
];
|
||||
in
|
||||
{
|
||||
|
||||
Reference in New Issue
Block a user