From 5fc1c3d71c9d6d6ea6d3e2be39bacabeb224c70b Mon Sep 17 00:00:00 2001
From: Lu Wang
Date: Sun, 15 Dec 2024 02:52:27 +0800
Subject: [PATCH] services/keycloak: init

---
 flake/nixpkgs.nix | 1 +
 nixos/hosts/suwako-vie0/default.nix | 1 +
 nixos/modules/networking/ports.nix | 1 +
 nixos/profiles/services/keycloak/default.nix | 32 ++++++++++++++++++++
 nixos/profiles/services/ntfy/default.nix | 2 +-
 5 files changed, 36 insertions(+), 1 deletion(-)
 create mode 100644 nixos/profiles/services/keycloak/default.nix

diff --git a/flake/nixpkgs.nix b/flake/nixpkgs.nix
index 4caff6a..d6c8684 100644
--- a/flake/nixpkgs.nix
+++ b/flake/nixpkgs.nix
@@ -46,6 +46,7 @@ in
     "cargo-bootstrap"
     "dotnet-sdk"
     "go"
+    "keycloak"
     "libreoffice"
     "rustc-bootstrap"
     "rustc-bootstrap-wrapper"
diff --git a/nixos/hosts/suwako-vie0/default.nix b/nixos/hosts/suwako-vie0/default.nix
index d27d46c..1e2bd73 100644
--- a/nixos/hosts/suwako-vie0/default.nix
+++ b/nixos/hosts/suwako-vie0/default.nix
@@ -9,6 +9,7 @@
   suites.server
   ++ (with profiles; [
     services.caddy
+    services.keycloak
     services.ntfy
     services.postgresql
   ])
diff --git a/nixos/modules/networking/ports.nix b/nixos/modules/networking/ports.nix
index 03c8818..20b5cac 100644
--- a/nixos/modules/networking/ports.nix
+++ b/nixos/modules/networking/ports.nix
@@ -17,6 +17,7 @@ in
   # local ports
   enthalpy-gost = 3000;
   ntfy = 4000;
+  keycloak = 4010;
 
   # public ports
   enthalpy-ipsec = 13000;
diff --git a/nixos/profiles/services/keycloak/default.nix b/nixos/profiles/services/keycloak/default.nix
new file mode 100644
index 0000000..161c6d7
--- /dev/null
+++ b/nixos/profiles/services/keycloak/default.nix
@@ -0,0 +1,32 @@
+{
+  config,
+  pkgs,
+  mylib,
+  ...
+}:
+{
+  services.keycloak = {
+    enable = true;
+    database = {
+      type = "postgresql";
+      passwordFile = "${pkgs.writeText "keycloak-db-password" "keycloak"}";
+    };
+    settings = {
+      http-enabled = true;
+      http-host = "127.0.0.1";
+      http-port = config.networking.ports.keycloak;
+      proxy-headers = "xforwarded";
+      hostname = "keycloak.rebmit.moe";
+    };
+  };
+
+  systemd.services.keycloak.serviceConfig = mylib.misc.serviceHardened // {
+    MemoryDenyWriteExecute = false;
+  };
+
+  services.caddy.virtualHosts."keycloak.rebmit.moe" = {
+    extraConfig = ''
+      reverse_proxy ${config.services.keycloak.settings.http-host}:${toString config.services.keycloak.settings.http-port}
+    '';
+  };
+}
diff --git a/nixos/profiles/services/ntfy/default.nix b/nixos/profiles/services/ntfy/default.nix
index 8bfbd7e..897c014 100644
--- a/nixos/profiles/services/ntfy/default.nix
+++ b/nixos/profiles/services/ntfy/default.nix
@@ -9,7 +9,7 @@
   enable = true;
   settings = {
     base-url = "https://ntfy.rebmit.moe";
-    listen-http = "[::1]:${toString config.networking.ports.ntfy}";
+    listen-http = "127.0.0.1:${toString config.networking.ports.ntfy}";
     auth-default-access = "deny-all";
     behind-proxy = true;
   };
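Review bot: The database password on the `passwordFile` line is a string literal handed to `pkgs.writeText`, so it lands in the Nix store, which every local user can read, and it is also committed to this repository in clear text. The option expects a path to a file provisioned outside the store; point it at a secret that is deployed at activation time, e.g. `passwordFile = "/run/secrets/keycloak-db-password";` (example path — use whatever secret mechanism this flake already provides), and rotate the value that has now been committed. The rest of the profile — loopback-only `http-host`, `proxy-headers = "xforwarded"` reachable only through the Caddy vhost — reads fine for a reverse-proxied deployment; `MemoryDenyWriteExecute = false` is the expected relaxation of the shared hardening for a JVM service, and a one-line comment saying so (`# JIT needs writable+executable mappings`) would keep the next reader from re-enabling it.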
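Review bot: The `listen-http` switch from `[::1]` to `127.0.0.1` changes ntfy's bind address in a commit whose subject only mentions keycloak; a sentence in the commit body (or a separate commit) would record why the listener moved to IPv4 loopback. If the Caddy virtual host for ntfy hard-codes `[::1]` as its upstream instead of deriving it from `config.services.ntfy.settings.listen-http`, it would need the same change — that file is not in this diff, so this is only something to confirm.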