services/keycloak: init

flake/nixpkgs.nix

@@ -46,6 +46,7 @@ in
               "cargo-bootstrap"
               "dotnet-sdk"
               "go"
+              "keycloak"
               "libreoffice"
               "rustc-bootstrap"
               "rustc-bootstrap-wrapper"

nixos/hosts/suwako-vie0/default.nix

@@ -9,6 +9,7 @@
     suites.server
     ++ (with profiles; [
       services.caddy
+      services.keycloak
       services.ntfy
       services.postgresql
     ])

nixos/modules/networking/ports.nix

@@ -17,6 +17,7 @@ in
       # local ports
       enthalpy-gost = 3000;
       ntfy = 4000;
+      keycloak = 4010;
 
       # public ports
       enthalpy-ipsec = 13000;

nixos/profiles/services/keycloak/default.nix

@@ -0,0 +1,32 @@
+{
+  config,
+  pkgs,
+  mylib,
+  ...
+}:
+{
+  services.keycloak = {
+    enable = true;
+    database = {
+      type = "postgresql";
+      passwordFile = "${pkgs.writeText "keycloak-db-password" "keycloak"}";
+    };
+    settings = {
+      http-enabled = true;
+      http-host = "127.0.0.1";
+      http-port = config.networking.ports.keycloak;
+      proxy-headers = "xforwarded";
+      hostname = "keycloak.rebmit.moe";
+    };
+  };
+
+  systemd.services.keycloak.serviceConfig = mylib.misc.serviceHardened // {
+    MemoryDenyWriteExecute = false;
+  };
+
+  services.caddy.virtualHosts."keycloak.rebmit.moe" = {
+    extraConfig = ''
+      reverse_proxy ${config.services.keycloak.settings.http-host}:${toString config.services.keycloak.settings.http-port}
+    '';
+  };
+}

nixos/profiles/services/ntfy/default.nix

@@ -9,7 +9,7 @@
     enable = true;
     settings = {
       base-url = "https://ntfy.rebmit.moe";
-      listen-http = "[::1]:${toString config.networking.ports.ntfy}";
+      listen-http = "127.0.0.1:${toString config.networking.ports.ntfy}";
       auth-default-access = "deny-all";
       behind-proxy = true;
     };