{ pkgs, config, ... }:

let
  network = import ./network.nix;
  domain = "auth.giugl.io";

  # Keycloak itself only listens on plain HTTP on the loopback interface;
  # nginx terminates TLS in front of it (see proxy = "edge" below).
  keycloakUpstream =
    "http://127.0.0.1:${toString config.services.keycloak.settings.http-port}";

  # Only these path prefixes are forwarded to Keycloak. Anything else on the
  # vhost hits the "/" redirect, so the exposed surface is deliberately narrow.
  proxiedPaths = [ "/admin" "/js" "/realms" "/resources" "/robots.txt" ];

  proxiedLocations = builtins.listToAttrs (map
    (path: { name = path; value = { proxyPass = keycloakUpstream; }; })
    proxiedPaths);
in
{
  services.keycloak = {
    enable = true;

    # NOTE(review): this is a plain-text bootstrap password and, like every
    # module option, ends up in the world-readable Nix store. It is only
    # consumed when an empty database is initialised, so the admin credential
    # should be rotated after first login.
    initialAdminPassword = "giulio";

    # Read at runtime from outside the store, so the DB password is not
    # baked into the closure.
    database.passwordFile = "/secrets/keycloak/database.key";

    settings = {
      hostname = domain;

      # "edge": TLS is terminated by nginx and Keycloak trusts the
      # X-Forwarded-* headers it receives. NOTE(review): the location blocks
      # below do not set those headers themselves — presumably
      # services.nginx.recommendedProxySettings is enabled elsewhere; confirm,
      # otherwise Keycloak will see the wrong scheme/host.
      proxy = "edge";
      http-port = 6654;
      https-port = 6655;

      # Backchannel requests also use the configured hostname rather than
      # whatever Host header arrives.
      hostname-strict-backchannel = true;
    };
  };

  # Database and role for Keycloak, named after whatever the keycloak module
  # is configured to use so the two cannot drift apart.
  services.postgresql = {
    ensureDatabases = [ (toString config.services.keycloak.database.name) ];
    ensureUsers = [
      {
        name = toString config.services.keycloak.database.username;
        ensurePermissions = {
          "DATABASE ${toString config.services.keycloak.database.name}" = "ALL PRIVILEGES";
        };
      }
    ];
  };

  services.nginx.virtualHosts.${domain} = {
    forceSSL = true;
    enableACME = true;
    locations = {
      # The bare domain lands users on the account console of the master realm.
      "/" = {
        return = "301 https://${domain}/realms/master/account";
      };
    } // proxiedLocations;
  };

  # Pin the auth domain to the LAN and WireGuard addresses from network.nix so
  # local hosts reach Keycloak directly. NOTE(review): the actual addresses
  # live in ./network.nix and are not visible here.
  networking.extraHosts = ''
    ${network.architect-lan} ${domain}
    ${network.architect-wg} ${domain}
  '';
}