bf952a5dc4
This works, however there's still stuff to do. The configuration.nix pam stack is broken, still defaults back to pam_unix.so if this fails. The code is now a small mess, I need to make `Client` structs and more separation. And I still have to fully understand keycloak and properly use the clients or configure them.
198 lines
4.2 KiB
Nix
198 lines
4.2 KiB
Nix
{
|
|
inputs',
|
|
inputs,
|
|
lib,
|
|
pkgs,
|
|
self',
|
|
self,
|
|
config,
|
|
...
|
|
}:
|
|
let
|
|
inherit (lib)
|
|
mkDefault
|
|
mkIf
|
|
;
|
|
|
|
inherit (self') packages;
|
|
|
|
fqdn = "keycloak-pam.test";
|
|
|
|
passwordFile = builtins.toFile "super-secure-password" "nuhuh";
|
|
|
|
theme-name = "default";
|
|
in
|
|
{
|
|
virtualisation.vmVariant.virtualisation = {
|
|
cores = 2;
|
|
diskSize = 8192;
|
|
graphics = false;
|
|
memorySize = 4096;
|
|
|
|
qemu.networkingOptions = lib.mkForce [
|
|
"-nic bridge,br=virbr0,id=hn0,model=virt-net-pci,helper=\${QEMU_BRIDGE_HELPER_PATH}"
|
|
"-device virtio-net-pci,netdev=hn0,id=nic1,\${QEMU_NET_OPTS:+,$QEMU_NET_OPTS}"
|
|
];
|
|
};
|
|
|
|
system = {
|
|
configurationRevision = self.rev or self.dirtyRev or null;
|
|
stateVersion = "25.11";
|
|
};
|
|
|
|
networking = {
|
|
inherit fqdn;
|
|
|
|
firewall.enable = false;
|
|
networkmanager.enable = true;
|
|
|
|
extraHosts =
|
|
let
|
|
subdomains = [ ];
|
|
hosts = [ fqdn ] ++ map (sub: "${sub}.${fqdn}") subdomains;
|
|
in
|
|
lib.concatMapStrings (host: ''
|
|
127.0.0.1 ${host}
|
|
::1 ${host}
|
|
'') hosts;
|
|
};
|
|
|
|
services.getty.autologinUser = "root";
|
|
|
|
services.nginx =
|
|
let
|
|
|
|
mkVhost =
|
|
attrs: locations:
|
|
{
|
|
forceSSL = false;
|
|
inherit locations;
|
|
}
|
|
// attrs;
|
|
|
|
mkProxy = port: {
|
|
proxyPass = "http://127.0.0.1:${toString port}/";
|
|
|
|
extraConfig = ''
|
|
proxy_buffering off;
|
|
proxy_request_buffering off;
|
|
|
|
proxy_set_header X-Forwarded-For $remote_addr;
|
|
'';
|
|
};
|
|
in
|
|
{
|
|
enable = true;
|
|
|
|
recommendedProxySettings = true;
|
|
recommendedOptimisation = true;
|
|
|
|
virtualHosts = {
|
|
"${fqdn}" = mkVhost { default = true; } {
|
|
"/" = mkProxy config.services.keycloak.settings.http-port;
|
|
};
|
|
};
|
|
};
|
|
|
|
users = {
|
|
users.admin = {
|
|
password = config.services.keycloak.initialAdminPassword;
|
|
isNormalUser = true;
|
|
extraGroups = [ "keycloak-login" ];
|
|
};
|
|
|
|
groups.keycloak-login = { };
|
|
};
|
|
|
|
environment.systemPackages = with pkgs; [
|
|
croc
|
|
neovim
|
|
];
|
|
|
|
services.keycloak = {
|
|
enable = true;
|
|
initialAdminPassword = "dontchangeme";
|
|
|
|
settings = {
|
|
hostname = "http://${fqdn}";
|
|
http-port = 3000;
|
|
http-enabled = true;
|
|
|
|
proxy-headers = "forwarded";
|
|
};
|
|
|
|
database = {
|
|
host = "localhost";
|
|
inherit passwordFile;
|
|
};
|
|
};
|
|
|
|
services.postgresql = {
|
|
enable = true;
|
|
authentication = pkgs.lib.mkOverride 10 ''
|
|
#type database DBuser auth-method
|
|
local all all trust
|
|
host keycloak keycloak 127.0.0.1/32 md5
|
|
'';
|
|
};
|
|
|
|
security.pam.services =
|
|
let
|
|
modulePath = "${packages.keycloak-pam}/lib/libkeycloak_pam.so";
|
|
|
|
keycloakPamConfig = builtins.toFile "keycloak-pam.json" (
|
|
builtins.toJSON {
|
|
base_url = "http://127.0.0.1:${toString config.services.keycloak.settings.http-port}";
|
|
default_realm = "master";
|
|
client_id = "account";
|
|
client_secret = "7bsrMrRuNKpqsxcOOJavWjEqek12ZCkj";
|
|
unix_group = "keycloak-login";
|
|
admin_username = "admin";
|
|
admin_password = "dontchangeme";
|
|
}
|
|
);
|
|
|
|
type = {
|
|
auth = {
|
|
type = "auth";
|
|
control = "sufficient";
|
|
};
|
|
password = {
|
|
type = "password";
|
|
control = "sufficient";
|
|
};
|
|
};
|
|
|
|
settings = {
|
|
debug = true;
|
|
config = keycloakPamConfig;
|
|
};
|
|
|
|
mkRuleBeforeUnix =
|
|
{ type, control }:
|
|
service: {
|
|
"${type}".keycloak-pam = {
|
|
order = config.security.pam.services."${service}".rules."${type}".unix.order - 10;
|
|
inherit modulePath settings control;
|
|
};
|
|
};
|
|
mkRulesBeforeUnix =
|
|
types: service: builtins.foldl' (rules: type: rules // mkRuleBeforeUnix type service) { } types;
|
|
|
|
mkServicesWith =
|
|
withfn: builtins.foldl' (attrs: service: attrs // { "${service}".rules = withfn service; }) { };
|
|
mkAuths = mkServicesWith (mkRuleBeforeUnix type.auth);
|
|
mkPasswds = mkServicesWith (mkRulesBeforeUnix [
|
|
type.auth
|
|
type.password
|
|
]);
|
|
in
|
|
mkAuths [
|
|
"login"
|
|
"su"
|
|
"sudo"
|
|
"passwd"
|
|
]
|
|
// mkPasswds [ "passwd" ];
|
|
}
|