cnix/modules/server/keycloak/default.nix

{
  config,
  lib,
  pkgs,
  ...
}: let
  unit = "keycloak";
  cfg = config.server.${unit};
  srv = config.server;
in {
  options.server.${unit} = {
    enable = lib.mkEnableOption {
      description = "Enable ${unit}";
    };
    url = lib.mkOption {
      type = lib.types.str;
      default = "login.${srv.domain}";
    };
    homepage.name = lib.mkOption {
      type = lib.types.str;
      default = "Keycloak";
    };
    homepage.description = lib.mkOption {
      type = lib.types.str;
      default = "Open Source Identity and Access Management";
    };
    homepage.icon = lib.mkOption {
      type = lib.types.str;
      default = "keycloak.svg";
    };
    homepage.category = lib.mkOption {
      type = lib.types.str;
      default = "Services";
    };
    dbPasswordFile = lib.mkOption {
      type = lib.types.path;
    };
    cloudflared = {
      credentialsFile = lib.mkOption {
        type = lib.types.str;
        example = lib.literalExpression ''
          pkgs.writeText "cloudflare-credentials.json" '''
          {"AccountTag":"secret"."TunnelSecret":"secret","TunnelID":"secret"}
          '''
        '';
      };
      tunnelId = lib.mkOption {
        type = lib.types.str;
        example = "00000000-0000-0000-0000-000000000000";
      };
    };
  };

  config = lib.mkIf cfg.enable {
    server.postgresql.databases = [
      {
        database = "keycloak";
      }
    ];
    services.cloudflared = {
      enable = true;
      tunnels.${cfg.cloudflared.tunnelId} = {
        credentialsFile = cfg.cloudflared.credentialsFile;
        default = "http_status:404";
        ingress."${cfg.url}".service = "http://127.0.0.1:${
          toString config.services.${unit}.settings.http-port
        }";
      };
    };

    environment.systemPackages = [
      pkgs.keycloak
    ];

    services.${unit} = {
      enable = true;
      initialAdminPassword = "pwpwpw";
      database = {
        type = "postgresql";
        host = "127.0.0.1";
        port = 5432;
        name = "keycloak";
        username = "keycloak";
        passwordFile = cfg.dbPasswordFile;
        useSSL = false;
      };
      settings = {
        spi-theme-static-max-age = "-1";
        spi-theme-cache-themes = false;
        spi-theme-cache-templates = false;
        http-port = 8821;
        hostname = cfg.url;
        hostname-strict = false;
        hostname-strict-https = false;
        proxy-headers = "xforwarded";
        http-enabled = true;
      };
    };
  };
}