feat(whitby): Configure initial Keycloak setup

Trialing this as an alternative to CAS that is a little easier to configure and can help us delegate authentication to other OIDC services. Change-Id: Iad63724d349334910af8fed0b148e4ba428f796b Reviewed-on: https://cl.tvl.fyi/c/depot/+/4608 Tested-by: BuildkiteCI Autosubmit: tazjin <mail@tazj.in> Reviewed-by: lukegb <lukegb@tvl.fyi>
2021-12-25 17:06:15 +03:00 · 2021-12-25 17:06:15 +03:00 · d8a1802b3e
commit d8a1802b3e
parent 1ee31d67fc
4 changed files with 59 additions and 1 deletions
--- a/ops/machines/whitby/default.nix
+++ b/ops/machines/whitby/default.nix
@ -23,6 +23,7 @@ in {
    "${depot.path}/ops/modules/tvl-slapd/default.nix"
    "${depot.path}/ops/modules/tvl-sso/default.nix"
    "${depot.path}/ops/modules/www/atward.tvl.fyi.nix"
+    "${depot.path}/ops/modules/www/auth.tvl.fyi.nix"
    "${depot.path}/ops/modules/www/b.tvl.fyi.nix"
    "${depot.path}/ops/modules/www/cache.tvl.su.nix"
    "${depot.path}/ops/modules/www/cl.tvl.fyi.nix"
@ -210,6 +211,7 @@ in {
      gerrit-queue.file = secretFile "gerrit-queue";
      grafana.file = secretFile "grafana";
      irccat.file = secretFile "irccat";
+      keycloak-db.file = secretFile "keycloak-db";
      nix-cache-priv.file = secretFile "nix-cache-priv";
      owothia.file = secretFile "owothia";
      panettone.file = secretFile "panettone";
@ -417,8 +419,9 @@ in {
  services.postgresqlBackup = {
    enable = true;
    databases = [
-      "tvldb"
+      "keycloak"
      "panettone"
+      "tvldb"
    ];
  };

@ -546,9 +549,39 @@ in {
      }];
    };
  };
+
  # Contains GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET.
  systemd.services.grafana.serviceConfig.EnvironmentFile = "/run/agenix/grafana";

+  services.keycloak = {
+    enable = true;
+    httpPort = "5925"; # "kycl"
+    frontendUrl = "https://auth.tvl.fyi/auth/";
+
+    database = {
+      type = "postgresql";
+      passwordFile = "/run/agenix/keycloak-db";
+      createLocally = false;
+    };
+
+    # Configure Keycloak to look at forwarded headers from the reverse
+    # proxy.
+    extraConfig = {
+      "subsystem=undertow" = {
+        "server=default-server" = {
+          "http-listener=default" = {
+            proxy-address-forwarding = "true";
+          };
+        };
+      };
+    };
+  };
+
+  # Allow Keycloak access to the LDAP module by forcing in the JVM
+  # configuration
+  systemd.services.keycloak.environment.PREPEND_JAVA_OPTS =
+    "--add-exports=java.naming/com.sun.jndi.ldap=ALL-UNNAMED";
+
  security.sudo.extraRules = [
    {
      groups = ["wheel"];