maurice/snix
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
snix/ops/keycloak
History
Florian Klink e20ff4cb60 fix(ops/keycloak): fix assigning grafana_roles 
keycloak_openid_user_client_role_protocol_mapper.grafana_role_mapper was
missing. It is configured to make the client roles for this Application
(and only those for this application) available in the grafana_roles
claim.

We can also disable full scope, as we're not interested in other role
mappings.

The Terraform files are a bit reorganized, everything configuring the
Grafana client lives in grafana.tf (and vice-versa for Forgejo,
Buildkite and Gerrit). The only thing left in permissions.tf is global
groups, their memberships and mappings.

Change-Id: I37b0755f4f8658518083353ec6cc0193e805d5c2
Reviewed-on: https://cl.snix.dev/c/snix/+/30476
Tested-by: besadii
Autosubmit: Florian Klink <flokli@flokli.de>
Reviewed-by: Jonas Chevalier <zimbatm@zimbatm.com>
2025-05-05 12:36:30 +00:00
..
.gitignore feat(ops/keycloak): Check in initial Keycloak configuration 2021-12-26 16:45:59 +00:00
attributes.tf feat(ops/keycloak): configure user profile declaratively 2025-04-04 16:41:12 +00:00
buildkite.tf fix(ops/keycloak): fix assigning grafana_roles 2025-05-05 12:36:30 +00:00
default.nix refactor(ops/keycloak): Use tools.checks.validateTerraform 2022-06-07 09:32:13 +00:00
forgejo.tf fix(ops/keycloak): fix assigning grafana_roles 2025-05-05 12:36:30 +00:00
gerrit.tf fix(ops/keycloak): fix assigning grafana_roles 2025-05-05 12:36:30 +00:00
grafana.tf fix(ops/keycloak): fix assigning grafana_roles 2025-05-05 12:36:30 +00:00
identity_providers.tf feat(ops/keycloak): use preferred_username claim from Bornhack IdP 2025-05-04 13:32:57 +00:00
main.tf feat(ops/keycloak): configure smtp settings 2025-03-23 00:49:59 +00:00
permissions.tf fix(ops/keycloak): fix assigning grafana_roles 2025-05-05 12:36:30 +00:00
README.md docs(ops/buildkite): Add documentation about this config 2022-06-06 11:05:12 +00:00

README.md

Terraform for Keycloak

This contains the Terraform configuration for deploying TVL's Keycloak instance (which lives at auth.tvl.fyi).

Secrets are needed for applying this. The encrypted file //ops/secrets/tf-keycloak.age contains export calls which should be sourced, for example via direnv, by users with the appropriate credentials.

An example direnv configuration used by tazjin is this:

# //ops/keycloak/.envrc
source_up
eval $(age --decrypt -i ~/.ssh/id_ed25519 $(git rev-parse --show-toplevel)/ops/secrets/tf-keycloak.age)