remove keycloak

2024-06-26 07:13:34 +02:00 · 2024-06-26 07:13:34 +02:00 · cc4d3f4a7e
commit cc4d3f4a7e
parent 0062e91c4a
12 changed files with 2 additions and 315 deletions
--- a/config/nas.nix
+++ b/config/nas.nix
@ -32,7 +32,6 @@
    ./services/yiff-stash.nix
    ./services/reverse-proxy.nix
    ./services/jellyfin.nix
-    ../new-infra/devices/nas.nix
    ./services/mautrix-discord.nix
    ./services/mautrix-telegram.nix
    ./services/mautrix-whatsapp.nix
--- a/config/services/reverse-proxy.nix
+++ b/config/services/reverse-proxy.nix
@ -178,20 +178,6 @@ in {
        }
      '';
    };
-    "keycloak.chir.rs" = {
-      useACMEHost = "chir.rs";
-      logFormat = pkgs.lib.mkForce "";
-      extraConfig = ''
-        import baseConfig
-          reverse_proxy {
-            to https://keycloak.int.chir.rs
-            header_up Host {upstream_hostport}
-            transport http {
-              versions 1.1
-            }
-        }
-      '';
-    };
  };
  services.nginx.virtualHosts."mastodon-assets.chir.rs" = {
    listen = [
--- a/flake.nix
+++ b/flake.nix
@ -350,17 +350,6 @@ rec {
        # Uncomment the line to build an installer image
        # This is EXTREMELY LARGE and will make builds take forever
        # installer.x86_64-linux = nixosConfigurations.installer.config.system.build.isoImage;
-        tests = let
-          pkgs = import nixpkgs {
-            system = "x86_64-linux";
-            overlays = [
-              self.overlays.x86_64-linux
-            ];
-          };
-        in {
-          postgresql = pkgs.callPackage ./new-infra/containers/postgresql/test.nix {};
-          keycloak = pkgs.callPackage ./new-infra/containers/keycloak/test.nix {};
-        };
      };
  };
 }
--- a/new-infra/README.md
+++ b/new-infra/README.md
@ -1,3 +0,0 @@
-# New infrastructure config
-
-Work in progress configuration that is used for a more containerized nixos install.
--- a/new-infra/containers/keycloak/default.nix
+++ b/new-infra/containers/keycloak/default.nix
@ -1,150 +0,0 @@
-{
-  lib,
-  pkgs,
-  config,
-  ...
-}: let
-  config' = config;
-  keycloakIP = config'.containers.keycloak.localAddress6;
-in {
-  imports = [
-    ../postgresql/default.nix
-  ];
-
-  containers.postgresql = {
-    bindMounts.keycloak-db-password = {
-      mountPoint = "/secrets/keycloak-db-password-input";
-      hostPath = "/run/generated-secrets/keycloak-db-password";
-    };
-    config = {
-      config,
-      pkgs,
-      lib,
-      ...
-    }: {
-      networking.firewall.extraCommands = ''
-        ip6tables -A nixos-fw -p tcp -s ${keycloakIP} -m tcp --dport 5432 -m comment --comment keycloak-db -j nixos-fw-accept
-      '';
-      services.postgresql = {
-        ensureDatabases = [
-          "keycloak"
-        ];
-        ensureUsers = [
-          {
-            name = "keycloak";
-            ensureDBOwnership = true;
-          }
-        ];
-        authentication = ''
-          host keycloak keycloak ${keycloakIP}/128 scram-sha-256
-        '';
-      };
-      systemd.services.postgresql.postStart = lib.mkAfter ''
-        $PSQL -c "ALTER USER keycloak PASSWORD '$(cat /secrets/keycloak-db-password)';"
-      '';
-      systemd.tmpfiles.rules = [
-        "C /secrets/keycloak-db-password - - - - /secrets/keycloak-db-password-input"
-        "z /secrets/keycloak-db-password - postgres postgres - -"
-      ];
-    };
-  };
-
-  containers.keycloak = rec {
-    autoStart = true;
-    privateNetwork = true;
-    hostBridge = "containers";
-    localAddress6 = "fc00::3";
-    ephemeral = true;
-    bindMounts = {
-      keycloak-db-password = {
-        mountPoint = "/secrets/keycloak-db-password";
-        hostPath = "/run/generated-secrets/keycloak-db-password";
-      };
-    };
-    config = {
-      config,
-      pkgs,
-      ...
-    }: {
-      networking.interfaces.eth0.ipv6.routes = [
-        {
-          address = "fc00::";
-          prefixLength = 64;
-        }
-      ];
-      services.keycloak = {
-        database = {
-          host = config'.containers.postgresql.localAddress6;
-          name = "keycloak";
-          passwordFile = "/secrets/keycloak-db-password";
-          username = "keycloak";
-          useSSL = false;
-        };
-        enable = true;
-        settings = {
-          hostname = "keycloak.chir.rs";
-          hostname-strict-backchannel = true;
-          proxy = "edge";
-          proxy-headers = "xforwarded";
-          hostname-admin = "keycloak-admin.int.chir.rs";
-          http-enabled = true;
-          health-enabled = true;
-          metrics-enabled = true;
-          http-port = 8080;
-          https-port = 8443;
-          hostname-strict = false;
-        };
-      };
-      system.stateVersion = "24.05";
-      networking.firewall.extraCommands = ''
-        ip6tables -A nixos-fw -p tcp -s fc00::1 -m tcp --dport 8080 -m comment --comment caddy -j nixos-fw-accept
-      '';
-    };
-  };
-
-  systemd.services.keycloak-db-password = {
-    script = ''
-      umask 077
-      mkdir -pv /run/generated-secrets
-      cat /dev/urandom | tr -dc A-za-z0-9 | head -c 16 > /run/generated-secrets/keycloak-db-password
-    '';
-  };
-
-  systemd.services."container@keycloak".requires = [
-    "container@postgresql.service"
-    "keycloak-db-password.service"
-  ];
-  systemd.services."container@keycloak".after = [
-    "container@postgresql.service"
-    "keycloak-db-password.service"
-  ];
-  systemd.services."container@postgresql".partOf = [
-    "container@keycloak.service"
-  ];
-  systemd.services."container@postgresql".requires = [
-    "keycloak-db-password.service"
-  ];
-
-  services.caddy.virtualHosts = {
-    "keycloak-admin.int.chir.rs" = {
-      useACMEHost = "int.chir.rs";
-      logFormat = lib.mkForce "";
-      extraConfig = ''
-        import baseConfig
-
-        reverse_proxy http://keycloak:8080
-      '';
-    };
-    "keycloak.int.chir.rs" = {
-      useACMEHost = "int.chir.rs";
-      logFormat = lib.mkForce "";
-      extraConfig = ''
-        import baseConfig
-
-        @public path /js/* /realms/* /resources/* /robots.txt
-
-        reverse_proxy @public http://keycloak:8080
-      '';
-    };
-  };
-}
--- a/new-infra/containers/keycloak/test.nix
+++ b/new-infra/containers/keycloak/test.nix
@ -1,21 +0,0 @@
-{pkgs ? import <nixpkgs> {}, ...}:
-pkgs.testers.runNixOSTest {
-  name = "keycloak";
-
-  nodes.keycloak = {
-    config,
-    pkgs,
-    ...
-  }: {
-    imports = [
-      ./default.nix
-      ../../default.nix
-    ];
-    system.stateVersion = "23.11";
-  };
-  testScript = ''
-    keycloak.wait_for_unit("container@keycloak.service")
-    keycloak.succeed("sleep 60")
-    keycloak.succeed("nixos-container run keycloak -- curl -v 'http://localhost:8080/health'")
-  '';
-}
--- a/new-infra/containers/postgresql/default.nix
+++ b/new-infra/containers/postgresql/default.nix
@ -1,63 +0,0 @@
-{pkgs, ...}: {
-  containers.postgresql = rec {
-    autoStart = true;
-    privateNetwork = true;
-    hostBridge = "containers";
-    localAddress6 = "fc00::2";
-    ephemeral = true;
-    bindMounts = {
-      persist = {
-        mountPoint = "/persist";
-        hostPath = "/persist/postgresql";
-        isReadOnly = false;
-      };
-      backup = {
-        mountPoint = "/backup";
-        hostPath = "/persist/backup/postgresql";
-        isReadOnly = false;
-      };
-    };
-
-    config = {
-      config,
-      pkgs,
-      ...
-    }: {
-      networking.interfaces.eth0.ipv6.routes = [
-        {
-          address = "fc00::";
-          prefixLength = 64;
-        }
-      ];
-      services.postgresql = {
-        enable = true;
-        package = pkgs.postgresql_16;
-        dataDir = "/persist/16";
-        enableTCPIP = true;
-      };
-      services.postgresqlBackup = {
-        enable = true;
-        pgdumpOptions = "-C";
-        location = "/backup";
-        compression = "zstd";
-        compressionLevel = 19;
-      };
-      networking.firewall = {
-        enable = true;
-      };
-      system.stateVersion = "24.05";
-      systemd.tmpfiles.rules = [
-        "d /persist - postgres postgres - -"
-        "d /backup - postgres postgres - -"
-      ];
-      services.prometheus.exporters.postgres.enable = true;
-      networking.firewall.extraCommands = ''
-        ip6tables -A nixos-fw -p tcp -s _gateway -m tcp --dport ${toString config.services.prometheus.exporters.postgres.port} -m comment --comment postgres-exporter -j nixos-fw-accept
-      '';
-    };
-  };
-  systemd.tmpfiles.rules = [
-    "d /persist/postgresql - - - - -"
-    "d /persist/backup/postgresql - - - - -"
-  ];
-}
--- a/new-infra/containers/postgresql/test.nix
+++ b/new-infra/containers/postgresql/test.nix
@ -1,23 +0,0 @@
-{pkgs ? import <nixpkgs> {}, ...}:
-pkgs.testers.runNixOSTest {
-  name = "postgresql";
-
-  nodes.postgresql = {
-    config,
-    pkgs,
-    ...
-  }: {
-    imports = [
-      ./default.nix
-      ../../default.nix
-    ];
-    system.stateVersion = "23.11";
-  };
-  testScript = ''
-    postgresql.wait_for_unit("container@postgresql.service")
-    postgresql.succeed("nixos-container run postgresql -- systemctl start postgresqlBackup.service")
-    postgresql.succeed("stat /persist/backup/postgresql/all.sql.zstd")
-    postgresql.succeed("sleep 5")
-    postgresql.succeed("curl -v 'http://postgresql:9187/metrics'")
-  '';
-}
--- a/new-infra/default.nix
+++ b/new-infra/default.nix
@ -1,18 +0,0 @@
-{config, ...}: {
-  networking = {
-    bridges.containers.interfaces = ["container-root"];
-    interfaces = {
-      container-root = {
-        virtual = true;
-      };
-      containers = {
-        ipv6.addresses = [
-          {
-            address = "fc00::1";
-            prefixLength = 64;
-          }
-        ];
-      };
-    };
-  };
-}
--- a/new-infra/devices/nas.nix
+++ b/new-infra/devices/nas.nix
@ -1,6 +0,0 @@
-{
-  imports = [
-    ../default.nix
-    ../containers/keycloak/default.nix # TODO
-  ];
-}
--- a/zones/chir.rs.nix
+++ b/zones/chir.rs.nix
@ -144,7 +144,7 @@ with dns.lib.combinators; let
    SOA = {
      nameServer = "ns1.chir.rs.";
      adminEmail = "lotte@chir.rs";
-      serial = 51;
+      serial = 52;
    };
    NS = [
      "ns1.chir.rs."
@ -248,7 +248,6 @@ with dns.lib.combinators; let
      status = createZone oracleBase;
      sliding-sync = createZone oracleBase;
      weblate = createFullZone {};
-      keycloak = createFullZone {};

      int =
        delegateTo [
--- a/zones/int.chir.rs.nix
+++ b/zones/int.chir.rs.nix
@ -15,7 +15,7 @@ in {
  SOA = {
    nameServer = "ns1.chir.rs.";
    adminEmail = "lotte@chir.rs";
-    serial = 35;
+    serial = 36;
  };
  NS = [
    "ns1.chir.rs."
@ -239,8 +239,6 @@ in {
    mautrix-whatsapp.CNAME = [(ttl zoneTTL (cname "nas"))];
    weblate.CNAME = [(ttl zoneTTL (cname "nas"))];
    jellyfin.CNAME = [(ttl zoneTTL (cname "nas"))];
-    keycloak.CNAME = [(ttl zoneTTL (cname "nas"))];
-    keycloak-admin.CNAME = [(ttl zoneTTL (cname "nas"))];
    _acme-challenge = delegateTo [
      "ns1.chir.rs."
      "ns2.chir.rs."