remove keycloak

2024-06-26 07:13:34 +02:00 · 2024-06-26 07:13:34 +02:00 · cc4d3f4a7e
commit cc4d3f4a7e
parent 0062e91c4a
12 changed files with 2 additions and 315 deletions
--- a/config/nas.nix
+++ b/config/nas.nix
@ -32,7 +32,6 @@
    ./services/yiff-stash.nix
    ./services/reverse-proxy.nix
    ./services/jellyfin.nix
    ../new-infra/devices/nas.nix
    ./services/mautrix-discord.nix
    ./services/mautrix-telegram.nix
    ./services/mautrix-whatsapp.nix
--- a/config/services/reverse-proxy.nix
+++ b/config/services/reverse-proxy.nix
@ -178,20 +178,6 @@ in {
        }
      '';
    };
    "keycloak.chir.rs" = {
      useACMEHost = "chir.rs";
      logFormat = pkgs.lib.mkForce "";
      extraConfig = ''
        import baseConfig
          reverse_proxy {
            to https://keycloak.int.chir.rs
            header_up Host {upstream_hostport}
            transport http {
              versions 1.1
            }
        }
      '';
    };
  };
  services.nginx.virtualHosts."mastodon-assets.chir.rs" = {
    listen = [
--- a/flake.nix
+++ b/flake.nix
@ -350,17 +350,6 @@ rec {
        # Uncomment the line to build an installer image
        # This is EXTREMELY LARGE and will make builds take forever
        # installer.x86_64-linux = nixosConfigurations.installer.config.system.build.isoImage;
        tests = let
          pkgs = import nixpkgs {
            system = "x86_64-linux";
            overlays = [
              self.overlays.x86_64-linux
            ];
          };
        in {
          postgresql = pkgs.callPackage ./new-infra/containers/postgresql/test.nix {};
          keycloak = pkgs.callPackage ./new-infra/containers/keycloak/test.nix {};
        };
      };
  };
 }
--- a/new-infra/README.md
+++ b/new-infra/README.md
@ -1,3 +0,0 @@
 # New infrastructure config
 Work in progress configuration that is used for a more containerized nixos install.
--- a/new-infra/containers/keycloak/default.nix
+++ b/new-infra/containers/keycloak/default.nix
@ -1,150 +0,0 @@
 {
  lib,
  pkgs,
  config,
  ...
 }: let
  config' = config;
  keycloakIP = config'.containers.keycloak.localAddress6;
 in {
  imports = [
    ../postgresql/default.nix
  ];
  containers.postgresql = {
    bindMounts.keycloak-db-password = {
      mountPoint = "/secrets/keycloak-db-password-input";
      hostPath = "/run/generated-secrets/keycloak-db-password";
    };
    config = {
      config,
      pkgs,
      lib,
      ...
    }: {
      networking.firewall.extraCommands = ''
        ip6tables -A nixos-fw -p tcp -s ${keycloakIP} -m tcp --dport 5432 -m comment --comment keycloak-db -j nixos-fw-accept
      '';
      services.postgresql = {
        ensureDatabases = [
          "keycloak"
        ];
        ensureUsers = [
          {
            name = "keycloak";
            ensureDBOwnership = true;
          }
        ];
        authentication = ''
          host keycloak keycloak ${keycloakIP}/128 scram-sha-256
        '';
      };
      systemd.services.postgresql.postStart = lib.mkAfter ''
        $PSQL -c "ALTER USER keycloak PASSWORD '$(cat /secrets/keycloak-db-password)';"
      '';
      systemd.tmpfiles.rules = [
        "C /secrets/keycloak-db-password - - - - /secrets/keycloak-db-password-input"
        "z /secrets/keycloak-db-password - postgres postgres - -"
      ];
    };
  };
  containers.keycloak = rec {
    autoStart = true;
    privateNetwork = true;
    hostBridge = "containers";
    localAddress6 = "fc00::3";
    ephemeral = true;
    bindMounts = {
      keycloak-db-password = {
        mountPoint = "/secrets/keycloak-db-password";
        hostPath = "/run/generated-secrets/keycloak-db-password";
      };
    };
    config = {
      config,
      pkgs,
      ...
    }: {
      networking.interfaces.eth0.ipv6.routes = [
        {
          address = "fc00::";
          prefixLength = 64;
        }
      ];
      services.keycloak = {
        database = {
          host = config'.containers.postgresql.localAddress6;
          name = "keycloak";
          passwordFile = "/secrets/keycloak-db-password";
          username = "keycloak";
          useSSL = false;
        };
        enable = true;
        settings = {
          hostname = "keycloak.chir.rs";
          hostname-strict-backchannel = true;
          proxy = "edge";
          proxy-headers = "xforwarded";
          hostname-admin = "keycloak-admin.int.chir.rs";
          http-enabled = true;
          health-enabled = true;
          metrics-enabled = true;
          http-port = 8080;
          https-port = 8443;
          hostname-strict = false;
        };
      };
      system.stateVersion = "24.05";
      networking.firewall.extraCommands = ''
        ip6tables -A nixos-fw -p tcp -s fc00::1 -m tcp --dport 8080 -m comment --comment caddy -j nixos-fw-accept
      '';
    };
  };
  systemd.services.keycloak-db-password = {
    script = ''
      umask 077
      mkdir -pv /run/generated-secrets
      cat /dev/urandom | tr -dc A-za-z0-9 | head -c 16 > /run/generated-secrets/keycloak-db-password
    '';
  };
  systemd.services."container@keycloak".requires = [
    "container@postgresql.service"
    "keycloak-db-password.service"
  ];
  systemd.services."container@keycloak".after = [
    "container@postgresql.service"
    "keycloak-db-password.service"
  ];
  systemd.services."container@postgresql".partOf = [
    "container@keycloak.service"
  ];
  systemd.services."container@postgresql".requires = [
    "keycloak-db-password.service"
  ];
  services.caddy.virtualHosts = {
    "keycloak-admin.int.chir.rs" = {
      useACMEHost = "int.chir.rs";
      logFormat = lib.mkForce "";
      extraConfig = ''
        import baseConfig
        reverse_proxy http://keycloak:8080
      '';
    };
    "keycloak.int.chir.rs" = {
      useACMEHost = "int.chir.rs";
      logFormat = lib.mkForce "";
      extraConfig = ''
        import baseConfig
        @public path /js/* /realms/* /resources/* /robots.txt
        reverse_proxy @public http://keycloak:8080
      '';
    };
  };
 }
--- a/new-infra/containers/keycloak/test.nix
+++ b/new-infra/containers/keycloak/test.nix
@ -1,21 +0,0 @@
 {pkgs ? import <nixpkgs> {}, ...}:
 pkgs.testers.runNixOSTest {
  name = "keycloak";
  nodes.keycloak = {
    config,
    pkgs,
    ...
  }: {
    imports = [
      ./default.nix
      ../../default.nix
    ];
    system.stateVersion = "23.11";
  };
  testScript = ''
    keycloak.wait_for_unit("container@keycloak.service")
    keycloak.succeed("sleep 60")
    keycloak.succeed("nixos-container run keycloak -- curl -v 'http://localhost:8080/health'")
  '';
 }
--- a/new-infra/containers/postgresql/default.nix
+++ b/new-infra/containers/postgresql/default.nix
@ -1,63 +0,0 @@
 {pkgs, ...}: {
  containers.postgresql = rec {
    autoStart = true;
    privateNetwork = true;
    hostBridge = "containers";
    localAddress6 = "fc00::2";
    ephemeral = true;
    bindMounts = {
      persist = {
        mountPoint = "/persist";
        hostPath = "/persist/postgresql";
        isReadOnly = false;
      };
      backup = {
        mountPoint = "/backup";
        hostPath = "/persist/backup/postgresql";
        isReadOnly = false;
      };
    };
    config = {
      config,
      pkgs,
      ...
    }: {
      networking.interfaces.eth0.ipv6.routes = [
        {
          address = "fc00::";
          prefixLength = 64;
        }
      ];
      services.postgresql = {
        enable = true;
        package = pkgs.postgresql_16;
        dataDir = "/persist/16";
        enableTCPIP = true;
      };
      services.postgresqlBackup = {
        enable = true;
        pgdumpOptions = "-C";
        location = "/backup";
        compression = "zstd";
        compressionLevel = 19;
      };
      networking.firewall = {
        enable = true;
      };
      system.stateVersion = "24.05";
      systemd.tmpfiles.rules = [
        "d /persist - postgres postgres - -"
        "d /backup - postgres postgres - -"
      ];
      services.prometheus.exporters.postgres.enable = true;
      networking.firewall.extraCommands = ''
        ip6tables -A nixos-fw -p tcp -s _gateway -m tcp --dport ${toString config.services.prometheus.exporters.postgres.port} -m comment --comment postgres-exporter -j nixos-fw-accept
      '';
    };
  };
  systemd.tmpfiles.rules = [
    "d /persist/postgresql - - - - -"
    "d /persist/backup/postgresql - - - - -"
  ];
 }
--- a/new-infra/containers/postgresql/test.nix
+++ b/new-infra/containers/postgresql/test.nix
@ -1,23 +0,0 @@
 {pkgs ? import <nixpkgs> {}, ...}:
 pkgs.testers.runNixOSTest {
  name = "postgresql";
  nodes.postgresql = {
    config,
    pkgs,
    ...
  }: {
    imports = [
      ./default.nix
      ../../default.nix
    ];
    system.stateVersion = "23.11";
  };
  testScript = ''
    postgresql.wait_for_unit("container@postgresql.service")
    postgresql.succeed("nixos-container run postgresql -- systemctl start postgresqlBackup.service")
    postgresql.succeed("stat /persist/backup/postgresql/all.sql.zstd")
    postgresql.succeed("sleep 5")
    postgresql.succeed("curl -v 'http://postgresql:9187/metrics'")
  '';
 }
--- a/new-infra/default.nix
+++ b/new-infra/default.nix
@ -1,18 +0,0 @@
 {config, ...}: {
  networking = {
    bridges.containers.interfaces = ["container-root"];
    interfaces = {
      container-root = {
        virtual = true;
      };
      containers = {
        ipv6.addresses = [
          {
            address = "fc00::1";
            prefixLength = 64;
          }
        ];
      };
    };
  };
 }
--- a/new-infra/devices/nas.nix
+++ b/new-infra/devices/nas.nix
@ -1,6 +0,0 @@
 {
  imports = [
    ../default.nix
    ../containers/keycloak/default.nix # TODO
  ];
 }
--- a/zones/chir.rs.nix
+++ b/zones/chir.rs.nix
@ -144,7 +144,7 @@ with dns.lib.combinators; let
    SOA = {
      nameServer = "ns1.chir.rs.";
      adminEmail = "lotte@chir.rs";
-      serial = 51;
+      serial = 52;
    };
    NS = [
      "ns1.chir.rs."
@ -248,7 +248,6 @@ with dns.lib.combinators; let
      status = createZone oracleBase;
      sliding-sync = createZone oracleBase;
      weblate = createFullZone {};
      keycloak = createFullZone {};
      int =
        delegateTo [
--- a/zones/int.chir.rs.nix
+++ b/zones/int.chir.rs.nix
@ -15,7 +15,7 @@ in {
  SOA = {
    nameServer = "ns1.chir.rs.";
    adminEmail = "lotte@chir.rs";
-    serial = 35;
+    serial = 36;
  };
  NS = [
    "ns1.chir.rs."
@ -239,8 +239,6 @@ in {
    mautrix-whatsapp.CNAME = [(ttl zoneTTL (cname "nas"))];
    weblate.CNAME = [(ttl zoneTTL (cname "nas"))];
    jellyfin.CNAME = [(ttl zoneTTL (cname "nas"))];
    keycloak.CNAME = [(ttl zoneTTL (cname "nas"))];
    keycloak-admin.CNAME = [(ttl zoneTTL (cname "nas"))];
    _acme-challenge = delegateTo [
      "ns1.chir.rs."
      "ns2.chir.rs."
		`@ -1,3 +0,0 @@`
			`# New infrastructure config`

			`Work in progress configuration that is used for a more containerized nixos install.`