Keycloak: Difference between revisions
imported>Nix cleanup |
Fix for running http only |
||
(11 intermediate revisions by 6 users not shown) | |||
Line 1: | Line 1: | ||
'''[https://keycloak.org/ Keycloak]''' ([[wikipedia:en:Keycloak|Wikipedia]]) is identity and access management software, and can serve as an authentication server for applications (providing support for OpenID Connect, OAuth 2.0, and SAML. | '''[https://keycloak.org/ Keycloak]''' ([[wikipedia:en:Keycloak|Wikipedia]]) is identity and access management software, and can serve as an authentication server for applications (providing support for OpenID Connect, OAuth 2.0, and SAML). | ||
For official documentation on Keycloak please consult the [https://nixos.org/manual/nixos/stable/index.html#module-services-keycloak NixOS manual]. | |||
== Setup == | |||
Following configuration will enable a minimal and insecure Keycloak instance for '''testing purpose'''.<syntaxhighlight lang="nix"> | |||
environment.etc."keycloak-database-pass".text = "PWD"; | |||
services.keycloak = { | |||
enable = true; | |||
settings = { | |||
hostname = "localhost"; | |||
http-enabled = true; | |||
hostname-strict-https = false; | |||
}; | |||
database.passwordFile = "/etc/keycloak-database-pass"; | |||
}; | |||
</syntaxhighlight>After applying the configuration the Keycloak management interface will be available at http://localhost. Login with username <code>admin</code> and password <code>changeme</code>. | |||
== | == Tips and tricks == | ||
=== | === Installation in subdirectory === | ||
Keycloak may be installed in a subdirectory of a domain. Thus you don't need to configure and expose a subdomain. For example with the following configuration, remember to edit <code>domain.tld</code>, reflecting your used domain. | |||
{{file|/etc/nixos/configuration.nix|nix|<nowiki> | |||
{ | |||
services.nginx = { | |||
enable = true; | |||
# enable recommended settings | |||
recommendedGzipSettings = true; | |||
recommendedOptimisation = true; | |||
recommendedTlsSettings = true; | |||
recommendedProxySettings = true; | |||
virtualHosts = { | |||
"domain.tld" = { | |||
forceSSL = true; | |||
enableACME = true; | |||
locations = { | |||
"/cloak/" = { | |||
proxyPass = "http://localhost:${toString config.services.keycloak.settings.http-port}/cloak/"; | |||
}; | |||
}; | |||
}; | |||
}; | |||
}; | |||
services.postgresql.enable = true; | |||
services.keycloak = { | |||
enable = true; | |||
database = { | |||
type = "postgresql"; | |||
createLocally = true; | |||
username = "keycloak"; | |||
passwordFile = "/etc/nixos/secrets/keycloak_psql_pass"; | |||
}; | |||
settings = { | |||
hostname = "domain.tld"; | |||
http-relative-path = "/cloak"; | |||
http-port = 38080; | |||
proxy = "passthrough"; | |||
http-enabled = true; | |||
}; | |||
}; | |||
} | |||
</nowiki>}} | |||
=== Keycloak themes on NixOS === | |||
You need to create a package for your custom theme and configure the keycloak service to use it | |||
Here is a what a basic theme will look like : | |||
- configuration.nix | |||
- keycloak | |||
- custom_theme | |||
- login | |||
- resources | |||
- css | |||
- custom.css | |||
- theme.properties | |||
- default.nix <- set of packages to be imported in your configuration.nix | |||
- keycloak_custom_theme.nix <- package for your theme | |||
==== Create a theme ==== | |||
{{file|custom.css|css|<nowiki> | |||
</ | body { | ||
background: red; | |||
color: blue; | |||
} | |||
</nowiki>}} | |||
. | {{file|theme.properties|bash|<nowiki> | ||
parent=base | |||
import=common/keycloak | |||
styles=css/custom.css | |||
</nowiki>}} | |||
{{file|/ | ==== Create a package ==== | ||
{ | {{file|keycloak_custom_theme.nix|nix|<nowiki> | ||
{ stdenv }: | |||
stdenv.mkDerivation rec { | |||
name = "keycloak_custom_theme"; | |||
version = "1.0"; | |||
src = ./keycloak_custom_theme; | |||
nativeBuildInputs = [ ]; | |||
buildInputs = [ ]; | |||
installPhase = '' | |||
mkdir -p $out | |||
cp -a login $out | |||
''; | |||
} | |||
</nowiki>}} | |||
==== Create a packages set ==== | |||
{{file|default.nix|nix|<nowiki> | |||
{pkgs, ...}: let | |||
callPackage = pkgs.callPackage; | |||
in { | |||
nixpkgs.overlays = [(final: prev: { | |||
custom_keycloak_themes = { | |||
custom = callPackage ./keycloak_custom_theme.nix {}; | |||
}; | |||
})]; | |||
} | |||
</nowiki>}} | |||
{ | ==== Configure your keycloak service ==== | ||
{{file|configuration.nix|nix|<nowiki> | |||
} | { config, pkgs, lib, ... }: | ||
{ | |||
imports = | |||
[ # Include the results of the hardware scan. | |||
./hardware-configuration.nix | |||
./keycloak | |||
]; | |||
... | |||
environment.systemPackages = with pkgs; [ | |||
... | |||
# authentication requires | |||
keycloak | |||
custom_keycloak_themes.agatha | |||
]; | |||
... | |||
services.keycloak = { | |||
enable = true; | |||
themes = with pkgs ; { | |||
custom = custom_keycloak_themes.custom; | |||
}; | |||
... | |||
} | |||
</nowiki>}} | </nowiki>}} | ||
[[Category:Server]] | |||
[[Category:Security]] | |||
[[Category:NixOS Manual]] |