{ lib, ... }:
let
mkUser =
{
enable ? true,
first_name,
last_name,
username,
email,
initial_password ? null,
}:
{
realm_id = lib.tf.ref "keycloak_realm.fcuny.id";
enabled = enable;
inherit
username
email
first_name
last_name
;
email_verified = true;
required_actions = [
"Update password"
"Configure OTP"
];
initial_password = {
value = email;
temporary = true;
};
};
in
{
provider.keycloak = {
client_id = "terranix";
url = "https://id.fcuny.net";
realm = "master";
};
resource.secret_resource.keycloak_smtp_password.lifecycle.prevent_destroy = true;
resource.keycloak_realm."fcuny" = {
enabled = true;
realm = "fcuny.net";
display_name = "Keycloak for fcuny.net";
login_theme = "keycloak";
access_code_lifespan = "1h";
reset_password_allowed = true;
remember_me = true;
login_with_email_allowed = true;
smtp_server = {
from = "noreply@fcuny.net";
from_display_name = "fcuny.net identity services";
host = "smtp.fastmail.com";
port = 465;
ssl = true;
starttls = true;
auth = {
username = "franck@fcuny.net";
# nix run .#tf -- import secret_resource.keycloak_smtp_password SMPT_PASSWORD
# https://github.com/numtide/terraform-provider-secret?tab=readme-ov-file#usage
password = lib.tf.ref "resource.secret_resource.keycloak_smtp_password.value";
};
};
default_signature_algorithm = "RS256";
};
resource.keycloak_user = {
fcuny = mkUser {
username = "fcuny";
first_name = "Franck";
last_name = "Cuny";
email = "franck@fcuny.net";
};
};
data.keycloak_openid_client.realm_management_client = {
realm_id = lib.tf.ref "keycloak_realm.fcuny.id";
client_id = "realm-management";
};
data.keycloak_role.admin = {
realm_id = lib.tf.ref "keycloak_realm.fcuny.id";
client_id = lib.tf.ref "data.keycloak_openid_client.realm_management_client.id";
name = "realm-admin";
};
resource.keycloak_role = {
forgejo_admin = {
realm_id = lib.tf.ref "keycloak_realm.fcuny.id";
client_id = lib.tf.ref "keycloak_openid_client.forgejo.id";
name = "Forgejo Admin";
description = "Forgejo's site admin";
};
};
resource.keycloak_openid_user_client_role_protocol_mapper = {
forgejo_role_mapper = {
name = "forgejo_roles_mapper";
realm_id = lib.tf.ref "keycloak_realm.fcuny.id";
client_id = lib.tf.ref "keycloak_openid_client.forgejo.id";
claim_name = "forgejo_roles";
claim_value_type = "String";
add_to_id_token = true;
add_to_access_token = true;
multivalued = true;
client_id_for_role_mappings = lib.tf.ref "keycloak_openid_client.forgejo.client_id";
};
};
resource.keycloak_user_roles =
let
superadminRoles = {
exhaustive = false;
realm_id = lib.tf.ref "keycloak_realm.fcuny.id";
role_ids = [
(lib.tf.ref "data.keycloak_role.admin.id")
(lib.tf.ref "keycloak_role.forgejo_admin.id")
];
};
in
{
fcuny_roles = superadminRoles // {
user_id = lib.tf.ref "keycloak_user.fcuny.id";
};
};
resource.keycloak_openid_client = {
forgejo = {
realm_id = lib.tf.ref "keycloak_realm.fcuny.id";
client_id = "forgejo";
name = "Forgejo [fcuny.net]";
enabled = true;
access_type = "CONFIDENTIAL";
standard_flow_enabled = true;
oauth2_device_authorization_grant_enabled = true;
base_url = "https://code.fcuny.net";
description = "fcuny.net's Forgejo instance";
direct_access_grants_enabled = true;
exclude_session_state_from_auth_response = false;
service_accounts_enabled = false;
full_scope_allowed = false;
valid_redirect_uris = [
"https://code.fcuny.net/*"
];
web_origins = [
"https://code.fcuny.net"
];
};
};
}