author: Franck Cuny <franck@fcuny.net> 2025-09-01 12:38:41 -0700
committer: Franck Cuny <franck@fcuny.net> 2025-09-01 12:38:41 -0700
commit: 6b3de6a99ddd810eacdfb4d9f2109ad6fd310592 (patch)
tree: 10ece53c00f999a0781cf5c5f04524fc7f0ec367 /docs
parent: clean up flake and .envrc (diff)
download: infra-6b3de6a99ddd810eacdfb4d9f2109ad6fd310592.tar.gz
configure keycloak with terraform
Diffstat (limited to 'docs')
-rw-r--r-- docs/keycloak.org | 20
1 files changed, 20 insertions, 0 deletions
diff --git a/docs/keycloak.org b/docs/keycloak.org
index e29350f..c8760ff 100644
--- a/docs/keycloak.org
+++ b/docs/keycloak.org
@@ -22,3 +22,23 @@ There's an admin user in 1password.
- the client ID is =forgejo=
- the client secret is in the =credentials= tab in forgejo for the client
- select =skip local 2FA=
+** Managing with terranix
+Ultimately we want to manage it with terranix.
+
+First, we need a client ID and a secret. The client can be created in the UI:
+- https://id.fcuny.net/admin/master/console/#/master/clients
+- create a new client (use =terranix= if possible, so that it's descriptive)
+- =Standard Flow Enabled= should be disabled
+- =Direct Access Grants Enabled= should be disabled
+- =Service Accounts Enabled= should be enabled
+
+The go to "Service account roles" for the newly created client, and ensure it has =admin= role (assign role -> filter by realm roles -> admin).
+
+Export the secret with =KEYCLOAK_CLIENT_SECRET=.
+
+To import resources:
+#+begin_src bash
+nix run .#tf -- import keycloak_realm.master master
+nix run .#tf -- import keycloak_user.fcuny master/d0fdbc04-8f6c-4558-8fd6-ebf7d9e23e6f
+...
+#+end_src
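Review bot: the "Service account roles" step hands the terranix client the realm =admin= role, which is the broadest grant in Keycloak and makes a leaked =KEYCLOAK_CLIENT_SECRET= equivalent to the 1Password admin user mentioned just above; the section should either justify why the provider needs full admin or point at the narrower realm-management roles that cover the resources actually imported here (realm and users). The secret handling is also only half documented: the text says "we need a client ID and a secret" but only the secret gets an export instruction, so say where the client ID and the server URL are configured, and, in line with the existing note about the admin user, where the client secret is kept (the =credentials= tab is the source, but it should also land in 1Password rather than only in a shell environment). Minor: "The go to" should read "Then go to".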