From 6b3de6a99ddd810eacdfb4d9f2109ad6fd310592 Mon Sep 17 00:00:00 2001 From: Franck Cuny Date: Mon, 1 Sep 2025 12:38:41 -0700 Subject: configure keycloak with terraform --- docs/keycloak.org | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) (limited to 'docs') diff --git a/docs/keycloak.org b/docs/keycloak.org index e29350f..c8760ff 100644 --- a/docs/keycloak.org +++ b/docs/keycloak.org @@ -22,3 +22,23 @@ There's an admin user in 1password. - the client ID is =forgejo= - the client secret is in the =credentials= tab in forgejo for the client - select =skip local 2FA= +** Managing with terranix +Ultimately we want to manage it with terranix. + +First, we need a client ID and a secret. The client can be created in the UI: +- https://id.fcuny.net/admin/master/console/#/master/clients +- create a new client (use =terranix= if possible, so that it's descriptive) +- =Standard Flow Enabled= should be disabled +- =Direct Access Grants Enabled= should be disabled +- =Service Accounts Enabled= should be enabled + +The go to "Service account roles" for the newly created client, and ensure it has =admin= role (assign role -> filter by realm roles -> admin). + +Export the secret with =KEYCLOAK_CLIENT_SECRET=. + +To import resources: +#+begin_src bash +nix run .#tf -- import keycloak_realm.master master +nix run .#tf -- import keycloak_user.fcuny master/d0fdbc04-8f6c-4558-8fd6-ebf7d9e23e6f +... +#+end_src -- cgit v1.2.3
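Review bot: the "Service account roles" step in the new "Managing with terranix" section grants the terranix client the realm-wide =admin= role, which makes a leaked =KEYCLOAK_CLIENT_SECRET= equivalent to the admin account kept in 1password; worth a sentence saying why full admin is needed (or which narrower realm-management roles would suffice for the realm and user resources being imported) and noting that the secret should be sourced from 1password rather than left in a shell history after =export=. Smaller points in the same hunk: "The go to "Service account roles"" should read "Then go to "Service account roles""; the doc exports only the secret, so say where the client ID and the Keycloak URL are expected to come from so the =nix run .#tf -- import= commands are reproducible; and the trailing =...= in the import block would read better as a note on how to find the remaining resource IDs (the user import already embeds a realm-specific UUID) than as an open-ended ellipsis.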