* Keycloak

Running at https://id.fcuny.net. There's an admin user in 1password.

** Bootstrap

#+begin_src shell
ssh keycloak-host -L 8080:localhost:8080
#+end_src

Then go to =http://localhost:8080= with your browser to set up the initial admin user. The tunnel is what makes this safe: the unauthenticated bootstrap page is only reachable from localhost on the host, never from the public hostname.

** Client for forgejo

The client is managed by terranix.

*** forgejo configuration

- create a new authentication source under https://code.fcuny.net/admin/auths
- choose OAuth2
- set the name to =id.fcuny.net=
- set OAuth2 provider to OpenID Connect
- set the OpenID Connect auto discovery URL to =https://id.fcuny.net/realms/master/.well-known/openid-configuration=
- the client ID is =forgejo=
- the client secret is in the =Credentials= tab of the =forgejo= client in the Keycloak admin console
- select =skip local 2FA= (2FA is then Keycloak's responsibility, so make sure it is enforced there)

** Managing with terranix

Ultimately we want to manage it with terranix. First, we need a client ID and a secret. The client can be created in the UI:

- https://id.fcuny.net/admin/master/console/#/master/clients
- create a new client (use =terranix= as the client ID if possible, so that it's descriptive)
- =Standard Flow Enabled= should be disabled
- =Direct Access Grants Enabled= should be disabled
- =Service Accounts Enabled= should be enabled

With only service accounts enabled, the client can obtain tokens solely through the client credentials grant: no browser redirect and no user password ever involves this client.

Then go to "Service account roles" for the newly created client, and ensure it has the =admin= role (assign role -> filter by realm roles -> admin). The realm =admin= role in the =master= realm gives this client full administrative control over the whole Keycloak instance, so treat its secret like the admin password.

Export the secret as =KEYCLOAK_CLIENT_SECRET= (it might already be set in =../.envrc.local=, which must stay out of git).
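The following script is an added example, not part of these notes or of terranix, for checking that the service-account client was set up as described: it requests a token with the client credentials grant, confirms the token carries the realm =admin= role, and then lists the =forgejo= client through the admin REST API (the API terranix's Keycloak provider uses). It assumes the hostnames and client IDs from the notes above, that the secret is exported as =KEYCLOAK_CLIENT_SECRET=, and that the client ID is =terranix=; the =build_unsigned_jwt= helper exists only to construct offline test tokens.

```python
"""Sanity checks for the Keycloak service-account client used by terranix.

Added example. Assumes the hostnames and client IDs from the notes above
and that the secret is exported as KEYCLOAK_CLIENT_SECRET.
"""
import base64
import json
import os
import sys
import urllib.parse
import urllib.request

KEYCLOAK_URL = "https://id.fcuny.net"  # assumption: the host from the notes
REALM = "master"
CLIENT_ID = "terranix"                  # assumption: the client ID suggested above


def token_request(base_url, realm, client_id, client_secret):
    """Build the client-credentials token request for a service-account client.

    With Standard Flow and Direct Access Grants disabled on the client, this
    grant type is the only way the client can obtain a token.
    """
    url = f"{base_url}/realms/{realm}/protocol/openid-connect/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    return urllib.request.Request(url, data=body, method="POST")


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token):
    """Return the claims of a JWT without verifying its signature.

    Only acceptable for inspecting a token we just received over TLS from the
    issuer itself; never base an authorization decision on unverified claims.
    """
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def realm_roles(token):
    """Realm roles Keycloak put in the token (the 'roles' client scope is on by default)."""
    return set(jwt_claims(token).get("realm_access", {}).get("roles", []))


def has_realm_role(token, role):
    return role in realm_roles(token)


def build_unsigned_jwt(claims):
    """Construct an alg=none JWT for offline testing only; Keycloak rejects these."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


def main():
    secret = os.environ.get("KEYCLOAK_CLIENT_SECRET")
    if not secret:
        sys.exit("KEYCLOAK_CLIENT_SECRET is not set (see ../.envrc.local)")
    req = token_request(KEYCLOAK_URL, REALM, CLIENT_ID, secret)
    with urllib.request.urlopen(req) as resp:
        token = json.load(resp)["access_token"]
    if not has_realm_role(token, "admin"):
        sys.exit(f"service account for {CLIENT_ID} lacks the realm 'admin' role; "
                 f"it has {sorted(realm_roles(token))}")
    # Listing the forgejo client proves the token is usable on the admin API.
    admin = urllib.request.Request(
        f"{KEYCLOAK_URL}/admin/realms/{REALM}/clients?clientId=forgejo",
        headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(admin) as resp:
        clients = json.load(resp)
    print("ok:", [c["clientId"] for c in clients])


if __name__ == "__main__":
    main()
```

Run it from the directory that sources =../.envrc.local=; a failure at the first step means the client credentials or the grant settings are wrong, a failure at the role check means the service account roles were not assigned, and a 403 on the admin API means the token carries the role but the realm does not honour it.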