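{ lib, ... }:
let
  # Build the body of a keycloak_user resource in the fcuny realm.
  #
  # Arguments:
  #   enable           - whether the account may log in (default true)
  #   first_name, last_name, username, email
  #                    - identity fields, passed through unchanged
  #   initial_password - optional explicit initial password; when null the
  #                      user's e-mail address is used, as this module always
  #                      did.  The argument was previously accepted but
  #                      ignored; it is now honoured.
  #
  # The initial password is marked temporary and the user is sent through
  # "Update password" and "Configure OTP" on first login, so a guessable
  # default (the e-mail address) is only usable once.  NOTE(review): until
  # that first login anyone who knows the address can claim the account;
  # for anything beyond a single-operator realm pass initial_password or set
  # the credential out of band.
  mkUser =
    { enable ? true
    , first_name
    , last_name
    , username
    , email
    , initial_password ? null
    }:
    {
      realm_id = lib.tf.ref "keycloak_realm.fcuny.id";
      enabled = enable;
      inherit username email first_name last_name;
      email_verified = true;
      # NOTE(review): Keycloak's required-action aliases are UPDATE_PASSWORD
      # and CONFIGURE_TOTP; the strings below look like display names.
      # Confirm the provider accepts them — a rejected or ignored alias would
      # silently drop the forced password change / OTP enrolment.
      required_actions = [ "Update password" "Configure OTP" ];
      initial_password = {
        value = if initial_password != null then initial_password else email;
        temporary = true;
      };
    };
in
{
  # The provider authenticates against the master realm; the realm it
  # manages (fcuny) is created below.
  provider.keycloak = {
    client_id = "terranix";
    url = "https://id.fcuny.net";
    realm = "master";
  };

  # The SMTP password is imported into state once (see the auth block below)
  # and must never be destroyed by a plan, or realm mail — password reset,
  # verification — silently stops working.
  resource.secret_resource.keycloak_smtp_password.lifecycle.prevent_destroy = true;

  resource.keycloak_realm."fcuny" = {
    enabled = true;
    realm = "fcuny.net";
    display_name = "Keycloak for fcuny.net";
    login_theme = "keycloak";
    # NOTE(review): in the provider this is the client-login (authorization
    # code) timeout, whose Keycloak default is 1 minute.  An hour is generous
    # — confirm it is intended rather than a mix-up with a session lifespan.
    access_code_lifespan = "1h";
    reset_password_allowed = true;
    remember_me = true;
    login_with_email_allowed = true;
    smtp_server = {
      from = "noreply@fcuny.net";
      from_display_name = "fcuny.net identity services";
      host = "smtp.fastmail.com";
      # Port 465 is implicit TLS (ssl = true); STARTTLS is the 587 mechanism.
      # Setting both is contradictory — confirm which one Keycloak honours,
      # but keep transport encryption on in either case.
      port = 465;
      ssl = true;
      starttls = true;
      auth = {
        username = "franck@fcuny.net";
        # The password is never written to this file.  Import it into state
        # once with:
        #   nix run .#tf -- import secret_resource.keycloak_smtp_password SMTP_PASSWORD
        # https://github.com/numtide/terraform-provider-secret?tab=readme-ov-file#usage
        # Terraform state then holds the secret in clear text; protect the
        # state backend accordingly.
        password = lib.tf.ref "resource.secret_resource.keycloak_smtp_password.value";
      };
    };
    default_signature_algorithm = "RS256";
  };

  resource.keycloak_user = {
    fcuny = mkUser {
      username = "fcuny";
      first_name = "Franck";
      last_name = "Cuny";
      email = "franck@fcuny.net";
    };
  };

  # Built-in realm-management client; its realm-admin role grants full
  # administrative control of the fcuny realm.
  data.keycloak_openid_client.realm_management_client = {
    realm_id = lib.tf.ref "keycloak_realm.fcuny.id";
    client_id = "realm-management";
  };

  data.keycloak_role.admin = {
    realm_id = lib.tf.ref "keycloak_realm.fcuny.id";
    client_id = lib.tf.ref "data.keycloak_openid_client.realm_management_client.id";
    name = "realm-admin";
  };

  # Client role surfaced to Forgejo through the forgejo_roles claim below.
  resource.keycloak_role = {
    forgejo_admin = {
      realm_id = lib.tf.ref "keycloak_realm.fcuny.id";
      client_id = lib.tf.ref "keycloak_openid_client.forgejo.id";
      name = "Forgejo Admin";
      description = "Forgejo's site admin";
    };
  };

  # Emit the user's forgejo client roles as a multivalued "forgejo_roles"
  # claim in both the ID and access token so Forgejo can map them to
  # site-admin status.
  resource.keycloak_openid_user_client_role_protocol_mapper = {
    forgejo_role_mapper = {
      name = "forgejo_roles_mapper";
      realm_id = lib.tf.ref "keycloak_realm.fcuny.id";
      client_id = lib.tf.ref "keycloak_openid_client.forgejo.id";
      claim_name = "forgejo_roles";
      claim_value_type = "String";
      add_to_id_token = true;
      add_to_access_token = true;
      multivalued = true;
      client_id_for_role_mappings = lib.tf.ref "keycloak_openid_client.forgejo.client_id";
    };
  };

  resource.keycloak_user_roles =
    let
      # Full realm admin plus Forgejo site admin.  exhaustive = false means
      # roles granted outside this config are left in place rather than
      # stripped on apply — convenient, but it also means drift in a user's
      # privileges is not detected here.
      superadminRoles = {
        exhaustive = false;
        realm_id = lib.tf.ref "keycloak_realm.fcuny.id";
        role_ids = [
          (lib.tf.ref "data.keycloak_role.admin.id")
          (lib.tf.ref "keycloak_role.forgejo_admin.id")
        ];
      };
    in
    {
      fcuny_roles = superadminRoles // {
        user_id = lib.tf.ref "keycloak_user.fcuny.id";
      };
    };

  resource.keycloak_openid_client = {
    forgejo = {
      realm_id = lib.tf.ref "keycloak_realm.fcuny.id";
      client_id = "forgejo";
      name = "Forgejo [fcuny.net]";
      enabled = true;
      # Confidential client: a client secret is required at the token
      # endpoint, so the authorization code alone is not enough to mint
      # tokens.
      access_type = "CONFIDENTIAL";
      standard_flow_enabled = true;
      oauth2_device_authorization_grant_enabled = true;
      base_url = "https://code.fcuny.net";
      description = "fcuny.net's Forgejo instance";
      # NOTE(review): this enables the resource-owner-password grant, which
      # lets the client POST a username and password straight to the token
      # endpoint, bypassing the browser login flow (and therefore the OTP
      # required action above).  Forgejo's OIDC login does not need it;
      # disable unless something else depends on it.
      direct_access_grants_enabled = true;
      exclude_session_state_from_auth_response = false;
      service_accounts_enabled = false;
      # Only explicitly assigned scopes reach the token; keeps realm-admin
      # out of tokens issued to Forgejo.
      full_scope_allowed = false;
      # Wildcard is scoped to a single https origin; keep it that way —
      # never widen to "*" or add http://.
      valid_redirect_uris = [ "https://code.fcuny.net/*" ];
      web_origins = [ "https://code.fcuny.net" ];
    };
  };
}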