* Keycloak
Running at id.fcuny.net
There's an admin user in 1password.
** Client for forgejo
- create a client with name =forgejo=
- set root URL to =https://code.fcuny.net=
- set home URL to =https://code.fcuny.net=
- set valid redirect URIs to =https://code.fcuny.net*= (the trailing wildcard allows any path on that host; Forgejo only ever redirects back to =/user/oauth2/<authentication source name>/callback=, so narrow it to that exact URL once the source is named)
- set web origins to =https://code.fcuny.net=
- set admin URL to =https://code.fcuny.net=
- set client authentication to =on=
- keep =standard flow= checked and nothing else
*** forgejo configuration
- create a new authentication source under https://code.fcuny.net/admin/auths
- choose OAuth2
- set the name to =id.fcuny.net=
- set OAuth2 provider to OpenID Connect
- set the OpenID Connect auto discovery URL to =https://id.fcuny.net/realms/master/.well-known/openid-configuration=
- the client ID is =forgejo=
- the client secret is in the =credentials= tab of the =forgejo= client in the Keycloak admin console (the tab only exists because client authentication is on)
- select =skip local 2FA= (Forgejo then trusts Keycloak for the second factor, so enforce OTP or WebAuthn in Keycloak instead)
** Managing with terranix
Ultimately we want to manage it with terranix.
First, we need a client ID and a secret. The client can be created in the UI:
- https://id.fcuny.net/admin/master/console/#/master/clients
- create a new client (use =terranix= if possible, so that it's descriptive)
- =Standard Flow Enabled= should be disabled
- =Direct Access Grants Enabled= should be disabled
- =Service Accounts Enabled= should be enabled
Then go to "Service account roles" for the newly created client and assign it the =admin= realm role (assign role -> filter by realm roles -> admin). That role can change anything in every realm, so the client secret is effectively a root credential for Keycloak and belongs in 1password next to the admin user.
Export the secret as =KEYCLOAK_CLIENT_SECRET= (together with =KEYCLOAK_URL= and =KEYCLOAK_CLIENT_ID=), which the Terraform Keycloak provider reads from the environment.
To import resources:
#+begin_src bash
nix run .#tf -- import keycloak_realm.master master
nix run .#tf -- import keycloak_user.fcuny master/d0fdbc04-8f6c-4558-8fd6-ebf7d9e23e6f
...
#+end_src
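The two clients described above (the =forgejo= OIDC client and the =terranix= service-account client), written as a terranix module. This is an added example, not the repository's own configuration. It assumes the =mrparkers/keycloak= provider source, that the provider takes its URL and credentials from =KEYCLOAK_URL=, =KEYCLOAK_CLIENT_ID= and =KEYCLOAK_CLIENT_SECRET=, and that Forgejo's only callback for an authentication source named =id.fcuny.net= is =/user/oauth2/id.fcuny.net/callback=, which is why the redirect URI is narrowed instead of using the trailing wildcard from the UI walkthrough.

```nix
# Added example (not the repo's own module). Assumptions: provider source,
# environment-based provider credentials, and Forgejo's callback path.
{
  terraform.required_providers.keycloak.source = "mrparkers/keycloak";

  # URL, client ID and secret come from KEYCLOAK_URL, KEYCLOAK_CLIENT_ID and
  # KEYCLOAK_CLIENT_SECRET, so nothing secret ends up in the Nix store.
  provider.keycloak = { };

  # Imported with: nix run .#tf -- import keycloak_realm.master master
  resource.keycloak_realm.master = {
    realm = "master";
  };

  # The client Forgejo logs in through ("Client for forgejo" above).
  resource.keycloak_openid_client.forgejo = {
    realm_id = "\${keycloak_realm.master.id}";
    client_id = "forgejo";
    name = "forgejo";
    # "client authentication = on" in the UI is a confidential client.
    access_type = "CONFIDENTIAL";
    # Standard flow only: no implicit flow, no password grant, no service account.
    standard_flow_enabled = true;
    implicit_flow_enabled = false;
    direct_access_grants_enabled = false;
    service_accounts_enabled = false;
    root_url = "https://code.fcuny.net";
    base_url = "https://code.fcuny.net";
    admin_url = "https://code.fcuny.net";
    # Assumption: Forgejo only redirects to the callback of the authentication
    # source named "id.fcuny.net", so list that exact URL rather than
    # "https://code.fcuny.net*".
    valid_redirect_uris = [ "https://code.fcuny.net/user/oauth2/id.fcuny.net/callback" ];
    web_origins = [ "https://code.fcuny.net" ];
  };

  # The client terraform itself authenticates as. It was created by hand to
  # bootstrap, so import it rather than letting terraform create it:
  #   nix run .#tf -- import keycloak_openid_client.terranix master/<client uuid>
  resource.keycloak_openid_client.terranix = {
    realm_id = "\${keycloak_realm.master.id}";
    client_id = "terranix";
    access_type = "CONFIDENTIAL";
    standard_flow_enabled = false;
    direct_access_grants_enabled = false;
    service_accounts_enabled = true;
  };

  # The "assign role -> filter by realm roles -> admin" step from the UI.
  resource.keycloak_openid_client_service_account_realm_role.terranix_admin = {
    realm_id = "\${keycloak_realm.master.id}";
    service_account_user_id = "\${keycloak_openid_client.terranix.service_account_user_id}";
    role = "admin";
  };
}
```

After importing the realm and the hand-made =terranix= client, a plan should show only the =forgejo= client and the role binding as changes; anything else in the diff is drift between the UI and the module and worth reading before applying. The =client_secret= attribute is computed, so it never needs to be written into the module.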