From d1a61a0f28f551e15aa8331bbd672cc9648f47e3 Mon Sep 17 00:00:00 2001
From: Victor
Date: Mon, 16 Jan 2023 16:01:34 +0100
Subject: [PATCH] replace keycloak with dex

---
 nixos/hosts/olympus/default.nix | 5 +-
 nixos/hosts/olympus/dex/configuration.nix | 31 +++++++-----
 .../hosts/olympus/keycloak/configuration.nix | 47 -------------------
 .../olympus/mailserver/configuration.nix | 4 --
 nixos/hosts/olympus/nginx/configuration.nix | 1 -
 nixos/hosts/olympus/outline/configuration.nix | 14 +++---
 6 files changed, 25 insertions(+), 77 deletions(-)
 delete mode 100644 nixos/hosts/olympus/keycloak/configuration.nix

diff --git a/nixos/hosts/olympus/default.nix b/nixos/hosts/olympus/default.nix
index d08fa6a..3c8c7ce 100644
--- a/nixos/hosts/olympus/default.nix
+++ b/nixos/hosts/olympus/default.nix
@@ -123,10 +123,7 @@
 ip = "10.42.42.28";
 mac = "9E:86:D3:46:EE:AE";
 };
- "keycloak" = {
- ip = "10.42.42.29";
- mac = "A6:09:1D:A8:81:28";
- };
+ # 10.42.42.29
 "vault-1" = {
 ip = "10.42.42.30";
 mac = "26:69:0E:7C:B3:79";
diff --git a/nixos/hosts/olympus/dex/configuration.nix b/nixos/hosts/olympus/dex/configuration.nix
index 37ff572..8d030c8 100644
--- a/nixos/hosts/olympus/dex/configuration.nix
+++ b/nixos/hosts/olympus/dex/configuration.nix
@@ -49,19 +49,24 @@ in {
 };
 web.http = "0.0.0.0:5556";
- connectors = [
- {
- type = "gitea";
- id = "gitea";
- name = "Gitea";
- config = {
- clientID = "$GITEA_CLIENT_ID";
- clientSecret = "$GITEA_CLIENT_SECRET";
- redirectURI = "https://dex.0x76.dev/callback";
- baseURL = "https://git.0x76.dev";
- };
- }
- ];
+ connectors = [{
+ type = "gitea";
+ id = "gitea";
+ name = "Gitea";
+ config = {
+ clientID = "$GITEA_CLIENT_ID";
+ clientSecret = "$GITEA_CLIENT_SECRET";
+ redirectURI = "https://dex.0x76.dev/callback";
+ baseURL = "https://git.0x76.dev";
+ };
+ }];
+
+ staticClients = [{
+ id = "outline";
+ name = "Outline";
+ redirectURIs = [ "https://outline.0x76.dev/auth/oidc.callback" ];
+ secretEnv = "OUTLINE_CLIENT_SECRET";
+ }];
 };
 environmentFile = "${vs.dex}/environment";
diff --git a/nixos/hosts/olympus/keycloak/configuration.nix b/nixos/hosts/olympus/keycloak/configuration.nix
deleted file mode 100644
index 9e82947..0000000
--- a/nixos/hosts/olympus/keycloak/configuration.nix
+++ /dev/null
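Review bot: The `outline` static client's secret is read from `OUTLINE_CLIENT_SECRET` in `${vs.dex}/environment` on the `secretEnv` line, while the Outline side (the last hunk of this patch) reads the same credential from `${vs.outline}/dexClientSecret`; these are two independently provisioned vault values that must be byte-identical, and a mismatch only shows up as a failed login with no indication of which side is wrong. A comment such as `# must match ${vs.outline}/dexClientSecret consumed by outline` on the `secretEnv` line would make the coupling visible to whoever rotates either secret. The `redirectURIs` list is correctly limited to the single exact HTTPS callback; that exact-match restriction is what keeps the authorization code from being redirected elsewhere, so it should stay a single entry rather than grow a wildcard or plain-HTTP variant. The enclosing attribute set starts before this hunk.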
@@ -1,47 +0,0 @@
-# Edit this configuration file to define what should be installed on
-# your system. Help is available in the configuration.nix(5) man page
-# and in the NixOS manual (accessible by running ‘nixos-help’).
-
-{ config, pkgs, lib, ... }:
-let vs = config.vault-secrets.secrets; in
-{
- imports = [ ];
-
- # This value determines the NixOS release from which the default
- # settings for stateful data, like file locations and database versions
- # on your system were taken. It‘s perfectly fine and recommended to leave
- # this value at the release version of the first install of this system.
- # Before changing this value read the documentation for this option
- # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
- system.stateVersion = "22.11"; # Did you read the comment?
-
- # Additional packages
- environment.systemPackages = with pkgs; [ ];
-
- networking.firewall.allowedTCPPorts = [
- config.services.keycloak.settings.http-port
- ];
-
- environment.noXlibs = lib.mkForce false;
-
- vault-secrets.secrets.keycloak = { };
-
- # If loadCredential doesn't work:
- # https://github.com/NixOS/nixpkgs/issues/157449#issuecomment-1208501368
- # also check: systemd 252 got more strict about how exactly the filesystems need to be set up for credentials to work properly
- services.keycloak = {
- enable = true;
- database = {
- type = "postgresql";
- host = "localhost";
- createLocally = true;
- passwordFile = "${vs.keycloak}/databasePassword";
- };
- settings = {
- hostname = "id.0x76.dev";
- proxy = "edge";
- hostname-strict-backchannel = true;
- };
- };
-
-}
diff --git a/nixos/hosts/olympus/mailserver/configuration.nix b/nixos/hosts/olympus/mailserver/configuration.nix
index 220402c..754a88e 100644
--- a/nixos/hosts/olympus/mailserver/configuration.nix
+++ b/nixos/hosts/olympus/mailserver/configuration.nix
@@ -43,10 +43,6 @@ let vs = config.vault-secrets.secrets; in
 aliases = [ "lau@meowy.tech" ];
 };
 # Services
- "keycloak@0x76.dev" = {
- hashedPasswordFile = "${vs.mailserver}/keycloak@0x76.dev";
- sendOnly = true;
- };
 "gitea@0x76.dev" = {
 hashedPasswordFile = "${vs.mailserver}/gitea@0x76.dev";
 sendOnly = true;
diff --git a/nixos/hosts/olympus/nginx/configuration.nix b/nixos/hosts/olympus/nginx/configuration.nix
index 70fc203..8f18d64 100644
--- a/nixos/hosts/olympus/nginx/configuration.nix
+++ b/nixos/hosts/olympus/nginx/configuration.nix
@@ -52,7 +52,6 @@ in {
 virtualHosts."o.0x76.dev" = proxy "http://minio.olympus:9000";
 virtualHosts."grafana.0x76.dev" = proxy "http://victoriametrics.olympus:2342";
 virtualHosts."outline.0x76.dev" = proxy "http://outline.olympus:3000";
- virtualHosts."id.0x76.dev" = proxy "http://keycloak.olympus:80";
 virtualHosts."ntfy.0x76.dev" = proxy "http://ntfy.olympus:80";
 virtualHosts."ci.0x76.dev" = proxy "http://woodpecker.olympus:8000";
 virtualHosts."dex.0x76.dev" = proxy "http://dex.olympus:5556";
diff --git a/nixos/hosts/olympus/outline/configuration.nix b/nixos/hosts/olympus/outline/configuration.nix
index 3b792c9..452fabd 100644
--- a/nixos/hosts/olympus/outline/configuration.nix
+++ b/nixos/hosts/olympus/outline/configuration.nix
@@ -16,8 +16,6 @@ let vs = config.vault-secrets.secrets; in
 system.stateVersion = "22.11"; # Did you read the comment?
 # Additional packages
- environment.systemPackages = with pkgs; [ ];
- - networking.firewall.allowedTCPPorts = [
 config.services.outline.port
 ];
@@ -42,13 +40,13 @@ let vs = config.vault-secrets.secrets; in
 uploadBucketName = "outline";
 region = "us-east-1"; # fake
 };
- oidcAuthentication = {
- displayName = "Keycloak";
- userinfoUrl = "https://id.0x76.dev/realms/master/protocol/openid-connect/userinfo";
- tokenUrl = "https://id.0x76.dev/realms/master/protocol/openid-connect/token";
+ oidcAuthentication = {
+ displayName = "Dex";
+ userinfoUrl = "https://dex.0x76.dev/userinfo";
+ tokenUrl = "https://dex.0x76.dev/token";
 clientId = "outline";
- authUrl = "https://id.0x76.dev/realms/master/protocol/openid-connect/auth";
- clientSecretFile = "${vs.outline}/keycloakClientSecret";
+ authUrl = "https://dex.0x76.dev/auth";
+ clientSecretFile = "${vs.outline}/dexClientSecret";
 };
 smtp = rec {
 username = "outline@0x76.dev";
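Review bot: The `clientSecretFile` line switches the vault key from `keycloakClientSecret` to `dexClientSecret`, but nothing in this patch retires the old key, so if it is still present under `${vs.outline}` it lingers as an unused credential; the same presumably applies to the `keycloak` vault path and the `${vs.mailserver}/keycloak@0x76.dev` password file that the deleted host config and the mailserver hunk referenced, and all three should be removed from the vault alongside this change. Separately, `oidcAuthentication = {` is removed and re-added with identical text, which suggests an indentation-only change folded into the functional switch; keeping formatting separate from the Keycloak→Dex replacement would make the reviewable diff smaller. The enclosing attribute set starts before and ends after this hunk.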