From 7778fa68ec75a08a74c99ba5f5da207111422d9c Mon Sep 17 00:00:00 2001
From: Joey Hafner
Date: Sat, 1 Feb 2025 00:13:25 -0800
Subject: [PATCH] Feature: Init stack.nix for keycloak.

- Rotate secrets for all components.
- Delete unused volume.
---
 homelab/stacks/keycloak/.env | 1 -
 homelab/stacks/keycloak/docker-compose.yml | 13 ++---
 .../keycloak/forwardauth-privileged.secrets | 55 ++++---------------
 homelab/stacks/keycloak/forwardauth.secrets | 55 ++++---------------
 homelab/stacks/keycloak/keycloak.secrets | 55 ++++---------------
 homelab/stacks/keycloak/postgres.secrets | 55 ++++---------------
 homelab/stacks/keycloak/stack.nix | 41 ++++++++++++++
 7 files changed, 90 insertions(+), 185 deletions(-)
 delete mode 100644 homelab/stacks/keycloak/.env
 create mode 100644 homelab/stacks/keycloak/stack.nix

diff --git a/homelab/stacks/keycloak/.env b/homelab/stacks/keycloak/.env
deleted file mode 100644
index 6d02818d..00000000
--- a/homelab/stacks/keycloak/.env
+++ /dev/null
@@ -1 +0,0 @@
-KEYCLOAK_DATA="/home/admin/data/keycloak/data"
\ No newline at end of file
diff --git a/homelab/stacks/keycloak/docker-compose.yml b/homelab/stacks/keycloak/docker-compose.yml
index 723345d4..2926bcb7 100644
--- a/homelab/stacks/keycloak/docker-compose.yml
+++ b/homelab/stacks/keycloak/docker-compose.yml
@@ -23,7 +23,7 @@ services:
 KC_METRICS_ENABLED: true
 KEYCLOAK_ADMIN: Jafner
 env_file:
- - path: ./keycloak.secrets
+ - path: /run/secret/keycloak/keycloak
 required: true
 labels:
 traefik.http.routers.keycloak.rule: Host(`keycloak.jafner.net`)
@@ -49,7 +49,7 @@ services:
 CLIENT_ID: "traefik-forward-auth"
 LOG_LEVEL: "debug"
 env_file:
- - path: ./forwardauth.secrets
+ - path: /run/secret/keycloak/forwardauth
 required: true
 labels:
 - "traefik.enable=false"
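Review bot: The new env_file path `/run/secret/keycloak/keycloak` in the @@ -23 hunk does not match where sops-nix places a secret declared as `sops.secrets."keycloak/keycloak"` — its default location is `/run/secrets/<name>` (plural), so unless the secrets mount point is overridden somewhere not in this patch, compose will refuse to start the service because of `required: true`. The same `/run/secret/…` prefix is used in the @@ -49, @@ -72 and @@ -88 hunks of this file. Either change the four lines to the form `- path: /run/secrets/keycloak/keycloak`, or pin the location explicitly with `path = …` on each entry in stack.nix so the compose file and the module cannot drift apart. Keeping `required: true` is the right call: a mismatch fails loudly instead of the service starting without its credentials.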
@@ -72,7 +72,7 @@ services: CLIENT_ID: "traefik-forward-auth-privileged" LOG_LEVEL: "debug" env_file: - - path: ./forwardauth-privileged.secrets + - path: /run/secret/keycloak/forwardauth-privileged required: true labels: - "traefik.enable=false" @@ -88,15 +88,12 @@ services: POSTGRES_DB: keycloak POSTGRES_USER: keycloak env_file: - - path: ./postgres.secrets + - path: /run/secret/keycloak/postgres required: true volumes: - - postgres_data:/var/lib/postgresql/data + - $APPDATA/postgres:/var/lib/postgresql/data networks: web: external: true keycloak: - -volumes: - postgres_data: \ No newline at end of file diff --git a/homelab/stacks/keycloak/forwardauth-privileged.secrets b/homelab/stacks/keycloak/forwardauth-privileged.secrets index 83b43b3e..a1f4f4be 100644 --- a/homelab/stacks/keycloak/forwardauth-privileged.secrets +++ b/homelab/stacks/keycloak/forwardauth-privileged.secrets 
@@ -1,54 +1,21 @@ { "data": "ENC[AES256_GCM,data:jpguP28Vxd2gIgnCjoo1x78iyYfejg+EBrp3ji+PHZfQD8iqwCyswBYNnLlssPSOeOCjubp6DA1ujcwGed+a8dkXjufme1QCTfmo2BrFfXIKmcnl8YqbOf4Jxn5pK2IUNvKjwVoG9/MmDrXS5zdsl0RGaGdSPHZWbCeeVful6GHuBAxNotPk3ZlW9N9MrRZ9iD6X18cM,iv:z07y+Fz86lR81A/L9jLshkKds0seHiBN3UTnFbaF8SA=,tag:pX5ayIPNWp114sZE6oae+w==,type:str]", "sops": { - "shamir_threshold": 2, - "key_groups": [ - { - "hc_vault": null, - "age": [ - { - "recipient": "age1zswcq6t5wl8spr3g2wpxhxukjklngcav0vw8py0jnfkqd2jm2ypq53ga00", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMaWdXZjRkREc4eDJHaHl6\ncksvWDdZMkxZcTFLL0dUbDNDSUFhY1llTlVBCkUvSDduV3FJYk5udWhYVEFlTUJo\nVnBkTzJDeWFCYTVGZUIwMkdWM2cydTgKLS0tIEd0M3d2bnlpRkhFcHhLZStjUFNE\nLzY1bmVEblBUcXlLTnh4TWlFbUN2cE0K8HwwAiDS+7oZ+f1HaZXAyKI2ow4LFC6L\np7YqBrdvHBFhe/g4Tt/nV9RNzYS/AUq3xuSX2eBS76LVNvyRZGfePh0=\n-----END AGE ENCRYPTED FILE-----\n" - } - ] - }, - { - "hc_vault": null, - "age": [ - { - "recipient": "age1zswcq6t5wl8spr3g2wpxhxukjklngcav0vw8py0jnfkqd2jm2ypq53ga00", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlWjJGRU1zQjRoN0tnMUxt\nTWd3aHNIcFdwZWFWZVNLRU42TmVQZUhyWTFzCjBuZytJMlBQaDhtWTNQVXhTbjA3\nVlczSmhtS3F3WjhhOFZTUTR2SFVERDgKLS0tICtzOVFpUDkvaEtPdSszN2FFZnJW\nWUVSa0Q1TFJUUEs4cFJVUFBCeXMzVUkKWij6wB2LntxLxRsurqjGZx7Yzk4B2meI\nctxz5gHGkfL4psY+snRx4IOtry2Hd9uQLVCxLDDiST6zFDG6KE29IMg=\n-----END AGE ENCRYPTED FILE-----\n" - } - ] - }, - { - "hc_vault": null, - "age": [ - { - "recipient": "age193t908fjxl8ekl77p5xqnpj4xmw3y0khvyzlrw22hdzjduk6l53q05spq3", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpVnJDRjZveW5kYkduRGpK\nMU5ibHNGUFpRMGdIeDRGcStIVHZpZnFyeDJnCk1QSDB5VXlyNVcrQ0Y0YzJqeE1J\ncDJhT2FWNGdqUWUrYnNYVVlyQnh1SEEKLS0tIGZHYnJvNUxwa3NNREYwRk14WVlv\nY01seGd4WE5uMW5OaWJRY2hWMHpDT1EKWdLbmqge51ZRWh9t0umS+6MhLc1OWFNZ\n+suvSUGz/6DOYu4GwD3BVADttdBFr6yYF/VWO8aLWttOElF43t9/kWI=\n-----END AGE ENCRYPTED FILE-----\n" - } - ] - 
}, - { - "hc_vault": null, - "age": [ - { - "recipient": "age13prhyye2jy3ysa6ltnjgkrqtxrxgs0035d86jyn4ltgk3wxtqgrqgav855", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFV3dwUXZjSnVxRlZwbjdS\ndmltRmM2RnZlWXBlUkg2dHk1eE1uc21HVUVrClBqU25jL3paU2lZQys3QnBrdWF3\nZGJyRlBWbGtkRkd0bGVVcDJWTDZTYnMKLS0tIERaSXRpOGpTOTZ5WEZqNkpNSk1I\nSkcwcnAxdDZaa2V4ZzEzKyttN0huWjQKypRdr8tVPaNMiT/LviPmoxRoILi7ilNr\nomllbweerJMduBEn19Cd/kUxvqFTNhRVpwl4RH522dOhXBnYtjZg3NQ=\n-----END AGE ENCRYPTED FILE-----\n" - }, - { - "recipient": "age1n20krynrj75jqfy2muvhrygvzd4ee8ngamljqavsrk033zwx0ses2tdtfe", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDa3N1T3hFUmZlOVc3cTVx\nSmVTWmc4bmk4djRPUjY2RlFnZFY3R0FDK25zCmJCVXFzSDhpVzhUTUVjS1lYa0xN\nSU9vYWJMNnpLUzd5c2p6REpBbDhTYnMKLS0tIGxWTEozM0RpY3N1VlE1bkxrNFJn\nbitRQWZkcEx0NDVWQTI1SzBlaG92MUEKQtbqZ4PKELfdi2NJAxqryCNQ8RQL5Hua\nnX0ArDF5FGd3KhePIY7vbaBE1S6z+D1kl8vM2+MwPWnNjxx/ln+HYF0=\n-----END AGE ENCRYPTED FILE-----\n" - } - ] - } - ], + "shamir_threshold": 1, "kms": null, "gcp_kms": null, "azure_kv": null, "hc_vault": null, - "age": null, + "age": [ + { + "recipient": "age1v5wy7epv5mm8ddf3cfv8m0e9w4s693dw7djpuytz9td8ycha5f0sv2se9n", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLTzJ6TTJHeFd0TFE0QVRw\ndEJkWk5Yb2JoZnNmN2xCbkNlejZmb0Z4OWxRCmJCYlp4amx3MzU0MHJ3THZTVW9i\nZG9CanV6S0NMSFRIaStrd21xM3hDNVUKLS0tIHRVOTZTS24vRFhJV3V4SHRmUGFt\nYnpLWG5xZFI5QWxRY0R3REZwdXpRcE0K3QnfgVq7U3DInznOw2YSfYdQDdEyDl0b\nEJUOCLFiVDvTOXGMCe2u4s7SCFwOsGbkxqauaSBwzctUK84O+NQqRg==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1zswcq6t5wl8spr3g2wpxhxukjklngcav0vw8py0jnfkqd2jm2ypq53ga00", + "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByaU4wNWZhK0todldWaGpW\nQkZCMXR0SXRubjRoZkpaRUtSK1J3U0JGZVJFCktCYjRkYXR1TjRuendKcjJEVGhK\nUXp1RTM5bWxMaUNuUHJFakgwaFZNWWcKLS0tIHFDbmE3TWhybnJWOGVzOE9HTzgr\nQTNrK0hnUkhXcERpOS9EV0tXeVY2TGMKVBvB4no8TUJ8vwvNq1gnDkV6RjTLA85z\nTzql/GxXmhd4VlJcAXkrZWdR4OfUpP3oIOpQRWkvjNIJ04ZDV9kFmg==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], "lastmodified": "2024-10-08T18:51:47Z", "mac": "ENC[AES256_GCM,data:AkjpXJ53ArZ7IdNg+tZBWNqQ6ik3prDRX93JGvDEgdJd0+lsci2m9uK+5sug2orr4tjzo0cf9o4j+N63IwXFCmyiDEBcgaLdPpgJKBcmf/a4pXWvu7aAs0sjHf1KEKLal6Za/6uBxPVdnaUxWo9G1hDtL9KAjhKWZ7c0dqGYkqI=,iv:9OY69R+M7E4THodVbxXewFQkiTFOjc4qiP0Y+HAJuLU=,tag:8lpeaPS59LAk9s79TGaJ9w==,type:str]", "pgp": null, diff --git a/homelab/stacks/keycloak/forwardauth.secrets b/homelab/stacks/keycloak/forwardauth.secrets index 197d02e5..68f37838 100644 --- a/homelab/stacks/keycloak/forwardauth.secrets +++ b/homelab/stacks/keycloak/forwardauth.secrets 
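Review bot: The `data`, `mac` and `lastmodified` lines of this hunk are unchanged context, so the encrypted value itself was not re-encrypted — this is a re-key of the recipients (four key groups removed, two age recipients added), not a rotation of the credential, despite the commit title saying "Rotate secrets". If the intent was to make previously accessible values unusable, the forward-auth client secret here and the values in the forwardauth.secrets, keycloak.secrets and postgres.secrets hunks need regenerating on the Keycloak/Postgres side and re-encrypting, which would change `data` and `mac`. The metadata also goes from `"shamir_threshold": 2` over separate key groups to `"shamir_threshold": 1` over a flat `age` list, so either of the two listed recipients can decrypt on its own, and `age1zswcq…` is carried over from the old set; a line in the commit message confirming that weakening is intended would help. Suggest the bullet read `- Re-key secrets for all components.` unless the values are rotated too.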
@@ -1,54 +1,21 @@ { "data": "ENC[AES256_GCM,data:fgB0JOEvZSPwDyQngmRXltL1xWoMoMR8xQJqepTfZFaO5QzM/ifm2bkYWHreitgpgPUH8Fr7XiWwhMi+Ib3EeUavoDU2t6BXPYQbxgynLLEy1upIzWJpe4QHfrd6bWP35o6/XHjLc+zGArz8yFRey56ZwSUShlG20m1hudTviViD2CbgxX1iEpbcg96wrvnG0Y64bqiPKX+qfFlUesKRRpvJmCcmOA==,iv:wdtBxdbXHcXKozXt4gYQclvkYWWEJRX7nJ71ZMkWKy8=,tag:D3rRP5WAkQOYPC4IkcrN6w==,type:str]", "sops": { - "shamir_threshold": 2, - "key_groups": [ - { - "hc_vault": null, - "age": [ - { - "recipient": "age1zswcq6t5wl8spr3g2wpxhxukjklngcav0vw8py0jnfkqd2jm2ypq53ga00", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyYXZvUGQyclhnejVPbytV\nZGpQSFhGcXVNcHpEdHZNZ3U3a2VqL1g2VG1BClhyaldjY3lhdE9oTmN2Q1g4VUtR\nTThzOG84Z0JBTk1RNm5PdFh1SjVhUU0KLS0tIFUwS1lYMTlrakgyWjdKbHBzNWJW\nNDVpMmdIYlV1M1NXOU41c3pHMGRjL3cKlMDcXDkqVERs7p+R2DKmto/nc5LJC1L8\nRXaovEdpJ4furaCMJFYGdYjTtDM1/HVyDUMV+TMibNk8yAD1hUvZ4cI=\n-----END AGE ENCRYPTED FILE-----\n" - } - ] - }, - { - "hc_vault": null, - "age": [ - { - "recipient": "age1zswcq6t5wl8spr3g2wpxhxukjklngcav0vw8py0jnfkqd2jm2ypq53ga00", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4SVc0aDBrTi9zQUEvWGJX\naEk2V1U4b1Q2T1luemJoY1NJajR1TWhWbEdjCkdMamZhSG5jSkttYmpQc1FNR1cy\ndTJMVEdIK3c4MkVlMTdZaWR2d3NIK1EKLS0tIDBCeDJnWlZaSEN1cXU4bVBOYWFj\nT3I2MzdLS0JZbFRaS1pieG92VGVIQzgK4S639cS+k1gwGJdjDKouLUjHbYU6KXAZ\n7F8JVRqHuTn3C1VItdCOJCz48dRNfQJVbu6F/qXgZWmLjUVWTF9J7ww=\n-----END AGE ENCRYPTED FILE-----\n" - } - ] - }, - { - "hc_vault": null, - "age": [ - { - "recipient": "age193t908fjxl8ekl77p5xqnpj4xmw3y0khvyzlrw22hdzjduk6l53q05spq3", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVYXZ5bzNvNWpscFlpcHNP\nVlg4UEF5RFVoVUYvODFpWmllZXpqRkdUdW5zCkZxckgrQ20rQlZESVV0Vllpa1pw\neFlDNXZVNExUTWR3ekVyTHdTSS9ocDQKLS0tIHJzUVNMKzEwRmRqbzhHMXRzOW83\nTlpTTXFHTlpPZm5lYkVvZjZZMnJ0NlkKysir8GBF5FbCA9hweXUpVqrTdTknqCNZ\n+lFm3WPBpb8xXWffv2tt9QRxXeF84ZkGD20HBPTDHK9Klh5dVLlUITQ=\n-----END AGE 
ENCRYPTED FILE-----\n" - } - ] - }, - { - "hc_vault": null, - "age": [ - { - "recipient": "age13prhyye2jy3ysa6ltnjgkrqtxrxgs0035d86jyn4ltgk3wxtqgrqgav855", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBaHNGbzN3bEt2YjJiNWFm\nQU8vbWNta3NEcGF2NXJZMGRuQmV1Qk5GN0RzCkJBdTR3WEFoclBoQUh2b0szV2dr\neTd2QTNPY29FVGdMTmJMQlVHMHE2cWcKLS0tIFVicy96dDFEVnF4bk1RNUhOTXZI\nazdiREd0R0JYSnlLY3JObEZvUWJzOW8K9+j8aGBI4303Zb09EyXA7CoCDgI6Pwzk\nm/rCInEbR8keqhSHYI58JH42bmYEHae+xMhr+Jn6OnS2oQwxUGxK67A=\n-----END AGE ENCRYPTED FILE-----\n" - }, - { - "recipient": "age1n20krynrj75jqfy2muvhrygvzd4ee8ngamljqavsrk033zwx0ses2tdtfe", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLQVRBWHFKRUhkRVliRzlL\nN3ZRQlJZdXZoSVRBWVU5SXVvOGxQZU5EKzBrCkp3TFFIaHdQaFV6ODBOL2hiWmhv\ndGRCKzZiNDN4N1RnQUpydXM1T3YybHcKLS0tIFhpVGZvdjZOamVhWVNWMCtCZktI\neUNEMmljc29jMzlwOGNHcjR2UDQwVVkKK+kcQ8Yozf0LfDGL5yKReM+WHEpDYOER\nhi4XfMQUVQiFoNOZcB8S/Jvnnpz7ku80XJku5kdgDhHwDuyVHO4KETs=\n-----END AGE ENCRYPTED FILE-----\n" - } - ] - } - ], + "shamir_threshold": 1, "kms": null, "gcp_kms": null, "azure_kv": null, "hc_vault": null, - "age": null, + "age": [ + { + "recipient": "age1v5wy7epv5mm8ddf3cfv8m0e9w4s693dw7djpuytz9td8ycha5f0sv2se9n", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxcmtURmxoMm9RRHY4Q3du\nbjk5dTZQVExTdTZzS28xRFBUcHVnWEF1UzJ3CmROcHlvSldtaFR0bEtlbERWRnJw\nM2xiZWlFeFB6OTZicldMWGRYSlo4amsKLS0tIGRPcGpXVEVCdVpheENNa0hxb1pp\nVEhVT0NYTGt2ci9ibkswSXV4UEJrc0UKdzsyPTM3d0vmWihCYm3OcmGC/klbPE8Q\nRezlTTOpYdxaA6FuC2Uyq1/AVQHe+mvlhy3nuIUoTwMSWruhfiZiKw==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1zswcq6t5wl8spr3g2wpxhxukjklngcav0vw8py0jnfkqd2jm2ypq53ga00", + "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArb09DUGhjSFdwVG1QeXNi\nRVhrNlQ3WU8vL2Q4bHBEaklnZHpDanRseUdvClluMnV0MzdtQkNvU1JveUxEOC9P\nYVB0UTh5STRXUnJNbm9JZ0tkTUZoYVUKLS0tIE5LLytSWmEwZVB4bU8zam1yWUlE\nZkEyMElQK1F0SUJOSzVTREtHWXRSZ0kKNRZwk0nasuV1QVXMZT7o8d/z6t8OfU2t\nr8Pr7HVC76810UcGqFHeeGp6i6mN7swtilltf4AJnnDYKr0anVfiPQ==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], "lastmodified": "2024-10-08T18:51:47Z", "mac": "ENC[AES256_GCM,data:G4TdaahUtwpPtTxYg+7f4D8/K/oJ5Tl6iSpc5jP+WuUC2M9GXJCTAWc/eqyxjmucY5jVDmU9HhceCptnj9/YX/QqIgwlOBUvm8LpcM15DAAhX7YeaOxLudchGpZyDKrI+j8IvT3RQUEx5XyMkAdO3uP0MfC3rwL6xiaEpXyCJmc=,iv:QjXP31iTt6S2URA8JFkQRRcjbgVa/xOAOVsuPUwbHNU=,tag:f6OkacHIGWy6GPIJQVcs+g==,type:str]", "pgp": null, diff --git a/homelab/stacks/keycloak/keycloak.secrets b/homelab/stacks/keycloak/keycloak.secrets index e0f06fdf..86173c94 100644 --- a/homelab/stacks/keycloak/keycloak.secrets +++ b/homelab/stacks/keycloak/keycloak.secrets 
@@ -1,54 +1,21 @@ { "data": "ENC[AES256_GCM,data:UkqWdi0bt93s/QP4UvJt/hCf5gtzG57MTPS/sdXOvz8s6lGWGBz687BpNXHaJEtJD1lABHwuNLOwldWRVKeCUid/4ry5QmsXQ4Rpj9Gzzy4zqehg89icFoP23TFPWNrsjohl3LHgi7eno51tsoioyP35ZyPY9nxirOQ7UhK7ZndhaLue2H5qwhRgSmm7DTSNCfkV+Cg9z68p6bRCvcaNeyAJlr7XyhE0uoGoLO7F55yu,iv:qUaa+HYnX+aB+DdXu7wCUBSnZuo79DbemRQq58KLFXY=,tag:B/akezxRkfaz3WL01JEtvQ==,type:str]", "sops": { - "shamir_threshold": 2, - "key_groups": [ - { - "hc_vault": null, - "age": [ - { - "recipient": "age1zswcq6t5wl8spr3g2wpxhxukjklngcav0vw8py0jnfkqd2jm2ypq53ga00", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiY0Zrck53bWdhSEhEaUI5\nM3VDc0FMUzJuT0E4b0NFL1RaRTFTL09IVjI4ClFDTitmM28xcjE5NThPRjlZdjU4\ndy9STVhJeDRzOUZUeHh6bkcxUXFSRTgKLS0tIGhUOFRhTXY5WHp2MkV6RjBPbmFn\nZ1NKQzIwTlhzSXFZaXpadXdLaFByc2MKfLbxcHtCaSIMDnJxj1k59jZoT6AiuDPQ\np5OSPFs8T/vdwk4BeFKV29emZRi20j0X7H5DANjm/40u1+fXf1+aIjs=\n-----END AGE ENCRYPTED FILE-----\n" - } - ] - }, - { - "hc_vault": null, - "age": [ - { - "recipient": "age1zswcq6t5wl8spr3g2wpxhxukjklngcav0vw8py0jnfkqd2jm2ypq53ga00", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxb2FWRittSnBnV0s2RlRI\nWXJnbm1DUlMxZTFWd3E3TnBnekp6d1ZwK1M4CjI5TWFhWkFQNS9jMWI2VFVKTHRx\nY2VMNUNTYUMwY29VelFqanRINmlEcmMKLS0tIDJCYXFER0Irb1F6RGtPRjNEdDJT\nNitpKzNOMEpvWjlXQ0RTdmFuTTdFWWcKNLlWxjk4EfoSidbp3BAL+kGj+n/Kpmg8\n6vTAb55PbXDZIqaD+1tRE25jwzWtsAe+Xkg6lCEnOCZV63e9ulGU+sA=\n-----END AGE ENCRYPTED FILE-----\n" - } - ] - }, - { - "hc_vault": null, - "age": [ - { - "recipient": "age193t908fjxl8ekl77p5xqnpj4xmw3y0khvyzlrw22hdzjduk6l53q05spq3", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIdGZ5eTQwOUVKK3lwSmk2\nUWdCREpXc2xaU0FiNTRwZjJWS3NkMmZyMUNZClIwR2ZLN3loRng0SEZZYlhJa1Q5\nSVl5TEp6QTk5bU5qc0tpblFKQzErTEUKLS0tIGJPeXhuWmFIMGkrdUU5eVZaeGRv\nMnB0bWdWRW0zNU9mTVRLWGFOSlY4NlkKIXd9HMzrhD+OLl/kVtuoirGIUmUNcee3\nQrbY1QznLjGhKyeGCEoQLb7Z8RezwYbKvOk0Acs0QEtzneeHB1LV1kE=\n-----END 
AGE ENCRYPTED FILE-----\n" - } - ] - }, - { - "hc_vault": null, - "age": [ - { - "recipient": "age13prhyye2jy3ysa6ltnjgkrqtxrxgs0035d86jyn4ltgk3wxtqgrqgav855", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3dHBrKzRFV0RoeHYrY3Vp\nZHVGN1RqMXNYbUhQMU5WcGcvYmsvZDdXZlZvCkxYTWsybzJVbjlxZ2pYRld2dkJo\nRWdLdnRtai9vc2VtNFpsVWViRFlHcUUKLS0tIHp5Y1dDc2Y2MGNiMVUwT0FKRkpD\nM3N4N0Q1YUtzNjNyQWxqWVJKV1dJNWMK2nr2N2mNQgQ22GkN/+GtAST6fRpDB6b4\n27gm2tC+vGYNLz3oyCelHAA4qtAI8h17y7K5NJwDzE2iiWQw5w+G+ZY=\n-----END AGE ENCRYPTED FILE-----\n" - }, - { - "recipient": "age1n20krynrj75jqfy2muvhrygvzd4ee8ngamljqavsrk033zwx0ses2tdtfe", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlRURkS2V2VUpLay9BWEF0\nV2grNWJWbkJGWjdWZE12TmhFcnN6bGg4ejBzCnliaFZZeWJWQ2MrUkphSlVPT3dW\nNnBsVG5leTlBWnIyZkRnWXhvb1BhK2cKLS0tIDBpZTFYK0pCQUxTUnZQL09CaFpX\ncXFXMzRxVHRyaFMwMnJJemlieGJCRm8KKyjcvvV19odXZVAXOK89yHzPbfgtu3uC\npoSw67zzCA7wP8uGvNPT3q+oOA+9F20z4AffsrfVpzQlmaG2tGLq7lU=\n-----END AGE ENCRYPTED FILE-----\n" - } - ] - } - ], + "shamir_threshold": 1, "kms": null, "gcp_kms": null, "azure_kv": null, "hc_vault": null, - "age": null, + "age": [ + { + "recipient": "age1v5wy7epv5mm8ddf3cfv8m0e9w4s693dw7djpuytz9td8ycha5f0sv2se9n", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXOWNac2o5Zm5HakYxbTlS\ndU9xdUJKTDFJN3N5OFZ6cUZrUVBPNitHRVJnCnlKSFdnVjFNd1dLcWhDSGdGd29J\nNk5Ib0ZWc3Nka2Z0c0t5M0QwMXI3RTAKLS0tIG1abXZaM3d0WmkxYWJKbzdsSTdW\nd2l0a0hPYlhIZVI0MmRyaXZKUUxPbFEKgEu/nasDg5DJ2duklByUAcDciVb1QpC+\nCmuhY96L0jEL5A8nJJiS6mud9I6l0bi3kGwiukvwPL35VRm96kBwnA==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1zswcq6t5wl8spr3g2wpxhxukjklngcav0vw8py0jnfkqd2jm2ypq53ga00", + "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuTVJzTDRoTjRsL2tIdHVa\ndXdybmxnNUU5VGRSQ0FyQk9mZ0lWNG9PN2hjCi9QYUdFaDJ1MnBVU2lzZWVXbUVm\nejR1a0VoenBTazJmU2pTR1dkaEViYU0KLS0tIG9ZZ01HU3F5aXdVemdQQUFoUjU2\nZVRRUmE4RUZQeXkwQzVxczB6R2M3ZVEK8umKBAtUsFMbKvidACi9xmfd1BCeHw0q\nvf9urQw3hLeuu8EMUBJTkhVDGTpkzwBhj4I1lKmKwPztLj1BllHRkw==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], "lastmodified": "2024-10-08T18:51:47Z", "mac": "ENC[AES256_GCM,data:xayrPlm3qZtbOynBz/mTHgkyRJZLMbVzTzbaL0LEsCZZJ7iAJ7Y+GDy4AFByI3gPBNV6hzIFptZzKswXYTmCY3jow5Jx/M+AAE6xRpHJ9R8h7c+RYtKYwA3Omg47lp1i95aHNfHLHZVgcrQXOTC8kPhCU8LFSLv4VURmQwFlcak=,iv:apKbLfaY0mmchQCOVva+QMB7PRknwj0ePvqkM93tPA0=,tag:wkDWOalwZmGW0rbRp76vYQ==,type:str]", "pgp": null, diff --git a/homelab/stacks/keycloak/postgres.secrets b/homelab/stacks/keycloak/postgres.secrets index fb5d83dc..ec0e1d8c 100644 --- a/homelab/stacks/keycloak/postgres.secrets +++ b/homelab/stacks/keycloak/postgres.secrets 
@@ -1,54 +1,21 @@ { "data": "ENC[AES256_GCM,data:7+2r676ey+KfW9oiakYrSZq4ptWbeu0MHg1+KXMCS7J/HDDN30pwkS2llYo85j++7vCHcA5ntfSz4Uk30/bVI3Gh0id0pbC44w==,iv:d4YRFoEO3D7WBH/3ShBx3TPk5wow/F9QlZ7ve448KPg=,tag:GlziU8ZPqMaRxL440kam7g==,type:str]", "sops": { - "shamir_threshold": 2, - "key_groups": [ - { - "hc_vault": null, - "age": [ - { - "recipient": "age1zswcq6t5wl8spr3g2wpxhxukjklngcav0vw8py0jnfkqd2jm2ypq53ga00", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBob0VwM2ljd3JRdFdiYisz\naWpndkd0QVU3aG82RmRRU0lFQ2xrMzB1dlFrCm5qTU0vZ0FjV2tZcUlwRVBpWDVQ\nNlV1TDlXNklETHF1NVpuMVdjdkhzck0KLS0tIHpXRTk5T0FCbUVCRWk4MGdNYnI3\na293UzZ1eko3N0lvMUIvWTE0RWlmMWsK6aEXPxED7J+FGzasLbUaHUdh1SgX7jIO\nPYgaJvbHN2l6/oYmimMY+iJyY1PvMpN6SiZ0r8cuxGlpyMkLBfoUUKc=\n-----END AGE ENCRYPTED FILE-----\n" - } - ] - }, - { - "hc_vault": null, - "age": [ - { - "recipient": "age1zswcq6t5wl8spr3g2wpxhxukjklngcav0vw8py0jnfkqd2jm2ypq53ga00", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4Zjh2bUpORVA3WHRDbmZX\nZWhGV1oyamtnMytQeUJvV0s1L1JTT09KQzBNCkx6SXN0OEZ6amovZ01mZTBJbmhF\nNllBOEFMRnhoSDUyOW84STJtQ0I1VEkKLS0tIG00d2E4RHAvRzNTVGJEMWFTYkNu\nT2Fmc0hjS3JHNFdpOGdGc2ZVcXJYNGsKOVWLYqa+JYdNH6whTvgV6FRBo/o4yAQ2\nXQ61UcGtYVVjY9Qr5XQZR7O0mTz1WD0F3rR+m90+F7m1mJpEIsSgp8s=\n-----END AGE ENCRYPTED FILE-----\n" - } - ] - }, - { - "hc_vault": null, - "age": [ - { - "recipient": "age193t908fjxl8ekl77p5xqnpj4xmw3y0khvyzlrw22hdzjduk6l53q05spq3", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzSml0a1pya1prMEtvOW9N\nL2xtSW5xU2R5WCtYOFdPTzRETWd1aGttWlNNCmFWWkxkSHBPOU1ZSkRvZ2ZlV0Vk\nOG4zMDIzT2dITVVlRG5KTmUrbDdQVUkKLS0tIHhMNFBqVm1EL1k1WUxwMHMwaUpt\nVjQ5L2RPNHFZL1ozdjR4UjBTbS9ITDAKD7h8Y4ocl7fQMaTXZP9I/FSTVeofFF39\nZxVLCtweHiDKIuCDSowk5WYOxuVlENBHgbp2HnCmGkcr0ob+oZScqLg=\n-----END AGE ENCRYPTED FILE-----\n" - } - ] - }, - { - "hc_vault": null, - "age": [ - { - "recipient": 
"age13prhyye2jy3ysa6ltnjgkrqtxrxgs0035d86jyn4ltgk3wxtqgrqgav855", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRWlI3L2Q5RUdUM0hsS29k\nakhpU0NWak1pdTZDdFZXMzdhMnRobmMvakhrCjVEN2o2RC9rb1VYQmJaY0VyaE0w\ncytTb0tqc0ZQNE5OWCt1YUVrWFlLN1kKLS0tIHdRT2FFWnhkclV1YUZOcnBmM2VJ\nc1d4b0dmTUQxS21EYTVGZ1V6MkFvcFkKzSvnqZG3Wdf20lt+yjXX/JXSrD0u7uP5\nZSecpyhCGMvoojG2SSrS20VbBJjELeqy8GSwRBl4VXiQ689Kb+R8htU=\n-----END AGE ENCRYPTED FILE-----\n" - }, - { - "recipient": "age1n20krynrj75jqfy2muvhrygvzd4ee8ngamljqavsrk033zwx0ses2tdtfe", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1MVdLTDhDSmFKUHdqb3lo\nTEI5YUpjak9jYzVoRk9tT2JNV0lGTjllcTBZCnBDb1Z2K2pHc3dOWTRkbWxzTlVm\nOS85em9hUG1kem1Qa3YvR2FLUnNDTW8KLS0tIHc4Z1hVOTRzbHdBNVVlQURiWWFE\nZUZnZVYvZ0hNN2FZUTNHTU0zbFRLNG8Kt593gm2FN4eM6OVsid50tajQlaTwufwi\nV9IEtfxuXqtL+TsyYbEiw6EGsXprpFvwCStgcMtRiTzCj0KxcfCVMNk=\n-----END AGE ENCRYPTED FILE-----\n" - } - ] - } - ], + "shamir_threshold": 1, "kms": null, "gcp_kms": null, "azure_kv": null, "hc_vault": null, - "age": null, + "age": [ + { + "recipient": "age1v5wy7epv5mm8ddf3cfv8m0e9w4s693dw7djpuytz9td8ycha5f0sv2se9n", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOdU5pNExoaFZRR2RON3BQ\nb3E1Nkt6OFN4NEVOY3FTOU9oR3BwUW1odzNnCnZpMWQwQ0tnUit2MHBQVFpnSUQy\nV212SWpxMThFQ0xUb2hrS09raFdIZTQKLS0tIG9GM0paZmZUUGxJNTh3cmwvQStn\nTjFOdW1NNXAzUWRqMEk2WGc5NXRCa3MKdYKi9WAWm7xuI4IUA8W5ymtGw9goQNB5\ntgKzrbSWxc5eSJ/HjRB5eQXTZrjrSOYZkCFzSj+/5/oUxO8Wk5Q1WQ==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1zswcq6t5wl8spr3g2wpxhxukjklngcav0vw8py0jnfkqd2jm2ypq53ga00", + "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4YWU1UkgxL1ZKNW82TVdq\nb0lDck5xMlh6Z3JnVFM1dC90aWtLM2VaMDB3CmtxNjM0WktkZk1lMDZSWGpKRld0\nekdXd2dBUEc0UVhLVDFQMlVkMWRxUjAKLS0tIDFYK3dndEV5WHBxU2s5KzJMcEpt\nckRiQ3NmajBvS002N0NWSkVRbTF6MkUK5QHBIJRIYPGbh7XnqWO57ACPgCtW5qQq\nanSKUQmnL4VL608zYG/NR9n26xTrEcRb4XiPNB7sM4OHGFfnpQzE4g==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], "lastmodified": "2024-10-08T18:51:47Z", "mac": "ENC[AES256_GCM,data:vQZhr60Rw7+tss4JDlz6PhqE5fodK/enHYPeVrTW3ACCsehKw57ySbMtoQVCijhGcnOQ5PpV583PCaYxa2pDdpZ+lu0YS3KAVR5o/+sPVbGGXyuQSEFuxRAIB6kENnZEWbOev6eGM9lOoycVBrLCp8FfVChG2XKF7KRp5A4HoUI=,iv:3toT/mij4UodEKIx8qnXm7n/9zNZmN7MHbrb8zuJoUA=,tag:SYi6RvgMs0kGj3pvMNy7VQ==,type:str]", "pgp": null, diff --git a/homelab/stacks/keycloak/stack.nix b/homelab/stacks/keycloak/stack.nix new file mode 100644 index 00000000..896b89d4 --- /dev/null +++ b/homelab/stacks/keycloak/stack.nix @@ -0,0 +1,41 @@ +{ sys, ... }: let stack = "keycloak"; in { + home-manager.users."${sys.username}".home.file = { + "${stack}" = { + enable = true; + recursive = true; + source = ./.; + target = "stacks/${stack}/"; + }; + "${stack}/.env" = { + enable = true; + text = '' + APPDATA=${sys.dataDirs.appdata}/${stack} + ''; + target = "stacks/${stack}/.env"; + }; + }; + sops.secrets."${stack}/keycloak" = { + sopsFile = ./keycloak.secrets; + key = ""; + mode = "0440"; + owner = sys.username; + }; + sops.secrets."${stack}/postgres" = { + sopsFile = ./postgres.secrets; + key = ""; + mode = "0440"; + owner = sys.username; + }; + sops.secrets."${stack}/forwardauth" = { + sopsFile = ./forwardauth.secrets; + key = ""; + mode = "0440"; + owner = sys.username; + }; + sops.secrets."${stack}/forwardauth-privileged" = { + sopsFile = ./forwardauth-privileged.secrets; + key = ""; + mode = "0440"; + owner = sys.username; + }; +} \ No newline at end of file
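Review bot: None of the four `sops.secrets` entries sets `format`, yet the `.secrets` files keep the whole env file under a single `data` key (sops's binary layout) and are read with `key = ""`; unless `sops.defaultSopsFormat = "binary"` is set elsewhere, confirm the decrypted output is the raw `KEY=value` file compose expects rather than a YAML document. `mode = "0440"` grants group read but `group` is left unset, so check which group sops-nix assigns for `owner = sys.username` — these files presumably hold the Keycloak admin password, the Postgres credentials and the forward-auth client secrets. The four blocks are identical apart from the name, so a small helper gives one place to set `format`, `group` and the mode; the home.file part is unchanged.
```nix
{ sys, lib, ... }: let
  stack = "keycloak";
  # One sops-nix entry per env file; all four share the same policy.
  mkSecret = name: {
    sopsFile = ./. + "/${name}.secrets";
    key = "";
    format = "binary";
    mode = "0440";
    owner = sys.username;
  };
in {
  # … unchanged: home-manager.users."${sys.username}".home.file …
  sops.secrets = lib.listToAttrs (map
    (name: lib.nameValuePair "${stack}/${name}" (mkSecret name))
    [ "keycloak" "postgres" "forwardauth" "forwardauth-privileged" ]);
}
```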