{ config, lib, pkgs, ... }: with lib; let cfg = config.services.keycloak; in { options.services.keycloak = { enable = mkEnableOption "Keycloak identity provider"; database = { host = mkOption { type = types.str; default = "localhost"; description = "Database host"; }; name = mkOption { type = types.str; default = "keycloak"; description = "Database name"; }; user = mkOption { type = types.str; default = "keycloak"; description = "Database user"; }; passwordFile = mkOption { type = types.path; description = "Path to file containing database password"; }; }; adminUser = mkOption { type = types.str; default = "admin"; description = "Admin username"; }; adminPasswordFile = mkOption { type = types.path; description = "Path to file containing admin password"; }; hostname = mkOption { type = types.str; description = "Keycloak hostname"; }; settings = mkOption { type = types.attrs; default = {}; description = "Additional Keycloak settings"; }; }; config = mkIf cfg.enable { services.keycloak = { enable = true; settings = { hostname = cfg.hostname; hostname-strict-backchannel = true; proxy = "edge"; db = mkDefault "postgres"; db-url = "jdbc:postgresql://${cfg.database.host}/${cfg.database.name}"; db-username = cfg.database.user; db-password-file = cfg.database.passwordFile; admin-user = cfg.adminUser; admin-password-file = cfg.adminPasswordFile; } // cfg.settings; }; networking.firewall.allowedTCPPorts = [ 80 443 ]; }; }