bekkalokk: setup keycloak

hosts/bekkalokk/configuration.nix

@@ -5,6 +5,8 @@
 
     ../../base.nix
 
+    ./services/keycloak.nix
+
     # TODO: set up authentication for the following:
     # ./services/website/website.nix
     # ./services/website/nginx.nix

hosts/bekkalokk/services/keycloak.nix

@@ -0,0 +1,24 @@
+{ pkgs, config, values, ... }:
+{
+  sops.secrets."keys/postgres/keycloak" = {
+    owner = "keycloak";
+    group = "keycloak";
+    restartUnits = [ "keycloak.service" ];
+  };
+
+  services.keycloak = {
+    enable = true;
+
+    settings = {
+      hostname = "auth.pvv.ntnu.no";
+      # hostname-strict-backchannel = true;
+    };
+
+    database = {
+      host = values.hosts.bicep.ipv4;
+      createLocally = false;
+      passwordFile = config.sops.secrets."keys/postgres/keycloak".path;
+      caCert = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
+    };
+  };
+}