keycloak wip

system-config/configuration/homebox/default.nix

@@ -260,7 +260,7 @@
         virtualization = {
             traefik.enable = true;
             authentik.enable = true;
-            jellyfin.enable = false;
+            jellyfin.enable = true;
             "blunkall.us".enable = true;
             pihole.enable = false; #broken
             nextcloud.enable = true;

system-config/services/containers/keycloak/default.nix

@@ -14,6 +14,10 @@
             hostAddress = "192.168.100.10";
             localAddress = "192.168.100.22";
 
+            extraFlags = [
+                "--load-credential=dbpass:${config.sops.secrets."keycloak/dbpass".path}"
+            ];
+
             bindMounts = {
                 "/etc/keycloak" = {
                     hostPath = "/ssd1/Keycloak";
@@ -22,6 +26,21 @@
             };
 
             config = {
+
+                systemd.services.secrets_setup = {
+                    wantedBy = [ "keycloak.service" ];
+
+                    serviceConfig = {
+                        LoadCredential = [
+                            "dbpass"
+                        ];
+                    };
+
+                    script = ''
+                        cat ''${CREDENTIALS_DIRECTORY}/dbpass > /etc/keycloak/dbpass
+                        chown keycloak:keycloak /etc/keycloak/*
+                    '';
+                };
                 
                 services.keycloak = {
                     
@@ -29,10 +48,6 @@
 
                     settings = {
                         hostname = "auth.blunkall.us";
-
-                        http-enabled = true;
-
-                        
                     };
                 };