From cdac7ad5fc02c955832f974d06ff57436e37fde5 Mon Sep 17 00:00:00 2001
From: Jonas Heinrich
Date: Sun, 21 Jul 2024 00:26:18 +0200
Subject: [PATCH] auto setup keycloak realm
---
flake.lock | 17 +++++++++++++++++
flake.nix | 4 +++-
vm-nextcloud.nix | 41 +++++++++++++++++++++++++++++++++++++++--
3 files changed, 59 insertions(+), 3 deletions(-)
diff --git a/flake.lock b/flake.lock
index 942cdb3..0982089 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1,5 +1,21 @@
 {
 "nodes": {
+ "keycloak-realms": {
+ "locked": {
+ "lastModified": 1721493163,
+ "narHash": "sha256-VmHIhv0VKcpL4IhP8kc5gIeIZNMS4Df9yHlPVc7LAlg=",
+ "owner": "rorosen",
+ "repo": "nixpkgs",
+ "rev": "162639ea7c3ac6578e77698ce71c2b1dc49ceffd",
+ "type": "github"
+ },
+ "original": {
+ "owner": "rorosen",
+ "ref": "keycloak-realm-import",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
 "nixos-shell": {
 "inputs": {
 "nixpkgs": "nixpkgs"
@@ -51,6 +67,7 @@
 },
 "root": {
 "inputs": {
+ "keycloak-realms": "keycloak-realms",
 "nixos-shell": "nixos-shell",
 "nixpkgs": "nixpkgs_2"
 }
diff --git a/flake.nix b/flake.nix
index 76b10ec..caffccc 100644
--- a/flake.nix
+++ b/flake.nix
@@ -6,9 +6,10 @@
 #nixpkgs.url = "nixpkgs/nixos-24.05";
 nixpkgs.url = "github:onny/nixpkgs/hmr-enabler";
 nixos-shell.url = "github:Mic92/nixos-shell";
+ keycloak-realms.url = "github:rorosen/nixpkgs/keycloak-realm-import";
 };
- outputs = { self, nixpkgs, nixos-shell }: let
+ outputs = { self, nixpkgs, nixos-shell, ... }@inputs: let
 pkgs = nixpkgs.legacyPackages.x86_64-linux;
 start = pkgs.writeShellScriptBin "start" ''
@@ -20,6 +21,7 @@
 nixosConfigurations.vm = nixpkgs.lib.nixosSystem {
 system = "x86_64-linux";
+ specialArgs.inputs = inputs;
 modules = [
 (import ./vm-nextcloud.nix)
 nixos-shell.nixosModules.nixos-shell
diff --git a/vm-nextcloud.nix b/vm-nextcloud.nix
index 7bac516..8603f86 100644
--- a/vm-nextcloud.nix
+++ b/vm-nextcloud.nix
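Review bot: The new `keycloak-realms` input in the first flake.nix hunk pulls an entire nixpkgs fork from a personal GitHub branch (`rorosen/nixpkgs/keycloak-realm-import`) solely so vm-nextcloud.nix can import one module from it, and nothing records why it exists or when it should go away. The lock file pins `rev` and `narHash`, so today's build is reproducible, but the branch ref itself is mutable: a later `nix flake update` will follow whatever the branch then points to, or fail outright if it is rebased or deleted. Since the vm-nextcloud.nix hunk already cites the upstream PR for this feature, record it next to the input so the override has a clear exit: `# Temporary: keycloak realm-import module from a fork, pending NixOS/nixpkgs#273833; drop this input (and the disabledModules override in vm-nextcloud.nix) once the pinned nixpkgs carries it.` The `outputs` function body continues outside the hunk.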
@@ -1,12 +1,17 @@
-{ pkgs, config, lib, options, ... }: {
+{ pkgs, config, lib, options, inputs, ... }: {
 virtualisation = {
 memorySize = 8000;
 cores = 4;
 };
+ disabledModules = [
+ "services/web-apps/keycloak.nix"
+ ];
+
 imports = [
 ./nextcloud-extras.nix
+ "${inputs.keycloak-realms}/nixos/modules/services/web-apps/keycloak.nix"
 ];
 nixpkgs = {
@@ -191,7 +196,32 @@
 # How to setup https://www.schiessle.org/articles/2023/07/04/nextcloud-and-openid-connect/
 # FIXME auto setup realm https://github.com/NixOS/nixpkgs/pull/273833
- services.keycloak = {
+ services.keycloak = let
+ realm = {
+ realm = "OIDCDemo";
+ enabled = true;
+ clients = [{
+ clientId = "nextcloud";
+ secret = "4KoWtOWtg8xpRdAoorNan4PdfFMATo91";
+ rootUrl = "http://localhost:8080";
+ redirectUris = [
+ "http://localhost:8080/*"
+ ];
+ }];
+ users = [{
+ enabled = true;
+ firstName = "Hans";
+ lastName = "Wurst";
+ username = "onny";
+ email = "onny@localhost";
+ credentials = [{
+ type = "password";
+ temporary = false;
+ value = "test123";
+ }];
+ }];
+ };
+ in {
 enable = true;
 settings = {
 hostname = "localhost";
@@ -200,6 +230,7 @@
 hostname-strict-https = false;
 };
 database.passwordFile = "${pkgs.writeText "dbPassword" ''test123''}";
+ realmFiles.OIDCDemo = builtins.toJSON realm;
 };
 system.stateVersion = "24.05";
@@ -220,4 +251,10 @@
 nixos.enable = false;
 };
+ nix = {
+ package = pkgs.nixFlakes;
+ registry.nixpkgs.flake = inputs.nixpkgs;
+ settings.experimental-features = [ "nix-command" "flakes" ];
+ };
+
 }
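Review bot: The realm definition in the second hunk hardcodes an OIDC client secret (`4KoWtOWtg8xpRdAoorNan4PdfFMATo91`) and a user password (`test123`) in the Nix expression, and `realmFiles.OIDCDemo = builtins.toJSON realm` hands that JSON to the imported module as a plain string, which the module presumably materializes in the world-readable Nix store — so the secret is readable by every local user of the VM and is now permanently in git history. That matches the rest of the file (the DB password is likewise a `pkgs.writeText` store path, `hostname-strict-https = false`, a wildcard `http://localhost:8080/*` redirect), so it is defensible for a throwaway dev VM, but nothing says so, and the `# FIXME auto setup realm` comment directly above is resolved by this very change and should not survive it unchanged. Replace the FIXME with `# Realm is auto-imported via the module from inputs.keycloak-realms (pending NixOS/nixpkgs#273833). Client secret and test user are throwaway dev fixtures that land in /nix/store — never reuse them outside this VM.` If this configuration is ever adapted for a real host, the client secret and password must come from a runtime-provisioned file outside the store rather than from the expression. The `services.keycloak` attribute set continues beyond the hunk.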