Add gotosocial

tf-stage-1/dns-unruhig-eu.tf

@@ -24,6 +24,9 @@ module "dns-unruhig-eu" {
     # Other
     { type = "CNAME", name = "index", value = "web.tobiasmanske.de" },
 
+    # Goto Social
+    { type = "CNAME", name = "social", value = "unruhig.eu" },
+
 
     # Mail settings
     { type = "A", name = "mail", value = "202.61.232.207" },

tf-stage-1/secrets.yml

@@ -1,5 +1,6 @@
 ---
 TF_VAR_grafana_secret: !var keycloak/grafana/secret
+TF_VAR_gotosocial_secret: !var keycloak/gotosocial/secret
 TF_VAR_hedgedoc_secret: !var keycloak/hedgedoc/secret
 TF_VAR_miniflux_secret: !var keycloak/miniflux/secret
 TF_VAR_synapse_secret: !var keycloak/synapse/secret

tf-stage-1/service_gotosocial.tf

@@ -0,0 +1,49 @@
+module "gotosocialclient" {
+  source = "./modules/kc-client"
+
+  realm           = var.realm
+  client_id       = "gotosocial"
+  client_name     = "gotosocial"
+  client_secret   = var.gotosocial_secret
+  description     = "https://social.unruhig.eu"
+  root_url            = "https://social.unruhig.eu"
+  admin_url           = "https://social.unruhig.eu"
+  base_url            = "https://social.unruhig.eu"
+  valid_redirect_uris = ["https://social.unruhig.eu/auth/callback"]
+  web_origins         = ["https://social.unruhig.eu"]
+}
+
+resource "keycloak_openid_group_membership_protocol_mapper" "gotosocial-membership-mapper" {
+  realm_id  = module.gotosocialclient.realm.id
+  client_id = module.gotosocialclient.client.id
+
+  name                = "Group Mapper"
+  claim_name          = "groups"
+  full_path           = false
+  add_to_userinfo     = true
+  add_to_access_token = false
+  add_to_id_token     = true
+}
+
+resource "keycloak_openid_user_property_protocol_mapper" "gotosocial-username-mapper" {
+  realm_id  = module.gotosocialclient.realm.id
+  client_id = module.gotosocialclient.client.id
+
+  name                = "username"
+  user_property       = "username"
+  claim_name          = "preferred_username"
+  add_to_userinfo     = true
+  add_to_access_token = true
+  add_to_id_token     = false
+}
+
+resource "keycloak_openid_user_client_role_protocol_mapper" "gotosocial-role-mapper" {
+  realm_id            = module.gotosocialclient.realm.id
+  client_id           = module.gotosocialclient.client.id
+  multivalued         = true
+  name                = "user-client-role-mapper"
+  claim_name          = "resource_access.$${client_id}.roles"
+  add_to_userinfo     = true
+  add_to_access_token = true
+  add_to_id_token     = false
+}

tf-stage-1/user_rad4day.tf

@@ -17,6 +17,8 @@ resource "keycloak_user_groups" "rad4day_groups" {
     module.minifluxclient.access_group.id,
     module.synapseclient.access_group.id,
     module.seafileclient.access_group.id,
+    module.gotosocialclient.access_group.id,
+    module.gotosocialclient.admin_group.id,
     data.keycloak_group.proxypass.id,
   ]
 }

tf-stage-1/variables.tf

@@ -7,6 +7,11 @@ variable "grafana_secret" {
   sensitive = true
 }
 
+variable "gotosocial_secret" {
+  type      = string
+  sensitive = true
+}
+
 variable "hedgedoc_secret" {
   type      = string
   sensitive = true