feat(2w): W0.3 declarative warm-keycloak reconciler (WC1)

nix/modules/warm-keycloak.nix: idempotent systemd oneshot (like deploy-proxy) that converges a live-warm shared keycloak at warm-keycloak.ci.commoninternet.net pinned to 10.7.1+26.6.2, secrets generated only-if-missing (never rotate a live provider), waits /realms/master=200. Re-warmable from scratch (D8/WC8). Wired into hosts/cc-ci/configuration.nix. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-05-28 23:28:44 +01:00
parent 1b8d26b504
commit c8e9ddb681
2 changed files with 85 additions and 0 deletions
--- a/nix/hosts/cc-ci/configuration.nix
+++ b/nix/hosts/cc-ci/configuration.nix
@ -16,6 +16,7 @@
    ../../modules/dashboard.nix
    ../../modules/backupbot.nix
    ../../modules/harness.nix
+    ../../modules/warm-keycloak.nix
  ];

  # --- Tailscale (ACCESS-CRITICAL: do not break, this is the only route in) ---