nixos-config/configs/nixos/plover/modules/services/idm.nix

{ config, lib, pkgs, ... }:

let
  hostCfg = config.hosts.plover;
  cfg = hostCfg.services.idm;

  authDomain = "auth.${config.networking.domain}";
  port = config.state.ports.kanidm.value;

  certsDir = config.security.acme.certs."${authDomain}".directory;

  backupsDir = "/var/lib/kanidm/backups";
in
{
  options.hosts.plover.services.idm.enable = lib.mkEnableOption "preferred IDM server";

  config = lib.mkIf cfg.enable (lib.mkMerge [
    {
      state.ports.kanidm.value = 9443;
      hosts.plover.services.vouch-proxy.enable = lib.mkDefault true;

      services.kanidm = {
        enableServer = true;
        serverSettings = {
          domain = authDomain;
          origin = "https://${authDomain}:${builtins.toString port}";
          bindaddress = "127.0.0.1:${builtins.toString port}";
          ldapbindaddress = "127.0.0.1:3636";
          role = "WriteReplica";
          trust_x_forward_for = true;

          tls_chain = "${certsDir}/fullchain.pem";
          tls_key = "${certsDir}/key.pem";

          online_backup = {
            path = backupsDir;
            schedule = "0 0 * * *";
          };
        };
      };

      # The kanidm Nix module already sets the certificates directory to be
      # read-only with systemd so no need for it though we may need to set the
      # backups directory.
      systemd.services.kanidm = {
        preStart = lib.mkBefore ''
          mkdir -p "${backupsDir}"
        '';
        serviceConfig = {
          SupplementaryGroups = [ config.security.acme.certs."${authDomain}".group ];
        };
      };
    }

    (lib.mkIf hostCfg.services.reverse-proxy.enable {
      services.nginx.virtualHosts."${authDomain}" = {
        forceSSL = true;
        enableACME = true;
        acmeRoot = null;
        kTLS = true;
        locations."/".proxyPass = "https://kanidm";
      };

      services.nginx.upstreams."kanidm" = {
        extraConfig = ''
          zone services;
        '';
        servers = {
          "localhost:${builtins.toString port}" = { };
        };
      };
    })

    (lib.mkIf hostCfg.services.backup.enable {
      # Add the following to be backed up.
      services.borgbackup.jobs.services-backup.paths = [ backupsDir ];
    })
  ]);
}
hosts/plover: try out host-specific module structure 2023-12-11 08:30:00 +00:00			`{ config, lib, pkgs, ... }:`

			`let`
			`hostCfg = config.hosts.plover;`
			`cfg = hostCfg.services.idm;`

			`authDomain = "auth.${config.networking.domain}";`
hosts/plover: update service configs 2024-09-20 10:34:58 +00:00			`port = config.state.ports.kanidm.value;`
hosts/plover: try out host-specific module structure 2023-12-11 08:30:00 +00:00
			`certsDir = config.security.acme.certs."${authDomain}".directory;`

			`backupsDir = "/var/lib/kanidm/backups";`
			`in`
			`{`
			`options.hosts.plover.services.idm.enable = lib.mkEnableOption "preferred IDM server";`

			`config = lib.mkIf cfg.enable (lib.mkMerge [`
			`{`
hosts/plover: update service configs 2024-09-20 10:34:58 +00:00			`state.ports.kanidm.value = 9443;`
hosts/plover: try out host-specific module structure 2023-12-11 08:30:00 +00:00			`hosts.plover.services.vouch-proxy.enable = lib.mkDefault true;`

			`services.kanidm = {`
			`enableServer = true;`
			`serverSettings = {`
			`domain = authDomain;`
			`origin = "https://${authDomain}:${builtins.toString port}";`
			`bindaddress = "127.0.0.1:${builtins.toString port}";`
			`ldapbindaddress = "127.0.0.1:3636";`
			`role = "WriteReplica";`
			`trust_x_forward_for = true;`

			`tls_chain = "${certsDir}/fullchain.pem";`
			`tls_key = "${certsDir}/key.pem";`

			`online_backup = {`
			`path = backupsDir;`
			`schedule = "0 0 * * *";`
			`};`
			`};`
			`};`

			`# The kanidm Nix module already sets the certificates directory to be`
			`# read-only with systemd so no need for it though we may need to set the`
			`# backups directory.`
			`systemd.services.kanidm = {`
			`preStart = lib.mkBefore ''`
			`mkdir -p "${backupsDir}"`
			`'';`
			`serviceConfig = {`
			`SupplementaryGroups = [ config.security.acme.certs."${authDomain}".group ];`
			`};`
			`};`
			`}`

			`(lib.mkIf hostCfg.services.reverse-proxy.enable {`
			`services.nginx.virtualHosts."${authDomain}" = {`
			`forceSSL = true;`
			`enableACME = true;`
			`acmeRoot = null;`
			`kTLS = true;`
			`locations."/".proxyPass = "https://kanidm";`
			`};`

			`services.nginx.upstreams."kanidm" = {`
			`extraConfig = ''`
			`zone services;`
			`'';`
			`servers = {`
			`"localhost:${builtins.toString port}" = { };`
			`};`
			`};`
			`})`

			`(lib.mkIf hostCfg.services.backup.enable {`
			`# Add the following to be backed up.`
			`services.borgbackup.jobs.services-backup.paths = [ backupsDir ];`
			`})`
			`]);`
			`}`