diff --git a/hosts/plover/default.nix b/hosts/plover/default.nix
index 6cad640b..e2a2397a 100644
--- a/hosts/plover/default.nix
+++ b/hosts/plover/default.nix
@@ -36,8 +36,8 @@ in
 # configuring it here will make it too big.
 ./modules/services/atuin.nix
 ./modules/services/gitea.nix
-./modules/services/keycloak.nix
 ./modules/services/portunus.nix
+./modules/services/kanidm.nix
 ./modules/services/vaultwarden.nix
 ./modules/services/wireguard.nix
 ./modules/services/wezterm-mux-server.nix
diff --git a/hosts/plover/modules/services/kanidm.nix b/hosts/plover/modules/services/kanidm.nix
new file mode 100644
index 00000000..df0c0332
--- /dev/null
+++ b/hosts/plover/modules/services/kanidm.nix
@@ -0,0 +1,52 @@
+{ config, lib, pkgs, ... }:
+
+let
+authDomain = "auth.${config.networking.domain}";
+port = 9443;
+
+certsDir = config.security.acme.certs."${authDomain}".directory;
+
+backupsDir = "/var/lib/kanidm/backups";
+in
+{
+services.kanidm = {
+enableServer = true;
+serverSettings = {
+domain = authDomain;
+origin = "https://${authDomain}:${builtins.toString port}";
+bindaddress = "127.0.0.1:${builtins.toString port}";
+role = "WriteReplica";
+trust_x_forward_for = true;
+
+tls_chain = "${certsDir}/fullchain.pem";
+tls_key = "${certsDir}/key.pem";
+
+online_backup = {
+path = backupsDir;
+schedule = "0 0 * * *";
+};
+};
+};
+
+# The kanidm Nix module already sets the certificates directory to be
+# read-only with systemd so no need for it though we may need to set the
+# backups directory.
+systemd.services.kanidm = {
+preStart = lib.mkBefore ''
+mkdir -p "${backupsDir}"
+'';
+serviceConfig = {
+SupplementaryGroups = [ config.security.acme.certs."${authDomain}".group ];
+};
+};
+
+services.nginx.virtualHosts."${authDomain}" = {
+forceSSL = true;
+enableACME = true;
+acmeRoot = null;
+locations."/".proxyPass = "https://${config.services.kanidm.serverSettings.bindaddress}";
+};
+
+# Add the following to be backed up.
+services.borgbackup.jobs.services-backup.paths = [ backupsDir ];
+}
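Review bot: The `origin` in serverSettings carries the internal port (`https://auth.…:9443`), but clients only ever reach kanidm through the nginx virtual host on 443 (`bindaddress` is loopback and `forceSSL` is set), so the origin the browser presents will not match; kanidm uses `origin` for WebAuthn and OAuth2 redirect validation, so this likely breaks passkey enrolment and should be `origin = "https://${authDomain}";` with the port kept only in `bindaddress`. Separately, `trust_x_forward_for = true` makes kanidm accept the client IP from X-Forwarded-For, while the `locations."/"` block here sets only `proxyPass`; unless `services.nginx.recommendedProxySettings` (or an explicit `proxy_set_header X-Forwarded-For`) is enabled elsewhere in this host, a caller-supplied header is passed through and trusted, which defeats IP-based audit logging and any source-address throttling — worth confirming or setting `recommendedProxySettings = true` next to this vhost. A one-line comment above `trust_x_forward_for` stating that it is only safe because nginx overwrites the header would make the dependency explicit for the next edit.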