foodogsquared/nixos-config
1
0
Fork 0
mirror of https://github.com/foo-dogsquared/nixos-config.git synced 2025-02-12 06:19:00 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

hosts/plover: replace Keycloak with Kanidm as SSO application

Browse Source
This commit is contained in:
Gabriel Arazas 2023-09-28 18:29:09 +08:00
parent ed8611478a
commit 862fd5a07a
No known key found for this signature in database
GPG Key ID: ADE0C41DAB221FCC
2 changed files with 53 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
hosts/plover/default.nix
View File

@ -36,8 +36,8 @@ in
# configuring it here will make it too big. # configuring it here will make it too big.
./modules/services/atuin.nix ./modules/services/atuin.nix
./modules/services/gitea.nix ./modules/services/gitea.nix
./modules/services/keycloak.nix
./modules/services/portunus.nix ./modules/services/portunus.nix
./modules/services/kanidm.nix
./modules/services/vaultwarden.nix ./modules/services/vaultwarden.nix
./modules/services/wireguard.nix ./modules/services/wireguard.nix
./modules/services/wezterm-mux-server.nix ./modules/services/wezterm-mux-server.nix

52
hosts/plover/modules/services/kanidm.nix Normal file
View File

@ -0,0 +1,52 @@
{ config, lib, pkgs, ... }:
let
authDomain = "auth.${config.networking.domain}";
port = 9443;
certsDir = config.security.acme.certs."${authDomain}".directory;
backupsDir = "/var/lib/kanidm/backups";
in
{
services.kanidm = {
enableServer = true;
serverSettings = {
domain = authDomain;
origin = "https://${authDomain}:${builtins.toString port}";
bindaddress = "127.0.0.1:${builtins.toString port}";
role = "WriteReplica";
trust_x_forward_for = true;
tls_chain = "${certsDir}/fullchain.pem";
tls_key = "${certsDir}/key.pem";
online_backup = {
path = backupsDir;
schedule = "0 0 * * *";
};
};
};
# The kanidm Nix module already sets the certificates directory to be
# read-only with systemd so no need for it though we may need to set the
# backups directory.
systemd.services.kanidm = {
preStart = lib.mkBefore ''
mkdir -p "${backupsDir}"
'';
serviceConfig = {
SupplementaryGroups = [ config.security.acme.certs."${authDomain}".group ];
};
};
services.nginx.virtualHosts."${authDomain}" = {
forceSSL = true;
enableACME = true;
acmeRoot = null;
locations."/".proxyPass = "https://${config.services.kanidm.serverSettings.bindaddress}";
};
# Add the following to be backed up.
services.borgbackup.jobs.services-backup.paths = [ backupsDir ];
}