hosts/plover: replace Keycloak with Kanidm as SSO application

hosts/plover/default.nix

@@ -36,8 +36,8 @@ in
     # configuring it here will make it too big.
     ./modules/services/atuin.nix
     ./modules/services/gitea.nix
-    ./modules/services/keycloak.nix
     ./modules/services/portunus.nix
+    ./modules/services/kanidm.nix
     ./modules/services/vaultwarden.nix
     ./modules/services/wireguard.nix
     ./modules/services/wezterm-mux-server.nix

hosts/plover/modules/services/kanidm.nix

@@ -0,0 +1,52 @@
+{ config, lib, pkgs, ... }:
+
+let
+  authDomain = "auth.${config.networking.domain}";
+  port = 9443;
+
+  certsDir = config.security.acme.certs."${authDomain}".directory;
+
+  backupsDir = "/var/lib/kanidm/backups";
+in
+{
+  services.kanidm = {
+    enableServer = true;
+    serverSettings = {
+      domain = authDomain;
+      origin = "https://${authDomain}:${builtins.toString port}";
+      bindaddress = "127.0.0.1:${builtins.toString port}";
+      role = "WriteReplica";
+      trust_x_forward_for = true;
+
+      tls_chain = "${certsDir}/fullchain.pem";
+      tls_key = "${certsDir}/key.pem";
+
+      online_backup = {
+        path = backupsDir;
+        schedule = "0 0 * * *";
+      };
+    };
+  };
+
+  # The kanidm Nix module already sets the certificates directory to be
+  # read-only with systemd so no need for it though we may need to set the
+  # backups directory.
+  systemd.services.kanidm = {
+    preStart = lib.mkBefore ''
+      mkdir -p "${backupsDir}"
+    '';
+    serviceConfig = {
+      SupplementaryGroups = [ config.security.acme.certs."${authDomain}".group ];
+    };
+  };
+
+  services.nginx.virtualHosts."${authDomain}" = {
+    forceSSL = true;
+    enableACME = true;
+    acmeRoot = null;
+    locations."/".proxyPass = "https://${config.services.kanidm.serverSettings.bindaddress}";
+  };
+
+  # Add the following to be backed up.
+  services.borgbackup.jobs.services-backup.paths = [ backupsDir ];
+}