mirror of
https://github.com/foo-dogsquared/nixos-config.git
synced 2025-01-31 22:57:55 +00:00
64 lines
1.5 KiB
Nix
64 lines
1.5 KiB
Nix
{ config, lib, pkgs, ... }:
|
|
|
|
let
|
|
authDomain = "auth.${config.networking.domain}";
|
|
port = 9443;
|
|
|
|
certsDir = config.security.acme.certs."${authDomain}".directory;
|
|
|
|
backupsDir = "/var/lib/kanidm/backups";
|
|
in
|
|
{
|
|
services.kanidm = {
|
|
enableServer = true;
|
|
serverSettings = {
|
|
domain = authDomain;
|
|
origin = "https://${authDomain}:${builtins.toString port}";
|
|
bindaddress = "127.0.0.1:${builtins.toString port}";
|
|
ldapbindaddress = "127.0.0.1:3636";
|
|
role = "WriteReplica";
|
|
trust_x_forward_for = true;
|
|
|
|
tls_chain = "${certsDir}/fullchain.pem";
|
|
tls_key = "${certsDir}/key.pem";
|
|
|
|
online_backup = {
|
|
path = backupsDir;
|
|
schedule = "0 0 * * *";
|
|
};
|
|
};
|
|
};
|
|
|
|
# The kanidm Nix module already sets the certificates directory to be
|
|
# read-only with systemd so no need for it though we may need to set the
|
|
# backups directory.
|
|
systemd.services.kanidm = {
|
|
preStart = lib.mkBefore ''
|
|
mkdir -p "${backupsDir}"
|
|
'';
|
|
serviceConfig = {
|
|
SupplementaryGroups = [ config.security.acme.certs."${authDomain}".group ];
|
|
};
|
|
};
|
|
|
|
services.nginx.virtualHosts."${authDomain}" = {
|
|
forceSSL = true;
|
|
enableACME = true;
|
|
acmeRoot = null;
|
|
kTLS = true;
|
|
locations."/".proxyPass = "https://kanidm";
|
|
};
|
|
|
|
services.nginx.upstreams."kanidm" = {
|
|
extraConfig = ''
|
|
zone services;
|
|
'';
|
|
servers = {
|
|
"localhost:${builtins.toString port}" = { };
|
|
};
|
|
};
|
|
|
|
# Add the following to be backed up.
|
|
services.borgbackup.jobs.services-backup.paths = [ backupsDir ];
|
|
}
|