mirror of
https://github.com/foo-dogsquared/nixos-config.git
synced 2025-01-31 10:58:02 +00:00
80 lines
2.2 KiB
Nix
80 lines
2.2 KiB
Nix
{ config, lib, pkgs, ... }:
|
|
|
|
let
|
|
hostCfg = config.hosts.plover;
|
|
cfg = hostCfg.services.idm;
|
|
|
|
authDomain = "auth.${config.networking.domain}";
|
|
port = config.state.ports.kanidm.value;
|
|
|
|
certsDir = config.security.acme.certs."${authDomain}".directory;
|
|
|
|
backupsDir = "${config.state.paths.dataDir}/kanidm/backups";
|
|
in
|
|
{
|
|
options.hosts.plover.services.idm.enable = lib.mkEnableOption "preferred IDM server";
|
|
|
|
config = lib.mkIf cfg.enable (lib.mkMerge [
|
|
{
|
|
state.ports.kanidm.value = 9443;
|
|
hosts.plover.services.vouch-proxy.enable = lib.mkDefault true;
|
|
|
|
services.kanidm = {
|
|
enableServer = true;
|
|
serverSettings = {
|
|
domain = authDomain;
|
|
origin = "https://${authDomain}";
|
|
bindaddress = "127.0.0.1:${builtins.toString port}";
|
|
ldapbindaddress = "127.0.0.1:3636";
|
|
role = "WriteReplica";
|
|
trust_x_forward_for = true;
|
|
|
|
tls_chain = "${certsDir}/fullchain.pem";
|
|
tls_key = "${certsDir}/key.pem";
|
|
|
|
online_backup = {
|
|
path = backupsDir;
|
|
schedule = "0 0 * * *";
|
|
};
|
|
};
|
|
};
|
|
|
|
# The kanidm Nix module already sets the certificates directory to be
|
|
# read-only with systemd so no need for it though we may need to set the
|
|
# backups directory.
|
|
systemd.services.kanidm = {
|
|
preStart = lib.mkBefore ''
|
|
mkdir -p "${backupsDir}"
|
|
'';
|
|
serviceConfig = {
|
|
SupplementaryGroups = [ config.security.acme.certs."${authDomain}".group ];
|
|
};
|
|
};
|
|
}
|
|
|
|
(lib.mkIf hostCfg.services.reverse-proxy.enable {
|
|
services.nginx.virtualHosts."${authDomain}" = {
|
|
forceSSL = true;
|
|
enableACME = true;
|
|
acmeRoot = null;
|
|
kTLS = true;
|
|
locations."/".proxyPass = "https://kanidm";
|
|
};
|
|
|
|
services.nginx.upstreams."kanidm" = {
|
|
extraConfig = ''
|
|
zone services;
|
|
'';
|
|
servers = {
|
|
"localhost:${builtins.toString port}" = { };
|
|
};
|
|
};
|
|
})
|
|
|
|
(lib.mkIf hostCfg.services.backup.enable {
|
|
# Add the following to be backed up.
|
|
services.borgbackup.jobs.services-backup.paths = [ backupsDir ];
|
|
})
|
|
]);
|
|
}
|