foodogsquared/nixos-config
1
0
Fork 0
mirror of https://github.com/foo-dogsquared/nixos-config.git synced 2025-01-31 22:57:55 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
9527896251
nixos-config/hosts/plover/modules/services/kanidm.nix
Gabriel Arazas 2632b75bf2
hosts/plover: properly add nginx upstreams 
Even though this is unlikely to be scaled further, we're just being good
sysadmins (or at least roleplaying as one).
2023-10-13 16:48:02 +08:00

64 lines
1.5 KiB
Nix
Raw Blame History

{ config, lib, pkgs, ... }:
let
authDomain = "auth.${config.networking.domain}";
port = 9443;
certsDir = config.security.acme.certs."${authDomain}".directory;
backupsDir = "/var/lib/kanidm/backups";
in
{
services.kanidm = {
enableServer = true;
serverSettings = {
domain = authDomain;
origin = "https://${authDomain}:${builtins.toString port}";
bindaddress = "127.0.0.1:${builtins.toString port}";
ldapbindaddress = "127.0.0.1:3636";
role = "WriteReplica";
trust_x_forward_for = true;
tls_chain = "${certsDir}/fullchain.pem";
tls_key = "${certsDir}/key.pem";
online_backup = {
path = backupsDir;
schedule = "0 0 * * *";
};
};
};
# The kanidm Nix module already sets the certificates directory to be
# read-only with systemd so no need for it though we may need to set the
# backups directory.
systemd.services.kanidm = {
preStart = lib.mkBefore ''
mkdir -p "${backupsDir}"
'';
serviceConfig = {
SupplementaryGroups = [ config.security.acme.certs."${authDomain}".group ];
};
};
services.nginx.virtualHosts."${authDomain}" = {
forceSSL = true;
enableACME = true;
acmeRoot = null;
kTLS = true;
locations."/".proxyPass = "https://kanidm";
};
services.nginx.upstreams."kanidm" = {
extraConfig = ''
zone apps;
'';
servers = {
"localhost:${builtins.toString port}" = { };
};
};
# Add the following to be backed up.
services.borgbackup.jobs.services-backup.paths = [ backupsDir ];
}
Reference in New Issue View Git Blame Copy Permalink