kanidm: refactor

2025-03-10 15:39:07 +00:00 · 2025-03-10 15:39:07 +00:00 · cbf449c356
commit cbf449c356
parent 6bcc543cb4
2 changed files with 52 additions and 40 deletions
--- a/hosts/vps1/default.nix
+++ b/hosts/vps1/default.nix
@ -1,6 +1,5 @@
 {
  config,
-  pkgs,
  lib,
  self,
  ...
@ -10,6 +9,7 @@
  imports = [
    ./hardware-configuration.nix
    ./gitea.nix
+    ./kanidm.nix
    ../server.nix
  ];

@ -47,50 +47,11 @@
    groups = {
      jellyfin = { };
    };
-    extraGroups.acme.members = [
-      "kanidm"
-      "nginx"
-    ];
  };

  services.openssh.settings.PermitRootLogin = lib.mkForce "prohibit-password";

-  security.acme.certs."auth.vimium.com" = {
-    postRun = "systemctl restart kanidm.service";
-    group = "acme";
-  };
-
-  services.kanidm =
-    let
-      baseDomain = "vimium.com";
-      domain = "auth.${baseDomain}";
-      uri = "https://${domain}";
-    in
-    {
-      package = pkgs.unstable.kanidm;
-      enableClient = true;
-      enableServer = true;
-      clientSettings = {
-        inherit uri;
-      };
-      serverSettings = {
-        bindaddress = "127.0.0.1:3013";
-        ldapbindaddress = "100.64.0.1:636";
-        domain = baseDomain;
-        origin = uri;
-        tls_chain = "${config.security.acme.certs.${domain}.directory}/full.pem";
-        tls_key = "${config.security.acme.certs.${domain}.directory}/key.pem";
-      };
-    };
-
  services.nginx.virtualHosts = {
-    "auth.vimium.com" = {
-      useACMEHost = "auth.vimium.com";
-      forceSSL = true;
-      locations."/" = {
-        proxyPass = "https://127.0.0.1:3013";
-      };
-    };
    "outline.vimium.com" = {
      forceSSL = true;
      enableACME = true;
--- a/hosts/vps1/kanidm.nix
+++ b/hosts/vps1/kanidm.nix
@ -0,0 +1,51 @@
+{
+  config,
+  pkgs,
+  ...
+}:
+let
+  baseDomain = "vimium.com";
+  domain = "auth.${baseDomain}";
+in
+{
+  services.kanidm =
+    let
+      uri = "https://${domain}";
+    in
+    {
+      package = pkgs.unstable.kanidm;
+      enableClient = true;
+      enableServer = true;
+      clientSettings = {
+        inherit uri;
+      };
+      serverSettings = {
+        bindaddress = "127.0.0.1:3013";
+        ldapbindaddress = "100.64.0.1:636";
+        domain = baseDomain;
+        origin = uri;
+        tls_chain = "${config.security.acme.certs.${domain}.directory}/full.pem";
+        tls_key = "${config.security.acme.certs.${domain}.directory}/key.pem";
+      };
+    };
+
+  services.nginx.virtualHosts = {
+    "${domain}" = {
+      useACMEHost = "${domain}";
+      forceSSL = true;
+      locations."/" = {
+        proxyPass = "https://127.0.0.1:3013";
+      };
+    };
+  };
+
+  users.extraGroups.acme.members = [
+    "kanidm"
+    "nginx"
+  ];
+
+  security.acme.certs."${domain}" = {
+    postRun = "systemctl restart kanidm.service";
+    group = "acme";
+  };
+}