jordan/nix-config
1
1
Fork 0
Code Issues 14 Pull Requests Actions Projects 3 Wiki Activity

kanidm: refactor

Browse Source
This commit is contained in:
Jordan Holt 2025-03-10 15:39:07 +00:00
parent 6bcc543cb4
commit cbf449c356
Signed by: jordan
GPG Key ID: B8CFFF61F1CCF520
2 changed files with 52 additions and 40 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

41
hosts/vps1/default.nix
View File

@ -1,6 +1,5 @@
{ {
config, config,
pkgs,
lib, lib,
self, self,
... ...
@ -10,6 +9,7 @@
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix
./gitea.nix ./gitea.nix
./kanidm.nix
../server.nix ../server.nix
]; ];
@ -47,50 +47,11 @@
groups = { groups = {
jellyfin = { }; jellyfin = { };
}; };
extraGroups.acme.members = [
"kanidm"
"nginx"
];
}; };
services.openssh.settings.PermitRootLogin = lib.mkForce "prohibit-password"; services.openssh.settings.PermitRootLogin = lib.mkForce "prohibit-password";
security.acme.certs."auth.vimium.com" = {
postRun = "systemctl restart kanidm.service";
group = "acme";
};
services.kanidm =
let
baseDomain = "vimium.com";
domain = "auth.${baseDomain}";
uri = "https://${domain}";
in
{
package = pkgs.unstable.kanidm;
enableClient = true;
enableServer = true;
clientSettings = {
inherit uri;
};
serverSettings = {
bindaddress = "127.0.0.1:3013";
ldapbindaddress = "100.64.0.1:636";
domain = baseDomain;
origin = uri;
tls_chain = "${config.security.acme.certs.${domain}.directory}/full.pem";
tls_key = "${config.security.acme.certs.${domain}.directory}/key.pem";
};
};
services.nginx.virtualHosts = { services.nginx.virtualHosts = {
"auth.vimium.com" = {
useACMEHost = "auth.vimium.com";
forceSSL = true;
locations."/" = {
proxyPass = "https://127.0.0.1:3013";
};
};
"outline.vimium.com" = { "outline.vimium.com" = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;

51
hosts/vps1/kanidm.nix Normal file
View File

@ -0,0 +1,51 @@
{
config,
pkgs,
...
}:
let
baseDomain = "vimium.com";
domain = "auth.${baseDomain}";
in
{
services.kanidm =
let
uri = "https://${domain}";
in
{
package = pkgs.unstable.kanidm;
enableClient = true;
enableServer = true;
clientSettings = {
inherit uri;
};
serverSettings = {
bindaddress = "127.0.0.1:3013";
ldapbindaddress = "100.64.0.1:636";
domain = baseDomain;
origin = uri;
tls_chain = "${config.security.acme.certs.${domain}.directory}/full.pem";
tls_key = "${config.security.acme.certs.${domain}.directory}/key.pem";
};
};
services.nginx.virtualHosts = {
"${domain}" = {
useACMEHost = "${domain}";
forceSSL = true;
locations."/" = {
proxyPass = "https://127.0.0.1:3013";
};
};
};
users.extraGroups.acme.members = [
"kanidm"
"nginx"
];
security.acme.certs."${domain}" = {
postRun = "systemctl restart kanidm.service";
group = "acme";
};
}