Jordan Holt
34585223ca
All checks were successful
Check flake / build-amd64-linux (push) Successful in 1m26s
68 lines
1.4 KiB
Nix
68 lines
1.4 KiB
Nix
{
|
|
config,
|
|
pkgs,
|
|
...
|
|
}:
|
|
let
|
|
baseDomain = "vimium.com";
|
|
domain = "auth.${baseDomain}";
|
|
in
|
|
{
|
|
services.kanidm =
|
|
let
|
|
uri = "https://${domain}";
|
|
in
|
|
{
|
|
package = pkgs.unstable.kanidm;
|
|
enableClient = true;
|
|
enableServer = true;
|
|
clientSettings = {
|
|
inherit uri;
|
|
};
|
|
serverSettings = {
|
|
bindaddress = "127.0.0.1:3013";
|
|
ldapbindaddress = "100.64.0.1:636";
|
|
domain = baseDomain;
|
|
origin = uri;
|
|
tls_chain = "${config.security.acme.certs.${domain}.directory}/full.pem";
|
|
tls_key = "${config.security.acme.certs.${domain}.directory}/key.pem";
|
|
version = "2";
|
|
};
|
|
};
|
|
|
|
# LDAP server binds to tailscale network interface
|
|
systemd.services.kanidm = {
|
|
requires = [ "tailscaled.service" ];
|
|
after = [ "tailscaled.service" ];
|
|
};
|
|
|
|
services.nginx.virtualHosts = {
|
|
"${domain}" = {
|
|
useACMEHost = "${domain}";
|
|
forceSSL = true;
|
|
locations."/" = {
|
|
proxyPass = "https://127.0.0.1:3013";
|
|
};
|
|
};
|
|
};
|
|
|
|
users.extraGroups.acme.members = [
|
|
"kanidm"
|
|
"nginx"
|
|
];
|
|
|
|
security.acme.certs."${domain}" = {
|
|
postRun = "systemctl restart kanidm.service";
|
|
group = "acme";
|
|
};
|
|
|
|
environment.persistence."/persist".directories = [
|
|
{
|
|
directory = "/var/lib/kanidm";
|
|
user = "kanidm";
|
|
group = "kanidm";
|
|
mode = "0700";
|
|
}
|
|
];
|
|
}
|