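# NixOS module: Kanidm identity server published as auth.<baseDomain> behind
# nginx, with both services reading the same ACME-issued certificate.
{
  config,
  pkgs,
  ...
}:
let
  baseDomain = "vimium.com";
  # Public hostname of the IdP; also the name of the ACME certificate below.
  domain = "auth.${baseDomain}";
in
{
  services.kanidm =
    let
      # Origin the server advertises; must match what browsers reach via nginx.
      uri = "https://${domain}";
    in
    {
      package = pkgs.unstable.kanidm;
      enableClient = true;
      enableServer = true;

      clientSettings = {
        inherit uri;
      };

      serverSettings = {
        # HTTPS listener on loopback, reached only through the nginx proxy below.
        bindaddress = "127.0.0.1:3013";
        # LDAPS listener on a non-loopback address (100.64.0.0/10 is the CGNAT
        # range, typically an overlay/VPN interface). NOTE(review): confirm this
        # address is not reachable from the public internet.
        ldapbindaddress = "100.64.0.1:636";
        # Kanidm's domain is the bare base domain; origin is the full URL of the
        # web interface.
        domain = baseDomain;
        origin = uri;
        # Certificate files shared with nginx through the "acme" group (see below).
        tls_chain = "${config.security.acme.certs.${domain}.directory}/full.pem";
        tls_key = "${config.security.acme.certs.${domain}.directory}/key.pem";
        # nginx forwards X-Forwarded-For (recommendedProxySettings below); trust it
        # so kanidm's logs and any address-based controls see the real client
        # instead of 127.0.0.1. Safe only because the listener is bound to
        # loopback and reachable solely through the proxy.
        trust_x_forward_for = true;
      };
    };

  services.nginx.virtualHosts = {
    "${domain}" = {
      useACMEHost = "${domain}";
      forceSSL = true;
      locations."/" = {
        # Kanidm terminates TLS itself, hence https to the loopback listener.
        proxyPass = "https://127.0.0.1:3013";
        # Send Host and X-Forwarded-* headers to the backend.
        recommendedProxySettings = true;
      };
    };
  };

  # Grant both services read access to the certificate files owned by group acme.
  users.extraGroups.acme.members = [
    "kanidm"
    "nginx"
  ];

  security.acme.certs."${domain}" = {
    # Restart kanidm after renewal so it picks up the new certificate.
    postRun = "systemctl restart kanidm.service";
    group = "acme";
  };
}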