From ef23fded853f9bf05ee8b69fd4103494f53baecd Mon Sep 17 00:00:00 2001
From: Felix Albrigtsen
Date: Thu, 6 Jun 2024 20:47:15 +0200
Subject: [PATCH] voyager/kanidm: remove second nginx
---
 hosts/defiant/services/nginx.nix | 19 +++++++++++++------
 hosts/voyager/services/kanidm.nix | 17 +++--------------
 2 files changed, 16 insertions(+), 20 deletions(-)
diff --git a/hosts/defiant/services/nginx.nix b/hosts/defiant/services/nginx.nix
index 263715d..6561a34 100644
--- a/hosts/defiant/services/nginx.nix
+++ b/hosts/defiant/services/nginx.nix
@@ -31,7 +31,7 @@
 # Publicly exposed services:
 services.nginx.virtualHosts = let
- publicProxy = upstream: {
+ publicProxy = upstream: overrides: {
 listen = [
 { addr = "192.168.10.175"; port = 43443; ssl = true; }
 { addr = "192.168.10.175"; port = 43080; ssl = false; }
@@ -49,11 +49,18 @@
 server_tokens off;
 '';
- };
+ } // overrides;
 in {
- "auth.feal.no" = publicProxy "https://voyager.home.feal.no";
- "cloud.feal.no" = publicProxy "http://voyager.home.feal.no";
- "git.feal.no" = publicProxy "http://unix:${config.services.gitea.settings.server.HTTP_ADDR}";
- "jf.feal.no" = publicProxy "http://jellyfin.home.feal.no/";
+ "auth.feal.no" = publicProxy "" {
+ locations."/" = {
+ proxyPass = "https://voyager.home.feal.no:8300";
+ extraConfig = ''
+ proxy_ssl_verify off;
+ '';
+ };
+ };
+ "cloud.feal.no" = publicProxy "http://voyager.home.feal.no" {};
+ "git.feal.no" = publicProxy "http://unix:${config.services.gitea.settings.server.HTTP_ADDR}" {};
+ "jf.feal.no" = publicProxy "http://jellyfin.home.feal.no/" {};
 };
 }
diff --git a/hosts/voyager/services/kanidm.nix b/hosts/voyager/services/kanidm.nix
index c95c8e5..caf989d 100644
--- a/hosts/voyager/services/kanidm.nix
+++ b/hosts/voyager/services/kanidm.nix
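Review bot: In hosts/defiant/services/nginx.nix, the new `overrides` parameter of `publicProxy` has no comment, and the way it is applied in the following hunk (`} // overrides;`) is a shallow merge: an override that sets `locations`, as the `auth.feal.no` entry does, replaces the whole `locations` attribute the function builds instead of extending it. The function body between the two hunks is not visible, so whether it sets anything under `locations."/"` besides the proxy target (headers, websocket support) could not be checked; if it does, `auth.feal.no` silently loses it. A comment above the definition such as `# overrides: attrset merged over the generated vhost with //; top-level attributes like locations are replaced, not merged` would make that visible, and would also explain why `auth.feal.no` passes an empty upstream string.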
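Review bot: In hosts/defiant/services/nginx.nix, the new `auth.feal.no` location keeps `proxy_ssl_verify off;` while the upstream moves from a loopback address on the same host to `https://voyager.home.feal.no:8300` on another machine. With verification off, nginx accepts any certificate on that hop, so whoever can answer for that name or sit on the path between the two hosts can impersonate the identity provider and read the credentials and tokens passing through. Since kanidm already serves a certificate chain, verification can be enabled with `proxy_ssl_verify on;`, `proxy_ssl_trusted_certificate <path to CA bundle>;` and `proxy_ssl_name auth.feal.no;` (the last assumes the certificate is issued for the public name, which this diff does not show).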
@@ -10,7 +10,7 @@ in {
 serverSettings = {
 origin = "https://${cfg.serverSettings.domain}";
 domain = "auth.feal.no";
- bindaddress = "127.0.1.2:8300";
+ bindaddress = "0.0.0.0:8300";
 inherit ldapbindaddress;
 tls_chain = "/run/credentials/kanidm.service/cert.crt";
@@ -25,23 +25,12 @@ in {
 ];
 };
-
- services.nginx.virtualHosts."${cfg.serverSettings.domain}" = {
- forceSSL = true;
- sslCertificate = "${certPath}.crt";
- sslCertificateKey = "${certPath}.key";
- locations."/" = {
- proxyPass = "https://${cfg.serverSettings.bindaddress}";
- extraConfig = ''
- proxy_ssl_verify off;
- '';
- };
- };
-
 environment = {
 systemPackages = [ pkgs.kanidm ];
 etc."kanidm/config".text = ''
 uri="${cfg.serverSettings.origin}"
 '';
 };
+
+ networking.firewall.allowedTCPPorts = [ 8300 ];
 }
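Review bot: In hosts/voyager/services/kanidm.nix, `bindaddress = "0.0.0.0:8300"` together with `networking.firewall.allowedTCPPorts = [ 8300 ];` in the second hunk exposes the kanidm listener on every interface to every source address, although the only client this commit introduces is the nginx on defiant. Any host that can route to voyager can then reach the identity provider directly, bypassing whatever the reverse proxy enforces. Consider scoping the rule to the interface that faces defiant, e.g. `networking.firewall.interfaces."<lan-interface>".allowedTCPPorts = [ 8300 ];`, or binding to voyager's LAN address instead of `0.0.0.0`. A source-address rule limited to 192.168.10.175 would be tighter still, assuming that is the address nginx connects from.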