From 84d1eb69fd5e206f170e7a70f5fd1f0ed448dacc Mon Sep 17 00:00:00 2001 From: Felix Albrigtsen Date: Sat, 16 Sep 2023 22:21:47 +0200 Subject: [PATCH] shark: Add kanidm --- hosts/shark/configuration.nix | 13 ++------- hosts/shark/services/kanidm.nix | 49 +++++++++++++++++++++++++++++++++ 2 files changed, 52 insertions(+), 10 deletions(-) create mode 100644 hosts/shark/services/kanidm.nix diff --git a/hosts/shark/configuration.nix b/hosts/shark/configuration.nix index d22263c..b75daad 100644 --- a/hosts/shark/configuration.nix +++ b/hosts/shark/configuration.nix @@ -5,6 +5,8 @@ ./hardware-configuration.nix ../../base.nix ../../misc/metrics-exporters.nix + + ./services/kanidm.nix ]; sops.defaultSopsFile = ../../secrets/shark/shark.yaml; @@ -15,25 +17,16 @@ boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; - networking.hostName = "shark"; # Define your hostname. + networking.hostName = "shark"; systemd.network.networks."30-ens18" = values.defaultNetworkConfig // { matchConfig.Name = "ens18"; address = with values.hosts.shark; [ (ipv4 + "/25") (ipv6 + "/64") ]; }; - # List packages installed in system profile environment.systemPackages = with pkgs; [ ]; - # List services that you want to enable: - - # This value determines the NixOS release from which the default - # settings for stateful data, like file locations and database versions - # on your system were taken. It‘s perfectly fine and recommended to leave - # this value at the release version of the first install of this system. - # Before changing this value read the documentation for this option - # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). system.stateVersion = "23.05"; # Did you read the comment? } diff --git a/hosts/shark/services/kanidm.nix b/hosts/shark/services/kanidm.nix new file mode 100644 index 0000000..0e0c0f1 --- /dev/null +++ b/hosts/shark/services/kanidm.nix @@ -0,0 +1,49 @@ +{ config, pkgs, lib, ... }: +let + cfg = config.services.kanidm; + domain = "auth.pvv.ntnu.no"; + bindaddr_web = "127.0.0.1:8300"; # + bindaddr_ldaps = "0.0.0.0:636"; +in { + # Kanidm - Identity management / auth provider + services.kanidm = { + enableServer = true; + + serverSettings = let + credsDir = "/run/credentials/kanidm.service"; + in { + inherit domain; + ldapbindaddress = bindaddr_ldaps; + bindaddress = bindaddr_web; + origin = "https://${domain}"; + + tls_chain = "${credsDir}/fullchain.pem"; + tls_key = "${credsDir}/key.pem"; + }; + }; + + systemd.services.kanidm = let + certName = config.services.nginx.virtualHosts.${cfg.serverSettings.domain}.useACMEHost; + in { + requires = [ "acme-finished-${certName}.target" ]; + serviceConfig.LoadCredential = let + certDir = config.security.acme.certs.${certName}.directory; + in [ + "fullchain.pem:${certDir}/fullchain.pem" + "key.pem:${certDir}/key.pem" + ]; + }; + + services.nginx.virtualHosts."${cfg.serverSettings.domain}" = { + forceSSL = true; + enableACME = true; + locations."/".proxyPass = "https://${cfg.serverSettings.bindaddress}"; + }; + + environment = { + systemPackages = [ pkgs.kanidm ]; # CLI tool + etc."kanidm/config".text = '' + uri="${cfg.serverSettings.origin}" + ''; + }; + }