shark: Add kanidm

2025-12-16 15:17:15 +01:00 · 2023-09-16 22:21:47 +02:00
parent 36b768b3b2
commit 84d1eb69fd
2 changed files with 52 additions and 10 deletions
--- a/hosts/shark/services/kanidm.nix
+++ b/hosts/shark/services/kanidm.nix
@@ -0,0 +1,49 @@
+{ config, pkgs, lib, ... }:
+let
+  cfg = config.services.kanidm;
+  domain = "auth.pvv.ntnu.no";
+  bindaddr_web = "127.0.0.1:8300"; #
+  bindaddr_ldaps = "0.0.0.0:636";
+in {
+  # Kanidm - Identity management / auth provider
+  services.kanidm = {
+    enableServer = true;
+
+    serverSettings = let
+      credsDir = "/run/credentials/kanidm.service";
+    in {
+      inherit domain;
+      ldapbindaddress = bindaddr_ldaps;
+      bindaddress = bindaddr_web;
+      origin = "https://${domain}";
+
+      tls_chain = "${credsDir}/fullchain.pem";
+      tls_key = "${credsDir}/key.pem";
+    };
+  };
+
+  systemd.services.kanidm = let
+    certName = config.services.nginx.virtualHosts.${cfg.serverSettings.domain}.useACMEHost;
+  in {
+    requires = [ "acme-finished-${certName}.target" ];
+    serviceConfig.LoadCredential = let
+      certDir = config.security.acme.certs.${certName}.directory;
+    in [
+      "fullchain.pem:${certDir}/fullchain.pem"
+      "key.pem:${certDir}/key.pem"
+    ];
+  };
+
+  services.nginx.virtualHosts."${cfg.serverSettings.domain}" = {
+    forceSSL = true;
+    enableACME = true;
+    locations."/".proxyPass = "https://${cfg.serverSettings.bindaddress}";
+  };
+
+  environment = {
+    systemPackages = [ pkgs.kanidm ]; # CLI tool
+    etc."kanidm/config".text = ''
+      uri="${cfg.serverSettings.origin}"
+    '';
+  };
+ }