From 996871782480e10c120b2be8533df53430dd198b Mon Sep 17 00:00:00 2001
From: Katherina Walshe-Grey
Date: Thu, 3 Apr 2025 08:04:22 +0100
Subject: [PATCH] kanidm: init

---
 hosts/kalessin/default.nix | 6 ++++
 services/default.nix | 1 +
 services/kanidm.nix | 59 ++++++++++++++++++++++++++++++++++++++
 3 files changed, 66 insertions(+)
 create mode 100644 services/kanidm.nix

diff --git a/hosts/kalessin/default.nix b/hosts/kalessin/default.nix
index 65a0ced..a34cbd3 100644
--- a/hosts/kalessin/default.nix
+++ b/hosts/kalessin/default.nix
@@ -28,6 +28,7 @@ in

 randomcat.services.zfs.datasets = {
 "rpool_kalessin/state" = { mountpoint = "none"; };
+ "rpool_kalessin/state/kanidm" = { mountpoint = "/var/lib/kanidm"; };
 };

 services.sanoid.datasets."rpool_kalessin/state" = {
@@ -36,5 +37,10 @@ in
 process_children_only = true;
 };

+ fountain.services.kanidm = {
+ enable = true;
+ domain = "auth.unspecified.systems";
+ };
+
 system.stateVersion = "23.11";
 }
diff --git a/services/default.nix b/services/default.nix
index 9a3f8cb..f60119c 100644
--- a/services/default.nix
+++ b/services/default.nix
@@ -5,6 +5,7 @@
 ./distributed-builds.nix
 ./forgejo.nix
 ./jellyfin.nix
+ ./kanidm.nix
 ./navidrome.nix
 ./remote-builder.nix
 ./web-redirect.nix
diff --git a/services/kanidm.nix b/services/kanidm.nix
new file mode 100644
index 0000000..6bb891c
--- /dev/null
+++ b/services/kanidm.nix
@@ -0,0 +1,59 @@
+{ config, lib, pkgs, ... }:
+
+let
+ inherit (lib) mkIf mkOption mkEnableOption types;
+ cfg = config.fountain.services.kanidm;
+in
+{
+ options.fountain.services.kanidm = {
+ enable = mkEnableOption "Kanidm";
+ domain = mkOption {
+ type = types.str;
+ };
+ };
+
+ config = mkIf cfg.enable {
+ services = {
+ nginx = {
+ enable = true;
+ virtualHosts = {
+ ${cfg.domain} = {
+ forceSSL = true;
+ useACMEHost = cfg.domain;
+ locations."/".proxyPass = "https://[::1]:8443/";
+ };
+ };
+ };
+
+ kanidm = {
+ enableClient = true; # needed for admin configuration
+ enableServer = true;
+ package = pkgs.kanidm_1_5;
+ serverSettings = {
+ bindaddress = "[::1]:8443";
+ ldapbindaddress = "[::1]:636";
+ origin = "https://${cfg.domain}";
+ domain = cfg.domain;
+ tls_chain = "${config.security.acme.certs.${cfg.domain}.directory}/fullchain.pem";
+ tls_key = "${config.security.acme.certs.${cfg.domain}.directory}/key.pem";
+ online_backup.versions = 7;
+ trust_x_forward_for = true;
+ };
+ clientSettings.uri = config.services.kanidm.serverSettings.origin; # doesn't like connecting through localhost - wants hostname to match
+ };
+ };
+
+ security.acme.certs.${cfg.domain} = {
+ webroot = "/var/lib/acme/acme-challenge";
+ group = "acme_${cfg.domain}";
+ reloadServices = [ "kanidm.service" ];
+ };
+
+ users.groups."acme_${cfg.domain}".members = [
+ "kanidm"
+ config.services.nginx.user
+ ];
+
+ networking.firewall.allowedTCPPorts = [ 80 443 636 ];
+ };
+}
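Review bot: `trust_x_forward_for = true;` in serverSettings tells kanidm to believe the X-Forwarded-For header, but the nginx location in this hunk sets only `proxyPass` and never sets that header, so nginx forwards whatever X-Forwarded-For a client supplies and kanidm will record an attacker-chosen address in its audit log and any client-address based logic — unless `services.nginx.recommendedProxySettings` is enabled somewhere outside this hunk, which is not visible here. I would replace the location line with `locations."/" = { proxyPass = "https://[::1]:8443/"; extraConfig = "proxy_set_header X-Forwarded-For $remote_addr;"; };`, overwriting the header rather than appending to it, because `$proxy_add_x_forwarded_for` still leaves a client-supplied entry at the front of the list and this hunk does not show which element kanidm honours. Separately, `ldapbindaddress = "[::1]:636"` is loopback-only, so listing 636 in `networking.firewall.allowedTCPPorts` exposes nothing today and would silently start exposing LDAPS if the bind address is later widened; dropping it from the list keeps that exposure a deliberate change.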