

2 commits

Katherina Walshe-Grey 9968717824 kanidm: init 2025-04-03 08:04:22 +01:00
Katherina Walshe-Grey dc7fdfb7ea gpg: init 2025-03-19 17:17:51 +00:00
5 changed files with 76 additions and 1 deletions


@ -4,6 +4,7 @@
./base-server ./base-server
./users ./users
./boot.nix ./boot.nix
./gpg.nix
./home-manager.nix ./home-manager.nix
./misc.nix ./misc.nix
./nginx.nix ./nginx.nix

common/gpg.nix Normal file

@ -0,0 +1,8 @@
{ config, lib, pkgs, ... }:
{
programs.gnupg.agent = {
enable = true;
enableSSHSupport = true;
};
}
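Review bot: `enableSSHSupport = true` lands in `common/gpg.nix`, so gpg-agent becomes the SSH agent for every user on every host that imports `common/`, the servers included, and nothing records why that is wanted fleet-wide rather than on the workstation(s) that hold GPG keys. A why-comment on the option would help the next reader: `# gpg-agent doubles as the SSH agent on every host; the NixOS module exports SSH_AUTH_SOCK for login shells and, as I recall, refuses to coexist with programs.ssh.startAgent`. On the headless hosts it is also worth confirming that the module's default pinentry works over an SSH session (pinning `pinentryPackage = pkgs.pinentry-curses;` if not), otherwise key-unlock prompts fail silently and the agent is useless there.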


@ -28,6 +28,7 @@ in
randomcat.services.zfs.datasets = { randomcat.services.zfs.datasets = {
"rpool_kalessin/state" = { mountpoint = "none"; }; "rpool_kalessin/state" = { mountpoint = "none"; };
"rpool_kalessin/state/kanidm" = { mountpoint = "/var/lib/kanidm"; };
}; };
services.sanoid.datasets."rpool_kalessin/state" = { services.sanoid.datasets."rpool_kalessin/state" = {
@ -36,5 +37,10 @@ in
process_children_only = true; process_children_only = true;
}; };
fountain.services.kanidm = {
enable = true;
domain = "auth.unspecified.systems";
};
system.stateVersion = "23.11"; system.stateVersion = "23.11";
} }
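Review bot: `rpool_kalessin/state/kanidm` is mounted at `/var/lib/kanidm`, which will hold the identity database (credential hashes plus session and token signing material), but nothing in this hunk orders that mount before `kanidm.service`; if the custom `randomcat.services.zfs.datasets` module does not add a mount dependency, a boot where the dataset mounts late would let kanidm initialise a fresh database on the parent dataset instead. Worth confirming how that module handles ordering and recording it in place: `# mounted before kanidm.service starts (ordering comes from the randomcat zfs module); holds the kanidm db and, by default, its online_backup output`. The sanoid `process_children_only` policy on `rpool_kalessin/state` will snapshot this child dataset as well, which is a sensible backstop next to kanidm's own `online_backup`, though the snapshots then also carry the secrets and should be treated as such. The enclosing attribute set opens before the first hunk; the second hunk closes the file.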


@ -5,6 +5,7 @@
./distributed-builds.nix ./distributed-builds.nix
./forgejo.nix ./forgejo.nix
./jellyfin.nix ./jellyfin.nix
./kanidm.nix
./navidrome.nix ./navidrome.nix
./remote-builder.nix ./remote-builder.nix
./web-redirect.nix ./web-redirect.nix

services/kanidm.nix Normal file

@ -0,0 +1,59 @@
{ config, lib, pkgs, ... }:
let
inherit (lib) mkIf mkOption mkEnableOption types;
cfg = config.fountain.services.kanidm;
in
{
options.fountain.services.kanidm = {
enable = mkEnableOption "Kanidm";
domain = mkOption {
type = types.str;
};
};
config = mkIf cfg.enable {
services = {
nginx = {
enable = true;
virtualHosts = {
${cfg.domain} = {
forceSSL = true;
useACMEHost = cfg.domain;
locations."/".proxyPass = "https://[::1]:8443/";
};
};
};
kanidm = {
enableClient = true; # needed for admin configuration
enableServer = true;
package = pkgs.kanidm_1_5;
serverSettings = {
bindaddress = "[::1]:8443";
ldapbindaddress = "[::1]:636";
origin = "https://${cfg.domain}";
domain = cfg.domain;
tls_chain = "${config.security.acme.certs.${cfg.domain}.directory}/fullchain.pem";
tls_key = "${config.security.acme.certs.${cfg.domain}.directory}/key.pem";
online_backup.versions = 7;
trust_x_forward_for = true;
};
clientSettings.uri = config.services.kanidm.serverSettings.origin; # doesn't like connecting through localhost - wants hostname to match
};
};
security.acme.certs.${cfg.domain} = {
webroot = "/var/lib/acme/acme-challenge";
group = "acme_${cfg.domain}";
reloadServices = [ "kanidm.service" ];
};
users.groups."acme_${cfg.domain}".members = [
"kanidm"
config.services.nginx.user
];
networking.firewall.allowedTCPPorts = [ 80 443 636 ];
};
}
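Review bot: `networking.firewall.allowedTCPPorts` opens 636 on the host while `ldapbindaddress = "[::1]:636"` binds the LDAP listener to loopback only, so the firewall rule is either dead or the bind address is wrong; either drop `636` from the list, or bind LDAPS on a routable address deliberately and add a comment that this exposes an LDAP authentication endpoint to the network. Separately, `trust_x_forward_for = true` makes kanidm take the client address it logs and applies policy to from the `X-Forwarded-For` header, but the nginx location here only sets `proxyPass`; unless `common/nginx.nix` (not in this diff) enables `recommendedProxySettings`, nginx passes through whatever header the client sent, and anyone can forge the source address kanidm records. The narrow fix is to set it at the location, `locations."/" = { proxyPass = "https://[::1]:8443/"; extraConfig = "proxy_set_header X-Forwarded-For $remote_addr;"; };`, preferring `$remote_addr` over `$proxy_add_x_forwarded_for` because the latter appends to a client-supplied list and whether kanidm reads the first or last entry decides whether that is still spoofable. A comment beside `trust_x_forward_for` stating that it is only safe because 8443 is loopback-bound and nginx rewrites the header would make that dependency visible to whoever next touches either file.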