diff --git a/flake.lock b/flake.lock
index 64b47f4..04db858 100644
--- a/flake.lock
+++ b/flake.lock
@@ -86,17 +86,18 @@
 },
 "firefox-addons": {
 "inputs": {
+ "flake-utils": "flake-utils_2",
 "nixpkgs": [
 "nixpkgs-unstable"
 ]
 },
 "locked": {
 "dir": "pkgs/firefox-addons",
- "lastModified": 1744010161,
- "narHash": "sha256-6PNBLb/YXVlx2YaDqtljQYpk2MlE0VRjGXcEg1RN/qw=",
+ "lastModified": 1742097805,
+ "narHash": "sha256-N3/7llBZ93Itf7ndnNtEm7lPoMqSC57B/PNaMB6cL1Q=",
 "owner": "rycee",
 "repo": "nur-expressions",
- "rev": "60f50437003e17137a871686dfa3fc4291edd5e5",
+ "rev": "5a0ac85616aa6b166ea715a41bc1255bb802b189",
 "type": "gitlab"
 },
 "original": {
@@ -112,11 +113,11 @@
 "nixpkgs-lib": "nixpkgs-lib"
 },
 "locked": {
- "lastModified": 1743550720,
- "narHash": "sha256-hIshGgKZCgWh6AYJpJmRgFdR3WUbkY04o82X05xqQiY=",
+ "lastModified": 1741352980,
+ "narHash": "sha256-+u2UunDA4Cl5Fci3m7S643HzKmIDAe+fiXrLqYsR2fs=",
 "owner": "hercules-ci",
 "repo": "flake-parts",
- "rev": "c621e8422220273271f52058f618c94e405bb0f5",
+ "rev": "f4330d22f1c5d2ba72d3d22df5597d123fdb60a9",
 "type": "github"
 },
 "original": {
@@ -141,6 +142,21 @@
 }
 },
 "flake-utils_2": {
+ "locked": {
+ "lastModified": 1629284811,
+ "narHash": "sha256-JHgasjPR0/J1J3DRm4KxM4zTyAj4IOJY8vIl75v/kPI=",
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "rev": "c5d161cc0af116a2e17f54316f0bf43f0819785c",
+ "type": "github"
+ },
+ "original": {
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "type": "github"
+ }
+ },
+ "flake-utils_3": {
 "inputs": {
 "systems": "systems_2"
 },
@@ -180,11 +196,11 @@
 ]
 },
 "locked": {
- "lastModified": 1743808813,
- "narHash": "sha256-2lDQBOmlz9ggPxcS7/GvcVdzXMIiT+PpMao6FbLJSr0=",
+ "lastModified": 1739757849,
+ "narHash": "sha256-Gs076ot1YuAAsYVcyidLKUMIc4ooOaRGO0PqTY7sBzA=",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "a9f8b3db211b4609ddd83683f9db89796c7f6ac6",
+ "rev": "9d3d080aec2a35e05a15cedd281c2384767c2cfe",
 "type": "github"
 },
 "original": {
@@ -201,11 +217,11 @@
 ]
 },
 "locked": {
- "lastModified": 1744008831,
- "narHash": "sha256-g3mHJLB8ShKuMaBBZxiGuoftJ22f7Boegiw5xBUnS8E=",
+ "lastModified": 1741955947,
+ "narHash": "sha256-2lbURKclgKqBNm7hVRtWh0A7NrdsibD0EaWhahUVhhY=",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "f463902a3f03e15af658e48bcc60b39188ddf734",
+ "rev": "4e12151c9e014e2449e0beca2c0e9534b96a26b4",
 "type": "github"
 },
 "original": {
@@ -230,7 +246,7 @@
 },
 "lix-module": {
 "inputs": {
- "flake-utils": "flake-utils_2",
+ "flake-utils": "flake-utils_3",
 "flakey-profile": "flakey-profile",
 "lix": "lix",
 "nixpkgs": [
@@ -238,24 +254,27 @@
 ]
 },
 "locked": {
- "lastModified": 1742943028,
- "narHash": "sha256-fprwZKE1uMzO9tiWWOrmLWBW3GPkMayQfb0xOvVFIno=",
- "rev": "868d97695bab9d21f6070b03957bcace249fbe3c",
- "type": "tarball",
- "url": "https://git.lix.systems/api/v1/repos/lix-project/nixos-module/archive/868d97695bab9d21f6070b03957bcace249fbe3c.tar.gz?rev=868d97695bab9d21f6070b03957bcace249fbe3c"
+ "lastModified": 1741892773,
+ "narHash": "sha256-8oUT6D7VlsuLkms3zBsUaPBUoxucmFq62QdtyVpjq0Y=",
+ "ref": "stable",
+ "rev": "ed7a2fa83145868ecb830d6b3c73ebfd81a9e911",
+ "revCount": 130,
+ "type": "git",
+ "url": "https://git.lix.systems/lix-project/nixos-module"
 },
 "original": {
- "type": "tarball",
- "url": "https://git.lix.systems/lix-project/nixos-module/archive/2.92.0-3.tar.gz"
+ "ref": "stable",
+ "type": "git",
+ "url": "https://git.lix.systems/lix-project/nixos-module"
 }
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1743813633,
- "narHash": "sha256-BgkBz4NpV6Kg8XF7cmHDHRVGZYnKbvG0Y4p+jElwxaM=",
+ "lastModified": 1741862977,
+ "narHash": "sha256-prZ0M8vE/ghRGGZcflvxCu40ObKaB+ikn74/xQoNrGQ=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "7819a0d29d1dd2bc331bec4b327f0776359b1fa6",
+ "rev": "cdd2ef009676ac92b715ff26630164bb88fec4e0",
 "type": "github"
 },
 "original": {
@@ -267,11 +286,11 @@
 },
 "nixpkgs-lib": {
 "locked": {
- "lastModified": 1743296961,
- "narHash": "sha256-b1EdN3cULCqtorQ4QeWgLMrd5ZGOjLSLemfa00heasc=",
+ "lastModified": 1740877520,
+ "narHash": "sha256-oiwv/ZK/2FhGxrCkQkB83i7GnWXPPLzoqFHpDD3uYpk=",
 "owner": "nix-community",
 "repo": "nixpkgs.lib",
- "rev": "e4822aea2a6d1cdd36653c134cacfd64c97ff4fa",
+ "rev": "147dee35aab2193b174e4c0868bd80ead5ce755c",
 "type": "github"
 },
 "original": {
@@ -282,11 +301,11 @@
 },
 "nixpkgs-small": {
 "locked": {
- "lastModified": 1743891346,
- "narHash": "sha256-QNxnxIi6PJEnwJp7ZXUpxX4/z/cmRJGeIOkIYfYh/8E=",
+ "lastModified": 1742072093,
+ "narHash": "sha256-2aEgxL5RSzNHWFLWEUFXZhkVEYDOuVSXQBiOonzT/Kg=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "f27c6099cec4fe9b67c7fbc51d8324dcb4b52694",
+ "rev": "f182029bf7f08a57762b4c762d0917b6803ceff4",
 "type": "github"
 },
 "original": {
@@ -298,11 +317,11 @@
 },
 "nixpkgs-unstable": {
 "locked": {
- "lastModified": 1743827369,
- "narHash": "sha256-rpqepOZ8Eo1zg+KJeWoq1HAOgoMCDloqv5r2EAa9TSA=",
+ "lastModified": 1742069588,
+ "narHash": "sha256-C7jVfohcGzdZRF6DO+ybyG/sqpo1h6bZi9T56sxLy+k=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "42a1c966be226125b48c384171c44c651c236c22",
+ "rev": "c80f6a7e10b39afcc1894e02ef785b1ad0b0d7e5",
 "type": "github"
 },
 "original": {
@@ -314,11 +333,11 @@
 },
 "nixpkgs-unstable-small": {
 "locked": {
- "lastModified": 1743948488,
- "narHash": "sha256-uKcMmNPvGPb58MhAFru/CMDYl69nZRK3A3SLch9ejgA=",
+ "lastModified": 1742095305,
+ "narHash": "sha256-L8qjRx4MbX/juwbo8+4qYbqQy0MFUzUJLV5o8oujvaA=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "da98c5d529f118c82e80a3f9b4fb01fdeba3cf7a",
+ "rev": "f985965fff9d4e5df55df0489ef113d09a6ee08d",
 "type": "github"
 },
 "original": {
@@ -338,11 +357,11 @@
 ]
 },
 "locked": {
- "lastModified": 1742765550,
- "narHash": "sha256-2vVIh2JrL6GAGfgCeY9e6iNKrBjs0Hw3bGQEAbwVs68=",
+ "lastModified": 1740569341,
+ "narHash": "sha256-WV8nY2IOfWdzBF5syVgCcgOchg/qQtpYh6LECYS9XkY=",
 "owner": "nix-community",
 "repo": "plasma-manager",
- "rev": "b70be387276e632fe51232887f9e04e2b6ef8c16",
+ "rev": "5eeb0172fb74392053b66a8149e61b5e191b2845",
 "type": "github"
 },
 "original": {
@@ -354,11 +373,11 @@
 "randomcat": {
 "flake": false,
 "locked": {
- "lastModified": 1744004743,
- "narHash": "sha256-MIWwT/A4IfXmmSMCU3lVVnFJNmkXpYxcK+Fishja6XY=",
+ "lastModified": 1742090267,
+ "narHash": "sha256-A+pimpalPZr9Un1yJaVsc+3J71IHuAPN+NSo5MqHtzM=",
 "owner": "randomnetcat",
 "repo": "nix-configs",
- "rev": "335ef83e439cfcb4781d5a8f54f606afb63e9f48",
+ "rev": "a448b9a9ce66f8e1d1a1de1205f384da25574c7b",
 "type": "github"
 },
 "original": {
diff --git a/flake.nix b/flake.nix
index 5962bf5..4b3c089 100644
--- a/flake.nix
+++ b/flake.nix
@@ -6,8 +6,7 @@
 nixpkgs-unstable-small.url = "github:NixOS/nixpkgs/nixos-unstable-small";
 
 lix-module = {
- # lix haven't figured out automatic updates yet: https://git.lix.systems/lix-project/nixos-module/issues/39
- url = "https://git.lix.systems/lix-project/nixos-module/archive/2.92.0-3.tar.gz";
+ url = "git+https://git.lix.systems/lix-project/nixos-module?ref=stable";
 inputs.nixpkgs.follows = "nixpkgs";
 };
 
diff --git a/hosts/kalessin/default.nix b/hosts/kalessin/default.nix
index 65a0ced..a34cbd3 100644
--- a/hosts/kalessin/default.nix
+++ b/hosts/kalessin/default.nix
@@ -28,6 +28,7 @@ in
 
 randomcat.services.zfs.datasets = {
 "rpool_kalessin/state" = { mountpoint = "none"; };
+ "rpool_kalessin/state/kanidm" = { mountpoint = "/var/lib/kanidm"; };
 };
 
 services.sanoid.datasets."rpool_kalessin/state" = {
@@ -36,5 +37,10 @@ in
 process_children_only = true;
 };
 
+ fountain.services.kanidm = {
+ enable = true;
+ domain = "auth.unspecified.systems";
+ };
+
 system.stateVersion = "23.11";
 }
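Review bot: The lix-module input now tracks the moving `stable` branch instead of the `2.92.0-3` release tarball, and the comment that explained the pin (the link to nixos-module issue 39) is removed with nothing in its place. The lock file still pins `rev` and `narHash`, so builds stay reproducible, but `nix flake update` will from now on take whatever `stable` points at rather than a named release. Keep a one-line comment recording that choice, e.g. `# tracks upstream's stable branch; the lock pins rev+narHash, so review the lix-module changes on each flake update`.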
diff --git a/services/default.nix b/services/default.nix
index 9a3f8cb..f60119c 100644
--- a/services/default.nix
+++ b/services/default.nix
@@ -5,6 +5,7 @@
 ./distributed-builds.nix
 ./forgejo.nix
 ./jellyfin.nix
+ ./kanidm.nix
 ./navidrome.nix
 ./remote-builder.nix
 ./web-redirect.nix
diff --git a/services/kanidm.nix b/services/kanidm.nix
new file mode 100644
index 0000000..6bb891c
--- /dev/null
+++ b/services/kanidm.nix
@@ -0,0 +1,59 @@
+{ config, lib, pkgs, ... }:
+
+let
+ inherit (lib) mkIf mkOption mkEnableOption types;
+ cfg = config.fountain.services.kanidm;
+in
+{
+ options.fountain.services.kanidm = {
+ enable = mkEnableOption "Kanidm";
+ domain = mkOption {
+ type = types.str;
+ };
+ };
+
+ config = mkIf cfg.enable {
+ services = {
+ nginx = {
+ enable = true;
+ virtualHosts = {
+ ${cfg.domain} = {
+ forceSSL = true;
+ useACMEHost = cfg.domain;
+ locations."/".proxyPass = "https://[::1]:8443/";
+ };
+ };
+ };
+
+ kanidm = {
+ enableClient = true; # needed for admin configuration
+ enableServer = true;
+ package = pkgs.kanidm_1_5;
+ serverSettings = {
+ bindaddress = "[::1]:8443";
+ ldapbindaddress = "[::1]:636";
+ origin = "https://${cfg.domain}";
+ domain = cfg.domain;
+ tls_chain = "${config.security.acme.certs.${cfg.domain}.directory}/fullchain.pem";
+ tls_key = "${config.security.acme.certs.${cfg.domain}.directory}/key.pem";
+ online_backup.versions = 7;
+ trust_x_forward_for = true;
+ };
+ clientSettings.uri = config.services.kanidm.serverSettings.origin; # doesn't like connecting through localhost - wants hostname to match
+ };
+ };
+
+ security.acme.certs.${cfg.domain} = {
+ webroot = "/var/lib/acme/acme-challenge";
+ group = "acme_${cfg.domain}";
+ reloadServices = [ "kanidm.service" ];
+ };
+
+ users.groups."acme_${cfg.domain}".members = [
+ "kanidm"
+ config.services.nginx.user
+ ];
+
+ networking.firewall.allowedTCPPorts = [ 80 443 636 ];
+ };
+}
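Review bot: Port 636 is opened in `networking.firewall.allowedTCPPorts` although `ldapbindaddress` binds LDAPS to `[::1]:636` only, so the rule admits nothing today and would silently expose the LDAP interface the day the bind address is widened; drop it (`networking.firewall.allowedTCPPorts = [ 80 443 ];`) and open it deliberately together with a non-loopback bind when that is intended. `trust_x_forward_for = true` only helps if nginx actually sends the header, and unless `recommendedProxySettings` is enabled elsewhere in this configuration the plain `proxyPass` location here does not, so Kanidm's audit log would record every client as `::1`; `services.nginx.recommendedProxySettings = true;` (or an explicit `proxy_set_header X-Forwarded-For`) would fix that. The `domain` option also lacks a `description`; `description = "Public hostname used for the Kanidm origin, the nginx virtual host and the ACME certificate.";` would make the module self-documenting.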