Compare commits
No commits in common. "8f8f2556a01ba0de9b9389b4c9afe6761c23bdba" and "996871782480e10c120b2be8533df53430dd198b" have entirely different histories.
8f8f2556a0
...
9968717824
5 changed files with 127 additions and 43 deletions
101
flake.lock
generated
101
flake.lock
generated
|
|
@ -86,17 +86,18 @@
|
|||
},
|
||||
"firefox-addons": {
|
||||
"inputs": {
|
||||
"flake-utils": "flake-utils_2",
|
||||
"nixpkgs": [
|
||||
"nixpkgs-unstable"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"dir": "pkgs/firefox-addons",
|
||||
"lastModified": 1744010161,
|
||||
"narHash": "sha256-6PNBLb/YXVlx2YaDqtljQYpk2MlE0VRjGXcEg1RN/qw=",
|
||||
"lastModified": 1742097805,
|
||||
"narHash": "sha256-N3/7llBZ93Itf7ndnNtEm7lPoMqSC57B/PNaMB6cL1Q=",
|
||||
"owner": "rycee",
|
||||
"repo": "nur-expressions",
|
||||
"rev": "60f50437003e17137a871686dfa3fc4291edd5e5",
|
||||
"rev": "5a0ac85616aa6b166ea715a41bc1255bb802b189",
|
||||
"type": "gitlab"
|
||||
},
|
||||
"original": {
|
||||
|
|
@ -112,11 +113,11 @@
|
|||
"nixpkgs-lib": "nixpkgs-lib"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1743550720,
|
||||
"narHash": "sha256-hIshGgKZCgWh6AYJpJmRgFdR3WUbkY04o82X05xqQiY=",
|
||||
"lastModified": 1741352980,
|
||||
"narHash": "sha256-+u2UunDA4Cl5Fci3m7S643HzKmIDAe+fiXrLqYsR2fs=",
|
||||
"owner": "hercules-ci",
|
||||
"repo": "flake-parts",
|
||||
"rev": "c621e8422220273271f52058f618c94e405bb0f5",
|
||||
"rev": "f4330d22f1c5d2ba72d3d22df5597d123fdb60a9",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
|
@ -141,6 +142,21 @@
|
|||
}
|
||||
},
|
||||
"flake-utils_2": {
|
||||
"locked": {
|
||||
"lastModified": 1629284811,
|
||||
"narHash": "sha256-JHgasjPR0/J1J3DRm4KxM4zTyAj4IOJY8vIl75v/kPI=",
|
||||
"owner": "numtide",
|
||||
"repo": "flake-utils",
|
||||
"rev": "c5d161cc0af116a2e17f54316f0bf43f0819785c",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "numtide",
|
||||
"repo": "flake-utils",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"flake-utils_3": {
|
||||
"inputs": {
|
||||
"systems": "systems_2"
|
||||
},
|
||||
|
|
@ -180,11 +196,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1743808813,
|
||||
"narHash": "sha256-2lDQBOmlz9ggPxcS7/GvcVdzXMIiT+PpMao6FbLJSr0=",
|
||||
"lastModified": 1739757849,
|
||||
"narHash": "sha256-Gs076ot1YuAAsYVcyidLKUMIc4ooOaRGO0PqTY7sBzA=",
|
||||
"owner": "nix-community",
|
||||
"repo": "home-manager",
|
||||
"rev": "a9f8b3db211b4609ddd83683f9db89796c7f6ac6",
|
||||
"rev": "9d3d080aec2a35e05a15cedd281c2384767c2cfe",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
|
@ -201,11 +217,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1744008831,
|
||||
"narHash": "sha256-g3mHJLB8ShKuMaBBZxiGuoftJ22f7Boegiw5xBUnS8E=",
|
||||
"lastModified": 1741955947,
|
||||
"narHash": "sha256-2lbURKclgKqBNm7hVRtWh0A7NrdsibD0EaWhahUVhhY=",
|
||||
"owner": "nix-community",
|
||||
"repo": "home-manager",
|
||||
"rev": "f463902a3f03e15af658e48bcc60b39188ddf734",
|
||||
"rev": "4e12151c9e014e2449e0beca2c0e9534b96a26b4",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
|
@ -230,7 +246,7 @@
|
|||
},
|
||||
"lix-module": {
|
||||
"inputs": {
|
||||
"flake-utils": "flake-utils_2",
|
||||
"flake-utils": "flake-utils_3",
|
||||
"flakey-profile": "flakey-profile",
|
||||
"lix": "lix",
|
||||
"nixpkgs": [
|
||||
|
|
@ -238,24 +254,27 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1742943028,
|
||||
"narHash": "sha256-fprwZKE1uMzO9tiWWOrmLWBW3GPkMayQfb0xOvVFIno=",
|
||||
"rev": "868d97695bab9d21f6070b03957bcace249fbe3c",
|
||||
"type": "tarball",
|
||||
"url": "https://git.lix.systems/api/v1/repos/lix-project/nixos-module/archive/868d97695bab9d21f6070b03957bcace249fbe3c.tar.gz?rev=868d97695bab9d21f6070b03957bcace249fbe3c"
|
||||
"lastModified": 1741892773,
|
||||
"narHash": "sha256-8oUT6D7VlsuLkms3zBsUaPBUoxucmFq62QdtyVpjq0Y=",
|
||||
"ref": "stable",
|
||||
"rev": "ed7a2fa83145868ecb830d6b3c73ebfd81a9e911",
|
||||
"revCount": 130,
|
||||
"type": "git",
|
||||
"url": "https://git.lix.systems/lix-project/nixos-module"
|
||||
},
|
||||
"original": {
|
||||
"type": "tarball",
|
||||
"url": "https://git.lix.systems/lix-project/nixos-module/archive/2.92.0-3.tar.gz"
|
||||
"ref": "stable",
|
||||
"type": "git",
|
||||
"url": "https://git.lix.systems/lix-project/nixos-module"
|
||||
}
|
||||
},
|
||||
"nixpkgs": {
|
||||
"locked": {
|
||||
"lastModified": 1743813633,
|
||||
"narHash": "sha256-BgkBz4NpV6Kg8XF7cmHDHRVGZYnKbvG0Y4p+jElwxaM=",
|
||||
"lastModified": 1741862977,
|
||||
"narHash": "sha256-prZ0M8vE/ghRGGZcflvxCu40ObKaB+ikn74/xQoNrGQ=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "7819a0d29d1dd2bc331bec4b327f0776359b1fa6",
|
||||
"rev": "cdd2ef009676ac92b715ff26630164bb88fec4e0",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
|
@ -267,11 +286,11 @@
|
|||
},
|
||||
"nixpkgs-lib": {
|
||||
"locked": {
|
||||
"lastModified": 1743296961,
|
||||
"narHash": "sha256-b1EdN3cULCqtorQ4QeWgLMrd5ZGOjLSLemfa00heasc=",
|
||||
"lastModified": 1740877520,
|
||||
"narHash": "sha256-oiwv/ZK/2FhGxrCkQkB83i7GnWXPPLzoqFHpDD3uYpk=",
|
||||
"owner": "nix-community",
|
||||
"repo": "nixpkgs.lib",
|
||||
"rev": "e4822aea2a6d1cdd36653c134cacfd64c97ff4fa",
|
||||
"rev": "147dee35aab2193b174e4c0868bd80ead5ce755c",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
|
@ -282,11 +301,11 @@
|
|||
},
|
||||
"nixpkgs-small": {
|
||||
"locked": {
|
||||
"lastModified": 1743891346,
|
||||
"narHash": "sha256-QNxnxIi6PJEnwJp7ZXUpxX4/z/cmRJGeIOkIYfYh/8E=",
|
||||
"lastModified": 1742072093,
|
||||
"narHash": "sha256-2aEgxL5RSzNHWFLWEUFXZhkVEYDOuVSXQBiOonzT/Kg=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "f27c6099cec4fe9b67c7fbc51d8324dcb4b52694",
|
||||
"rev": "f182029bf7f08a57762b4c762d0917b6803ceff4",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
|
@ -298,11 +317,11 @@
|
|||
},
|
||||
"nixpkgs-unstable": {
|
||||
"locked": {
|
||||
"lastModified": 1743827369,
|
||||
"narHash": "sha256-rpqepOZ8Eo1zg+KJeWoq1HAOgoMCDloqv5r2EAa9TSA=",
|
||||
"lastModified": 1742069588,
|
||||
"narHash": "sha256-C7jVfohcGzdZRF6DO+ybyG/sqpo1h6bZi9T56sxLy+k=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "42a1c966be226125b48c384171c44c651c236c22",
|
||||
"rev": "c80f6a7e10b39afcc1894e02ef785b1ad0b0d7e5",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
|
@ -314,11 +333,11 @@
|
|||
},
|
||||
"nixpkgs-unstable-small": {
|
||||
"locked": {
|
||||
"lastModified": 1743948488,
|
||||
"narHash": "sha256-uKcMmNPvGPb58MhAFru/CMDYl69nZRK3A3SLch9ejgA=",
|
||||
"lastModified": 1742095305,
|
||||
"narHash": "sha256-L8qjRx4MbX/juwbo8+4qYbqQy0MFUzUJLV5o8oujvaA=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "da98c5d529f118c82e80a3f9b4fb01fdeba3cf7a",
|
||||
"rev": "f985965fff9d4e5df55df0489ef113d09a6ee08d",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
|
@ -338,11 +357,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1742765550,
|
||||
"narHash": "sha256-2vVIh2JrL6GAGfgCeY9e6iNKrBjs0Hw3bGQEAbwVs68=",
|
||||
"lastModified": 1740569341,
|
||||
"narHash": "sha256-WV8nY2IOfWdzBF5syVgCcgOchg/qQtpYh6LECYS9XkY=",
|
||||
"owner": "nix-community",
|
||||
"repo": "plasma-manager",
|
||||
"rev": "b70be387276e632fe51232887f9e04e2b6ef8c16",
|
||||
"rev": "5eeb0172fb74392053b66a8149e61b5e191b2845",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
|
@ -354,11 +373,11 @@
|
|||
"randomcat": {
|
||||
"flake": false,
|
||||
"locked": {
|
||||
"lastModified": 1744004743,
|
||||
"narHash": "sha256-MIWwT/A4IfXmmSMCU3lVVnFJNmkXpYxcK+Fishja6XY=",
|
||||
"lastModified": 1742090267,
|
||||
"narHash": "sha256-A+pimpalPZr9Un1yJaVsc+3J71IHuAPN+NSo5MqHtzM=",
|
||||
"owner": "randomnetcat",
|
||||
"repo": "nix-configs",
|
||||
"rev": "335ef83e439cfcb4781d5a8f54f606afb63e9f48",
|
||||
"rev": "a448b9a9ce66f8e1d1a1de1205f384da25574c7b",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
|
|
|||
|
|
@ -6,8 +6,7 @@
|
|||
nixpkgs-unstable-small.url = "github:NixOS/nixpkgs/nixos-unstable-small";
|
||||
|
||||
lix-module = {
|
||||
# lix haven't figured out automatic updates yet: https://git.lix.systems/lix-project/nixos-module/issues/39
|
||||
url = "https://git.lix.systems/lix-project/nixos-module/archive/2.92.0-3.tar.gz";
|
||||
url = "git+https://git.lix.systems/lix-project/nixos-module?ref=stable";
|
||||
inputs.nixpkgs.follows = "nixpkgs";
|
||||
};
|
||||
|
||||
|
|
|
|||
|
|
@ -28,6 +28,7 @@ in
|
|||
|
||||
randomcat.services.zfs.datasets = {
|
||||
"rpool_kalessin/state" = { mountpoint = "none"; };
|
||||
"rpool_kalessin/state/kanidm" = { mountpoint = "/var/lib/kanidm"; };
|
||||
};
|
||||
|
||||
services.sanoid.datasets."rpool_kalessin/state" = {
|
||||
|
|
@ -36,5 +37,10 @@ in
|
|||
process_children_only = true;
|
||||
};
|
||||
|
||||
fountain.services.kanidm = {
|
||||
enable = true;
|
||||
domain = "auth.unspecified.systems";
|
||||
};
|
||||
|
||||
system.stateVersion = "23.11";
|
||||
}
|
||||
|
|
|
|||
|
|
@ -5,6 +5,7 @@
|
|||
./distributed-builds.nix
|
||||
./forgejo.nix
|
||||
./jellyfin.nix
|
||||
./kanidm.nix
|
||||
./navidrome.nix
|
||||
./remote-builder.nix
|
||||
./web-redirect.nix
|
||||
|
|
|
|||
59
services/kanidm.nix
Normal file
59
services/kanidm.nix
Normal file
|
|
@ -0,0 +1,59 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
let
|
||||
inherit (lib) mkIf mkOption mkEnableOption types;
|
||||
cfg = config.fountain.services.kanidm;
|
||||
in
|
||||
{
|
||||
options.fountain.services.kanidm = {
|
||||
enable = mkEnableOption "Kanidm";
|
||||
domain = mkOption {
|
||||
type = types.str;
|
||||
};
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
services = {
|
||||
nginx = {
|
||||
enable = true;
|
||||
virtualHosts = {
|
||||
${cfg.domain} = {
|
||||
forceSSL = true;
|
||||
useACMEHost = cfg.domain;
|
||||
locations."/".proxyPass = "https://[::1]:8443/";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
kanidm = {
|
||||
enableClient = true; # needed for admin configuration
|
||||
enableServer = true;
|
||||
package = pkgs.kanidm_1_5;
|
||||
serverSettings = {
|
||||
bindaddress = "[::1]:8443";
|
||||
ldapbindaddress = "[::1]:636";
|
||||
origin = "https://${cfg.domain}";
|
||||
domain = cfg.domain;
|
||||
tls_chain = "${config.security.acme.certs.${cfg.domain}.directory}/fullchain.pem";
|
||||
tls_key = "${config.security.acme.certs.${cfg.domain}.directory}/key.pem";
|
||||
online_backup.versions = 7;
|
||||
trust_x_forward_for = true;
|
||||
};
|
||||
clientSettings.uri = config.services.kanidm.serverSettings.origin; # doesn't like connecting through localhost - wants hostname to match
|
||||
};
|
||||
};
|
||||
|
||||
security.acme.certs.${cfg.domain} = {
|
||||
webroot = "/var/lib/acme/acme-challenge";
|
||||
group = "acme_${cfg.domain}";
|
||||
reloadServices = [ "kanidm.service" ];
|
||||
};
|
||||
|
||||
users.groups."acme_${cfg.domain}".members = [
|
||||
"kanidm"
|
||||
config.services.nginx.user
|
||||
];
|
||||
|
||||
networking.firewall.allowedTCPPorts = [ 80 443 636 ];
|
||||
};
|
||||
}
|
||||
Loading…
Add table
Add a link
Reference in a new issue