kanidm: init

Nico 2025-05-12 19:23:37 +10:00
parent f1bf4c3ea1
commit d6a7a1fc53
2 changed files with 48 additions and 0 deletions


@ -30,6 +30,7 @@
./modules/services/karakeep.nix
./modules/services/uptime-kuma.nix
./modules/services/pocketid.nix
./modules/services/auth/kanidm.nix
./modules/services/caddy.nix
./modules/services/forgejo.nix
./modules/services/miniflux.nix


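--- /dev/null
+++ b/modules/services/auth/kanidm.nix
@@ -0,0 +1,47 @@
+{ config, pkgs, ... }:
+{
+services.kanidm = {
+enableServer = true;
+enablePam = false;
+package = pkgs.kanidm_1_5;
+serverSettings = {
+bindaddress = "127.0.0.1:8443";
+ldapbindaddress = "0.0.0.0:636";
+domain = "${config.homelab.authDomain}";
+origin = "https://${config.homelab.authDomain}";
+tls_chain = "${config.security.acme.certs.${config.homelab.authDomain}.directory}/cert.pem";
+tls_key = "${config.security.acme.certs.${config.homelab.authDomain}.directory}/key.pem";
+};
+};
+security.acme.certs."${config.homelab.authDomain}" = {
+group = "kanidm-acme";
+domain = "${config.homelab.authDomain}";
+dnsProvider = "cloudflare";
+dnsResolver = "1.1.1.1:53";
+dnsPropagationCheck = true;
+environmentFile = /var/lib/caddy/secret;
+};
+services.caddy.virtualHosts."${config.homelab.authDomain}" = {
+useACMEHost = config.services.kanidm.serverSettings.domain;
+extraConfig = ''
+reverse_proxy https://localhost:8443 {
+header_up Host "${config.homelab.authDomain}:8443"
+transport http {
+tls_server_name ${config.homelab.authDomain}
+}
+}
+'';
+};
+# create a group to fix permission issues when accessing
+# certificates.
+users.groups.kanidm-acme = {};
+users.users.caddy.extraGroups = [ "kanidm-acme" ];
+users.users.kanidm.extraGroups = [ "kanidm-acme" ];
+}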
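Review bot: `ldapbindaddress = "0.0.0.0:636"` exposes the LDAP listener on every interface while the HTTPS listener on the line above is deliberately loopback-only; if LDAP is only consumed by services on this host, bind it to `127.0.0.1:636` as well, otherwise pin it to the intended interface and note which clients need it (the default NixOS firewall will still block it unless the port is opened elsewhere, so this may be latent rather than live). `environmentFile = /var/lib/caddy/secret;` is an unquoted Nix path literal, and a path literal that ends up in a string interpolation is copied into the world-readable Nix store; quoting it as `environmentFile = "/var/lib/caddy/secret";` removes that risk regardless of how the ACME module consumes the option. Kanidm reads the certificate and key straight from the ACME directory, so adding `reloadServices = [ "kanidm.service" ];` to the cert entry keeps it from continuing to serve the old certificate after a renewal. Since every client request arrives through the Caddy reverse proxy, kanidm will record 127.0.0.1 as the source address in its audit logs unless `trust_x_forward_for = true;` is set in `serverSettings` — worth confirming against the server configuration reference for the pinned `kanidm_1_5` package.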