diff --git a/flake.nix b/flake.nix
index ccae1a7..8ee02f4 100644
--- a/flake.nix
+++ b/flake.nix
@@ -30,6 +30,7 @@
 ./modules/services/karakeep.nix
 ./modules/services/uptime-kuma.nix
 ./modules/services/pocketid.nix
+ ./modules/services/auth/kanidm.nix
 ./modules/services/caddy.nix
 ./modules/services/forgejo.nix
 ./modules/services/miniflux.nix
diff --git a/modules/services/auth/kanidm.nix b/modules/services/auth/kanidm.nix
new file mode 100644
index 0000000..f19285c
--- /dev/null
+++ b/modules/services/auth/kanidm.nix
@@ -0,0 +1,47 @@
+{ config, pkgs, ... }:
+
+ {
+ services.kanidm = {
+ enableServer = true;
+ enablePam = false;
+ package = pkgs.kanidm_1_5;
+
+ serverSettings = {
+ bindaddress = "127.0.0.1:8443";
+ ldapbindaddress = "0.0.0.0:636";
+ domain = "${config.homelab.authDomain}";
+ origin = "https://${config.homelab.authDomain}";
+
+ tls_chain = "${config.security.acme.certs.${config.homelab.authDomain}.directory}/cert.pem";
+ tls_key = "${config.security.acme.certs.${config.homelab.authDomain}.directory}/key.pem";
+ };
+ };
+
+ security.acme.certs."${config.homelab.authDomain}" = {
+ group = "kanidm-acme";
+
+ domain = "${config.homelab.authDomain}";
+ dnsProvider = "cloudflare";
+ dnsResolver = "1.1.1.1:53";
+ dnsPropagationCheck = true;
+ environmentFile = /var/lib/caddy/secret;
+ };
+
+ services.caddy.virtualHosts."${config.homelab.authDomain}" = {
+ useACMEHost = config.services.kanidm.serverSettings.domain;
+ extraConfig = ''
+ reverse_proxy https://localhost:8443 {
+ header_up Host "${config.homelab.authDomain}:8443"
+ transport http {
+ tls_server_name ${config.homelab.authDomain}
+ }
+ }
+ '';
+ };
+
+ # create a group to fix permission issues when accessing
+ # certificates.
+ users.groups.kanidm-acme = {};
+ users.users.caddy.extraGroups = [ "kanidm-acme" ];
+ users.users.kanidm.extraGroups = [ "kanidm-acme" ];
+ }
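Review bot: `ldapbindaddress = "0.0.0.0:636";` in the new kanidm.nix exposes the LDAPS listener on every interface, while the HTTPS listener on the line above is deliberately kept on `127.0.0.1:8443` behind the Caddy reverse proxy, and nothing in this file (no firewall rule, no comment) explains the difference. If no host on the network needs LDAP, bind it to loopback as well (`ldapbindaddress = "127.0.0.1:636";`); if the exposure is intended, a one-line comment naming the consumer plus an explicit `networking.firewall.allowedTCPPorts` entry would make it deliberate rather than something the default NixOS firewall presumably happens to block. Separately, `environmentFile = /var/lib/caddy/secret;` is an unquoted Nix path literal; path literals are copied into the world-readable Nix store whenever they are string-interpolated, so the safer spelling for a file holding a DNS API token is the string `"/var/lib/caddy/secret"`, which the ACME `environmentFile` option accepts just as well. The "create a group to fix permission issues" comment would also be more useful if it said why the group exists — both caddy (via `useACMEHost`) and kanidm (via `tls_key`) read the private key out of the ACME certificate directory — since that is the security-relevant reason two service users share it.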