kanidm: init

flake.nix

@@ -30,6 +30,7 @@
         ./modules/services/karakeep.nix
         ./modules/services/uptime-kuma.nix
         ./modules/services/pocketid.nix
+        ./modules/services/auth/kanidm.nix
         ./modules/services/caddy.nix
         ./modules/services/forgejo.nix
         ./modules/services/miniflux.nix

modules/services/auth/kanidm.nix

@@ -0,0 +1,47 @@
+{ config, pkgs, ... }:
+
+{
+  services.kanidm = {
+    enableServer = true;
+    enablePam = false;
+    package = pkgs.kanidm_1_5;
+
+    serverSettings = {
+      bindaddress = "127.0.0.1:8443";
+      ldapbindaddress = "0.0.0.0:636";
+      domain = "${config.homelab.authDomain}";
+      origin = "https://${config.homelab.authDomain}";
+
+      tls_chain = "${config.security.acme.certs.${config.homelab.authDomain}.directory}/cert.pem";
+      tls_key = "${config.security.acme.certs.${config.homelab.authDomain}.directory}/key.pem";
+    };
+  };
+
+  security.acme.certs."${config.homelab.authDomain}" = {
+    group = "kanidm-acme";
+
+    domain = "${config.homelab.authDomain}";
+    dnsProvider = "cloudflare";
+    dnsResolver = "1.1.1.1:53";
+    dnsPropagationCheck = true;
+    environmentFile = /var/lib/caddy/secret;
+  };
+
+  services.caddy.virtualHosts."${config.homelab.authDomain}" = {
+    useACMEHost = config.services.kanidm.serverSettings.domain;
+    extraConfig = ''
+      reverse_proxy https://localhost:8443 {
+        header_up Host "${config.homelab.authDomain}:8443"
+        transport http {
+          tls_server_name ${config.homelab.authDomain}
+        }
+      }
+    '';
+  };
+
+  # create a group to fix permission issues when accessing
+  # certificates.
+  users.groups.kanidm-acme = {};
+  users.users.caddy.extraGroups = [ "kanidm-acme" ];
+  users.users.kanidm.extraGroups = [ "kanidm-acme" ];
+}