dots/modules/services/auth/kanidm.nix

{ config, pkgs, ... }:

{
  services.kanidm = {
    enableServer = true;
    enablePam = false;
    package = pkgs.kanidm_1_8;

    serverSettings = {
      bindaddress = "127.0.0.1:8443";
      ldapbindaddress = "0.0.0.0:636";
      domain = "${config.homelab.authDomain}";
      origin = "https://${config.homelab.authDomain}";

      tls_chain = "${config.security.acme.certs.${config.homelab.authDomain}.directory}/cert.pem";
      tls_key = "${config.security.acme.certs.${config.homelab.authDomain}.directory}/key.pem";
    };
  };

  security.acme.certs."${config.homelab.authDomain}" = {
    group = "kanidm-acme";

    domain = "${config.homelab.authDomain}";
    dnsProvider = "cloudflare";
    dnsResolver = "1.1.1.1:53";
    dnsPropagationCheck = true;
    environmentFile = /var/lib/caddy/secret;
  };

  services.caddy.virtualHosts."${config.homelab.authDomain}" = {
    useACMEHost = config.services.kanidm.serverSettings.domain;
    extraConfig = ''
      reverse_proxy https://localhost:8443 {
        header_up Host "${config.homelab.authDomain}:8443"
        transport http {
          tls_server_name ${config.homelab.authDomain}
        }
      }
    '';
  };

  # create a group to fix permission issues when accessing
  # certificates.
  users.groups.kanidm-acme = {};
  users.users.caddy.extraGroups = [ "kanidm-acme" ];
  users.users.kanidm.extraGroups = [ "kanidm-acme" ];
}