feat(core-security): init kanidm

2025-03-24 04:40:53 +01:00 · 2024-12-21 10:38:58 +01:00 · 2024-12-21 10:38:58 +01:00 · 932d147110
commit 932d147110
parent 7fad180d17
3 changed files with 35 additions and 3 deletions
--- a/lon.lock
+++ b/lon.lock
@ -157,9 +157,9 @@
      "owner": "nixos",
      "repo": "nixpkgs",
      "branch": "nixos-24.11",
-      "revision": "62c435d93bf046a5396f3016472e8f7c8e2aed65",
-      "url": "https://github.com/nixos/nixpkgs/archive/62c435d93bf046a5396f3016472e8f7c8e2aed65.tar.gz",
-      "hash": "sha256-F7thesZPvAMSwjRu0K8uFshTk3ZZSNAsXTIFvXBT+34="
+      "revision": "b47fd6fa00c6afca88b8ee46cfdb00e104f50bca",
+      "url": "https://github.com/nixos/nixpkgs/archive/b47fd6fa00c6afca88b8ee46cfdb00e104f50bca.tar.gz",
+      "hash": "sha256-nbG9TijTMcfr+au7ZVbKpAhMJzzE2nQBYmRvSdXUD8g="
    },
    "stateless-uptime-kuma": {
      "type": "Git",
--- a/machines/core-security/default.nix
+++ b/machines/core-security/default.nix
@ -11,6 +11,7 @@
  imports = [
    ./hardware.nix
    ./home-julien.nix
+    ./kanidm.nix
  ];

  machine.meta = {
--- a/machines/core-security/kanidm.nix
+++ b/machines/core-security/kanidm.nix
@ -0,0 +1,31 @@
+{ pkgs, config, ... }:
+let
+  certificate = config.security.acme.certs."auth.luj.fr";
+in
+{
+  services.kanidm = {
+    enableServer = true;
+    package = pkgs.kanidm_1_4;
+    serverSettings = rec {
+      domain = "auth.luj.fr";
+      origin = "https://${domain}";
+      bindaddress = "127.0.0.1:8443";
+      trust_x_forward_for = true;
+      tls_chain = "${certificate.directory}/fullchain.pem";
+      tls_key = "${certificate.directory}/key.pem";
+    };
+  };
+
+  environment.systemPackages = [ pkgs.kanidm_1_4 ];
+
+  users.users.kanidm.extraGroups = [ certificate.group ];
+
+  services.nginx.virtualHosts."auth.luj.fr" = {
+    enableACME = true;
+    forceSSL = true;
+    locations."/" = {
+      proxyPass = "https://127.0.0.1:8443";
+    };
+  };
+
+}