From 932d1471109734be86a4aec6e313a0a9082bd219 Mon Sep 17 00:00:00 2001
From: Julien Malka
Date: Sat, 21 Dec 2024 10:38:58 +0100
Subject: [PATCH] feat(core-security): init kanidm
---
 lon.lock | 6 +++---
 machines/core-security/default.nix | 1 +
 machines/core-security/kanidm.nix | 31 ++++++++++++++++++++++++++++++
 3 files changed, 35 insertions(+), 3 deletions(-)
 create mode 100644 machines/core-security/kanidm.nix
diff --git a/lon.lock b/lon.lock
index eaa3b41..a4ef1f2 100644
--- a/lon.lock
+++ b/lon.lock
@@ -157,9 +157,9 @@
 "owner": "nixos",
 "repo": "nixpkgs",
 "branch": "nixos-24.11",
- "revision": "62c435d93bf046a5396f3016472e8f7c8e2aed65",
- "url": "https://github.com/nixos/nixpkgs/archive/62c435d93bf046a5396f3016472e8f7c8e2aed65.tar.gz",
- "hash": "sha256-F7thesZPvAMSwjRu0K8uFshTk3ZZSNAsXTIFvXBT+34="
+ "revision": "b47fd6fa00c6afca88b8ee46cfdb00e104f50bca",
+ "url": "https://github.com/nixos/nixpkgs/archive/b47fd6fa00c6afca88b8ee46cfdb00e104f50bca.tar.gz",
+ "hash": "sha256-nbG9TijTMcfr+au7ZVbKpAhMJzzE2nQBYmRvSdXUD8g="
 },
 "stateless-uptime-kuma": {
 "type": "Git",
diff --git a/machines/core-security/default.nix b/machines/core-security/default.nix
index b231d2e..42e9f83 100644
--- a/machines/core-security/default.nix
+++ b/machines/core-security/default.nix
@@ -11,6 +11,7 @@
 imports = [
 ./hardware.nix
 ./home-julien.nix
+ ./kanidm.nix
 ];
 machine.meta = {
diff --git a/machines/core-security/kanidm.nix b/machines/core-security/kanidm.nix
new file mode 100644
index 0000000..9b4521e
--- /dev/null
+++ b/machines/core-security/kanidm.nix
@@ -0,0 +1,31 @@
+{ pkgs, config, ... }:
+let
+ certificate = config.security.acme.certs."auth.luj.fr";
+in
+{
+ services.kanidm = {
+ enableServer = true;
+ package = pkgs.kanidm_1_4;
+ serverSettings = rec {
+ domain = "auth.luj.fr";
+ origin = "https://${domain}";
+ bindaddress = "127.0.0.1:8443";
+ trust_x_forward_for = true;
+ tls_chain = "${certificate.directory}/fullchain.pem";
+ tls_key = "${certificate.directory}/key.pem";
+ };
+ };
+
+ environment.systemPackages = [ pkgs.kanidm_1_4 ];
+
+ users.users.kanidm.extraGroups = [ certificate.group ];
+
+ services.nginx.virtualHosts."auth.luj.fr" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "https://127.0.0.1:8443";
+ };
+ };
+
+}
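Review bot: `trust_x_forward_for = true` in serverSettings makes Kanidm accept whatever X-Forwarded-For it receives, but the nginx location in the same hunk only sets `proxyPass` and never overwrites that header, so unless `services.nginx.recommendedProxySettings` is enabled elsewhere on this host a client can supply its own X-Forwarded-For and have a spoofed source address recorded in Kanidm's audit log (and, if this version rate-limits by IP, evade that too). Set the header from the proxy explicitly, e.g. `locations."/".extraConfig = "proxy_set_header X-Forwarded-For $remote_addr;";` (`$remote_addr` overwrites rather than appends, so nothing client-supplied survives). Separately, as far as I know Kanidm loads tls_chain/tls_key only at startup, so after an ACME renewal it would keep serving the old chain until restarted; `security.acme.certs."auth.luj.fr".reloadServices = [ "kanidm.service" ];` ties the renewal to a restart. It may also be worth ordering `kanidm.service` after the ACME finished target for this certificate so a fresh host does not start Kanidm before the key and chain files exist — worth confirming against the module's defaults.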