feat(core-security): init kanidm

lon.lock

@@ -157,9 +157,9 @@
       "owner": "nixos",
       "repo": "nixpkgs",
       "branch": "nixos-24.11",
-      "revision": "62c435d93bf046a5396f3016472e8f7c8e2aed65",
+      "revision": "b47fd6fa00c6afca88b8ee46cfdb00e104f50bca",
-      "url": "https://github.com/nixos/nixpkgs/archive/62c435d93bf046a5396f3016472e8f7c8e2aed65.tar.gz",
+      "url": "https://github.com/nixos/nixpkgs/archive/b47fd6fa00c6afca88b8ee46cfdb00e104f50bca.tar.gz",
-      "hash": "sha256-F7thesZPvAMSwjRu0K8uFshTk3ZZSNAsXTIFvXBT+34="
+      "hash": "sha256-nbG9TijTMcfr+au7ZVbKpAhMJzzE2nQBYmRvSdXUD8g="
     },
     "stateless-uptime-kuma": {
       "type": "Git",

machines/core-security/default.nix

@@ -11,6 +11,7 @@
   imports = [
     ./hardware.nix
     ./home-julien.nix
+    ./kanidm.nix
   ];
 
   machine.meta = {

machines/core-security/kanidm.nix

@@ -0,0 +1,31 @@
+{ pkgs, config, ... }:
+let
+  certificate = config.security.acme.certs."auth.luj.fr";
+in
+{
+  services.kanidm = {
+    enableServer = true;
+    package = pkgs.kanidm_1_4;
+    serverSettings = rec {
+      domain = "auth.luj.fr";
+      origin = "https://${domain}";
+      bindaddress = "127.0.0.1:8443";
+      trust_x_forward_for = true;
+      tls_chain = "${certificate.directory}/fullchain.pem";
+      tls_key = "${certificate.directory}/key.pem";
+    };
+  };
+
+  environment.systemPackages = [ pkgs.kanidm_1_4 ];
+
+  users.users.kanidm.extraGroups = [ certificate.group ];
+
+  services.nginx.virtualHosts."auth.luj.fr" = {
+    enableACME = true;
+    forceSSL = true;
+    locations."/" = {
+      proxyPass = "https://127.0.0.1:8443";
+    };
+  };
+
+}