systems/palatine-hill/kanidm.nix

{
  config,
  pkgs,
  ...
}:
let
  domain = "nayeonie.com";
  authDomain = "auth.${domain}";
in
{
  services = {
    kanidm = {
      package = pkgs.kanidm_1_9.withSecretProvisioning;

      server = {
        enable = true;

        settings = {
          origin = "https://${authDomain}";
          inherit domain;
          bindaddress = "0.0.0.0:8443";
          ldapbindaddress = "0.0.0.0:3890";
          tls_chain = "/var/lib/acme/${domain}/fullchain.pem";
          tls_key = "/var/lib/acme/${domain}/key.pem";
          db_fs_type = "zfs";
        };
      };

      # Reuse the existing secret during migration; rotate/rename in a follow-up.
      provision = {
        enable = true;
        instanceUrl = "https://${authDomain}";
        adminPasswordFile = config.sops.secrets."kanidm/admin_password".path;
        idmAdminPasswordFile = config.sops.secrets."kanidm/admin_password".path;
        acceptInvalidCerts = false;

        groups = {
          gitea-users = {
            present = true;
          };
        };

        persons = {
          alice = {
            displayName = "Alice";
            present = true;
            groups = [ "gitea-users" ];
          };
        };

        systems.oauth2.gitea = {
          present = true;
          displayName = "Gitea";
          public = false;
          basicSecretFile = config.sops.secrets."kanidm/gitea_oidc_client_secret".path;
          originUrl = "https://nayeonie.com/user/oauth2/kanidm/callback";
          originLanding = "https://nayeonie.com/";
          preferShortUsername = true;
          scopeMaps = {
            gitea-users = [
              "openid"
              "email"
              "profile"
            ];
          };
          claimMaps.groups.valuesByGroup = {
            gitea-users = [ "gitea-users" ];
          };
        };
      };
    };
  };

  sops.secrets = {
    "kanidm/admin_password".owner = "kanidm";
    "kanidm/gitea_oidc_client_secret".owner = "kanidm";
  };

  # Certs are currently group-readable by haproxy for docker HAProxy.
  users.users.kanidm.extraGroups = [ "haproxy" ];

  networking.firewall.allowedTCPPorts = [
    3890
    8443
  ];
}
add kanidm 2026-05-02 12:52:47 -04:00			`{`
			`config,`
			`pkgs,`
			`...`
			`}:`
			`let`
			`domain = "nayeonie.com";`
			`authDomain = "auth.${domain}";`
			`in`
			`{`
			`services = {`
			`kanidm = {`
			`package = pkgs.kanidm_1_9.withSecretProvisioning;`

			`server = {`
			`enable = true;`

			`settings = {`
			`origin = "https://${authDomain}";`
			`inherit domain;`
			`bindaddress = "0.0.0.0:8443";`
			`ldapbindaddress = "0.0.0.0:3890";`
			`tls_chain = "/var/lib/acme/${domain}/fullchain.pem";`
			`tls_key = "/var/lib/acme/${domain}/key.pem";`
			`db_fs_type = "zfs";`
			`};`
			`};`

			`# Reuse the existing secret during migration; rotate/rename in a follow-up.`
			`provision = {`
			`enable = true;`
			`instanceUrl = "https://${authDomain}";`
			`adminPasswordFile = config.sops.secrets."kanidm/admin_password".path;`
			`idmAdminPasswordFile = config.sops.secrets."kanidm/admin_password".path;`
			`acceptInvalidCerts = false;`

			`groups = {`
			`gitea-users = {`
			`present = true;`
			`};`
			`};`

			`persons = {`
			`alice = {`
			`displayName = "Alice";`
			`present = true;`
			`groups = [ "gitea-users" ];`
			`};`
			`};`

			`systems.oauth2.gitea = {`
			`present = true;`
			`displayName = "Gitea";`
			`public = false;`
			`basicSecretFile = config.sops.secrets."kanidm/gitea_oidc_client_secret".path;`
			`originUrl = "https://nayeonie.com/user/oauth2/kanidm/callback";`
			`originLanding = "https://nayeonie.com/";`
			`preferShortUsername = true;`
			`scopeMaps = {`
			`gitea-users = [`
			`"openid"`
			`"email"`
			`"profile"`
			`];`
			`};`
			`claimMaps.groups.valuesByGroup = {`
			`gitea-users = [ "gitea-users" ];`
			`};`
			`};`
			`};`
			`};`
			`};`

			`sops.secrets = {`
			`"kanidm/admin_password".owner = "kanidm";`
			`"kanidm/gitea_oidc_client_secret".owner = "kanidm";`
			`};`

			`# Certs are currently group-readable by haproxy for docker HAProxy.`
			`users.users.kanidm.extraGroups = [ "haproxy" ];`

			`networking.firewall.allowedTCPPorts = [`
			`3890`
			`8443`
			`];`
			`}`