add kanidm

systems/palatine-hill/haproxy/auth.nix

@@ -0,0 +1,38 @@
+# HAProxy routing stubs for Kanidm.
+# These are ADDITIVE fragments — merge into your main haproxy config.
+# Assumes:
+#   - HAProxy terminates TLS using the acme-nayeonie.com certificate
+#   - Kanidm HTTPS listens on [::1]:8443
+#   - Kanidm LDAP compat listens on [::1]:3890
+#   - ACL-based routing by SNI / Host header
+#
+# In your main frontend (or add a dedicated one):
+#
+#   acl host_kanidm hdr(host) -i auth.nayeonie.com   # internal/admin only
+#
+#   use_backend kanidm if host_kanidm
+#
+# --- Kanidm backend ---
+#
+# backend kanidm
+#   mode http
+#   option forwardfor
+#   http-request set-header X-Forwarded-Proto https
+#   http-request set-header X-Forwarded-Host %[req.hdr(host)]
+#   acl internal src 192.168.76.0/24 192.168.191.0/24
+#   http-request deny unless internal
+#   server kanidm [::1]:8443 ssl verify none check
+#
+# --- Forward-auth pattern for protecting other backends with Kanidm ---
+#
+# To protect an existing backend with Kanidm OIDC, add oauth2-proxy.
+# The simplest
+# path for HAProxy is:
+#
+#   1. Deploy oauth2-proxy (services.oauth2-proxy) configured against
+#      Kanidm as OIDC provider (issuer https://auth.nayeonie.com).
+#   2. In HAProxy frontend, redirect unauthenticated requests to
+#      oauth2-proxy before forwarding to the real backend.
+#
+# This is left as a follow-up — get Kanidm running first.
+{ ... }: { }