add kanidm

systems/palatine-hill/kanidm.nix

@@ -0,0 +1,86 @@
+{
+  config,
+  pkgs,
+  ...
+}:
+let
+  domain = "nayeonie.com";
+  authDomain = "auth.${domain}";
+in
+{
+  services = {
+    kanidm = {
+      package = pkgs.kanidm_1_9.withSecretProvisioning;
+
+      server = {
+        enable = true;
+
+        settings = {
+          origin = "https://${authDomain}";
+          inherit domain;
+          bindaddress = "0.0.0.0:8443";
+          ldapbindaddress = "0.0.0.0:3890";
+          tls_chain = "/var/lib/acme/${domain}/fullchain.pem";
+          tls_key = "/var/lib/acme/${domain}/key.pem";
+          db_fs_type = "zfs";
+        };
+      };
+
+      # Reuse the existing secret during migration; rotate/rename in a follow-up.
+      provision = {
+        enable = true;
+        instanceUrl = "https://${authDomain}";
+        adminPasswordFile = config.sops.secrets."kanidm/admin_password".path;
+        idmAdminPasswordFile = config.sops.secrets."kanidm/admin_password".path;
+        acceptInvalidCerts = false;
+
+        groups = {
+          gitea-users = {
+            present = true;
+          };
+        };
+
+        persons = {
+          alice = {
+            displayName = "Alice";
+            present = true;
+            groups = [ "gitea-users" ];
+          };
+        };
+
+        systems.oauth2.gitea = {
+          present = true;
+          displayName = "Gitea";
+          public = false;
+          basicSecretFile = config.sops.secrets."kanidm/gitea_oidc_client_secret".path;
+          originUrl = "https://nayeonie.com/user/oauth2/kanidm/callback";
+          originLanding = "https://nayeonie.com/";
+          preferShortUsername = true;
+          scopeMaps = {
+            gitea-users = [
+              "openid"
+              "email"
+              "profile"
+            ];
+          };
+          claimMaps.groups.valuesByGroup = {
+            gitea-users = [ "gitea-users" ];
+          };
+        };
+      };
+    };
+  };
+
+  sops.secrets = {
+    "kanidm/admin_password".owner = "kanidm";
+    "kanidm/gitea_oidc_client_secret".owner = "kanidm";
+  };
+
+  # Certs are currently group-readable by haproxy for docker HAProxy.
+  users.users.kanidm.extraGroups = [ "haproxy" ];
+
+  networking.firewall.allowedTCPPorts = [
+    3890
+    8443
+  ];
+}