ahuston-0/nix-dotfiles
1
0
Fork 0
Code Issues 1 Pull Requests 2 Actions 1 Packages Projects Releases Wiki Activity
Files
6a6f5a1e9d38f41ab81f0c31339ff27ed914a0a7
nix-dotfiles/systems/palatine-hill/kanidm.nix
ahuston-0 6a6f5a1e9d add kanidm
2026-05-02 12:59:11 -04:00

87 lines
2.1 KiB
Nix
Raw Blame History

{
config,
pkgs,
...
}:
let
domain = "nayeonie.com";
authDomain = "auth.${domain}";
in
{
services = {
kanidm = {
package = pkgs.kanidm_1_9.withSecretProvisioning;
server = {
enable = true;
settings = {
origin = "https://${authDomain}";
inherit domain;
bindaddress = "0.0.0.0:8443";
ldapbindaddress = "0.0.0.0:3890";
tls_chain = "/var/lib/acme/${domain}/fullchain.pem";
tls_key = "/var/lib/acme/${domain}/key.pem";
db_fs_type = "zfs";
};
};
# Reuse the existing secret during migration; rotate/rename in a follow-up.
provision = {
enable = true;
instanceUrl = "https://${authDomain}";
adminPasswordFile = config.sops.secrets."kanidm/admin_password".path;
idmAdminPasswordFile = config.sops.secrets."kanidm/admin_password".path;
acceptInvalidCerts = false;
groups = {
gitea-users = {
present = true;
};
};
persons = {
alice = {
displayName = "Alice";
present = true;
groups = [ "gitea-users" ];
};
};
systems.oauth2.gitea = {
present = true;
displayName = "Gitea";
public = false;
basicSecretFile = config.sops.secrets."kanidm/gitea_oidc_client_secret".path;
originUrl = "https://nayeonie.com/user/oauth2/kanidm/callback";
originLanding = "https://nayeonie.com/";
preferShortUsername = true;
scopeMaps = {
gitea-users = [
"openid"
"email"
"profile"
];
};
claimMaps.groups.valuesByGroup = {
gitea-users = [ "gitea-users" ];
};
};
};
};
};
sops.secrets = {
"kanidm/admin_password".owner = "kanidm";
"kanidm/gitea_oidc_client_secret".owner = "kanidm";
};
# Certs are currently group-readable by haproxy for docker HAProxy.
users.users.kanidm.extraGroups = [ "haproxy" ];
networking.firewall.allowedTCPPorts = [
3890
8443
];
}
Reference in New Issue View Git Blame Copy Permalink