| author | Seth Flynn <[email protected]> | 2025-02-08 23:52:50 -0500 |
|---|---|---|
| committer | Seth Flynn <[email protected]> | 2025-02-08 23:52:50 -0500 |
| commit | 03d50cd4f295f7db9f7aac99c7810a143d1a517a (patch) | |
| tree | 8c82c52a3ef877667043259dc57ac94e781e9142 | |
| parent | 7d80d22861366d4c935d6a8678eabd66eb70f77b (diff) | |
nixos/kanidm: share ssl cert with nginx
| -rw-r--r-- | modules/nixos/mixins/kanidm.nix | 23 |
1 files changed, 20 insertions, 3 deletions
diff --git a/modules/nixos/mixins/kanidm.nix b/modules/nixos/mixins/kanidm.nix
index 46d43b3..c7fa9c9 100644
--- a/modules/nixos/mixins/kanidm.nix
+++ b/modules/nixos/mixins/kanidm.nix
@@ -2,7 +2,10 @@
 let
 kanidmCfg = config.services.kanidm;
- certDirectory = config.security.acme.certs.${kanidmCfg.serverSettings.domain}.directory;
+
+ inherit (kanidmCfg.serverSettings) domain;
+ certDirectory = config.security.acme.certs.${domain}.directory;
+ certGroup = config.users.groups.nginx-kanidm;
 in
 {
@@ -17,7 +20,7 @@ in
 tls_chain = certDirectory + "/fullchain.pem";
 tls_key = certDirectory + "/key.pem";
 domain = lib.mkDefault ("auth." + config.networking.domain);
- origin = lib.mkDefault ("https://" + config.services.kanidm.serverSettings.domain);
+ origin = lib.mkDefault ("https://" + domain);
 online_backup = {
 versions = lib.mkDefault 7; # Keep a week's worth of backups
@@ -27,11 +30,25 @@ in
 }
 (lib.mkIf kanidmCfg.enableServer {
- services.nginx.virtualHosts.${kanidmCfg.serverSettings.domain} = {
+ security.acme.certs.${domain} = {
+ group = config.users.groups.nginx-kanidm.name;
+ };
+
+ services.nginx.virtualHosts.${domain} = {
 locations."/" = {
 proxyPass = "https://" + kanidmCfg.serverSettings.bindaddress;
 };
 };
+
+ # Create a group for Kanidm and NGINX so they can share the domain's SSL certificate
+ users = {
+ groups.nginx-kanidm = { };
+
+ users = {
+ kanidm.extraGroups = [ certGroup.name ];
+ ${config.services.nginx.user}.extraGroups = [ certGroup.name ];
+ };
+ };
 })
 ];
 } |
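Review bot: The new `security.acme.certs.${domain}` block in the last hunk grants kanidm read access to the private key through the `nginx-kanidm` group but sets no `reloadServices`, so after an ACME renewal kanidm, which loads `tls_chain`/`tls_key` from `certDirectory` and as far as I can tell only re-reads them on start, would keep serving the old chain until something restarts it. Adding `reloadServices = [ "kanidm.service" ];` beside `group` closes that gap (assuming the unit name matches the NixOS kanidm module). Style: the same block spells the group as `config.users.groups.nginx-kanidm.name` while the `users` block below uses the `certGroup` binding introduced in the first hunk; `group = certGroup.name;` keeps the three references consistent. Since this commit widens read access to `key.pem` from one system user to two, a short comment above the acme block stating why that is acceptable (both services presumably terminate TLS for the same hostname, though the nginx TLS settings for this vhost are not visible here) would help a later reviewer; the list this `mkIf` element belongs to opens before the hunk.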
