| author | Seth Flynn <[email protected]> | 2025-02-08 22:48:38 -0500 |
|---|---|---|
| committer | Seth Flynn <[email protected]> | 2025-02-08 22:54:39 -0500 |
| commit | 453b25d097f07427be6f7e45fd7bad4ef9fc45b2 (patch) | |
| tree | 079eab04c2efc8d36cfcbcde64b03e9078d8ca2b /modules | |
| parent | c168f8427c86336f143b04c65a06a7d12aa62631 (diff) | |
nixos/kanidm: init
Diffstat (limited to 'modules')
| -rw-r--r-- | modules/nixos/mixins/default.nix | 1 | ||||
| -rw-r--r-- | modules/nixos/mixins/kanidm.nix | 37 |
2 files changed, 38 insertions, 0 deletions
diff --git a/modules/nixos/mixins/default.nix b/modules/nixos/mixins/default.nix
index 63a72d7..72bc296 100644
--- a/modules/nixos/mixins/default.nix
+++ b/modules/nixos/mixins/default.nix
@@ -3,6 +3,7 @@
 ./acme.nix
 ./forgejo.nix
 ./hercules.nix
+ ./kanidm.nix
 ./nginx.nix
 ./promtail.nix
 ];
diff --git a/modules/nixos/mixins/kanidm.nix b/modules/nixos/mixins/kanidm.nix
new file mode 100644
index 0000000..09730e0
--- /dev/null
+++ b/modules/nixos/mixins/kanidm.nix
@@ -0,0 +1,37 @@
+{ config, lib, ... }:
+
+let
+ kanidmCfg = config.services.kanidm;
+ certDirectory = config.security.acme.certs.${kanidmCfg.serverSettings.domain}.directory;
+in
+
+{
+ config = lib.mkMerge [
+ {
+ services.kanidm = {
+ clientSettings = {
+ uri = lib.mkDefault kanidmCfg.serverSettings.origin;
+ };
+
+ serverSettings = {
+ tls_chain = certDirectory + "/fullchain.pem";
+ tls_key = certDirectory + "/key.pem";
+ domain = lib.mkDefault ("auth." + config.networking.domain);
+ origin = lib.mkDefault ("https://" + config.services.kanidm.serverSettings.domain);
+
+ online_backups = {
+ versions = lib.mkDefault 7; # Keep a week's worth of backups
+ };
+ };
+ };
+ }
+
+ (lib.mkIf kanidmCfg.enableServer {
+ services.nginx.virtualHosts.${kanidmCfg.serverSettings.domain} = {
+ locations."/" = {
+ proxyPass = kanidmCfg.serverSettings.bindaddress;
+ };
+ };
+ })
+ ];
+}
|
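Review bot: The nginx location at the end of the new kanidm.nix sets `proxyPass = kanidmCfg.serverSettings.bindaddress;`, but that option holds a bare `address:port` pair while nginx's proxy_pass expects a URL with a scheme. Because kanidm serves TLS on that socket, the line should read `proxyPass = "https://" + kanidmCfg.serverSettings.bindaddress;`. Separately, `tls_key` points into the ACME certificate directory, and nothing visible in this file declares the certificate for that domain or gives the kanidm service user read access to the private key. If another mixin does not already cover this, set `security.acme.certs.<domain>.group` to a group the kanidm user belongs to, rather than loosening the key's mode. The vhost also sets no TLS options of its own, so it presumably relies on defaults from the nginx mixin; that is worth confirming for an identity provider endpoint.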
