diff options
Diffstat (limited to 'modules/nixos')
| -rw-r--r-- | modules/nixos/mixins/kanidm.nix | 23 |
1 files changed, 20 insertions, 3 deletions
diff --git a/modules/nixos/mixins/kanidm.nix b/modules/nixos/mixins/kanidm.nix index 46d43b3..c7fa9c9 100644 --- a/modules/nixos/mixins/kanidm.nix +++ b/modules/nixos/mixins/kanidm.nix @@ -2,7 +2,10 @@ let kanidmCfg = config.services.kanidm; - certDirectory = config.security.acme.certs.${kanidmCfg.serverSettings.domain}.directory; + + inherit (kanidmCfg.serverSettings) domain; + certDirectory = config.security.acme.certs.${domain}.directory; + certGroup = config.users.groups.nginx-kanidm; in { @@ -17,7 +20,7 @@ in tls_chain = certDirectory + "/fullchain.pem"; tls_key = certDirectory + "/key.pem"; domain = lib.mkDefault ("auth." + config.networking.domain); - origin = lib.mkDefault ("https://" + config.services.kanidm.serverSettings.domain); + origin = lib.mkDefault ("https://" + domain); online_backup = { versions = lib.mkDefault 7; # Keep a week's worth of backups @@ -27,11 +30,25 @@ in } (lib.mkIf kanidmCfg.enableServer { - services.nginx.virtualHosts.${kanidmCfg.serverSettings.domain} = { + security.acme.certs.${domain} = { + group = config.users.groups.nginx-kanidm.name; + }; + + services.nginx.virtualHosts.${domain} = { locations."/" = { proxyPass = "https://" + kanidmCfg.serverSettings.bindaddress; }; }; + + # Create a group for Kanidm and NGINX so they can share the domain's SSL certificate + users = { + groups.nginx-kanidm = { }; + + users = { + kanidm.extraGroups = [ certGroup.name ]; + ${config.services.nginx.user}.extraGroups = [ certGroup.name ]; + }; + }; }) ]; } |