path: root/modules/nixos/mixins/kanidm.nix
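{ config, lib, pkgs, ... }:

# Kanidm identity server behind nginx, sharing the domain's ACME certificate.
#
# The certificate is issued for `domain` (default: auth.<networking.domain>).
# Kanidm reads it directly (tls_chain/tls_key) and serves TLS itself; nginx
# proxies to that listener. Both services are put in one shared group so the
# certificate directory can be read by each of them.
let
  kanidmCfg = config.services.kanidm;

  # `domain` is the final merged option value, so an override made elsewhere
  # is picked up by the ACME cert, the vhost and the origin below.
  inherit (kanidmCfg.serverSettings) domain;
  certDirectory = config.security.acme.certs.${domain}.directory;
  # Group shared by Kanidm and nginx for access to the certificate files.
  # Used for the ACME cert ownership and both services' extraGroups so the
  # three places cannot drift apart.
  certGroup = config.users.groups.nginx-kanidm;
in

{
  config = lib.mkMerge [
    {
      services.kanidm = {
        package = pkgs.kanidm_1_5;

        # The local client talks to this host's own server unless overridden.
        clientSettings = {
          uri = lib.mkDefault kanidmCfg.serverSettings.origin;
        };

        serverSettings = {
          # Kanidm terminates TLS itself, straight from the ACME directory.
          tls_chain = certDirectory + "/fullchain.pem";
          tls_key = certDirectory + "/key.pem";
          # NOTE(review): evaluation fails if networking.domain is null and
          # `domain` is not set explicitly — one of the two must be provided.
          domain = lib.mkDefault ("auth." + config.networking.domain);
          origin = lib.mkDefault ("https://" + domain);

          online_backup = {
            versions = lib.mkDefault 7; # Keep a week's worth of backups
          };
        };
      };
    }

    (lib.mkIf kanidmCfg.enableServer {
      # Hand the certificate to the shared group (the same group Kanidm and
      # nginx are added to below).
      security.acme.certs.${domain} = {
        group = certGroup.name;
      };

      services.nginx.virtualHosts.${domain} = {
        # NOTE(review): no forceSSL/useACMEHost is set on this vhost here;
        # unless another module adds it, this proxy listens on plain HTTP
        # in front of an identity provider — confirm.
        locations."/" = {
          # Re-encrypt to Kanidm's own TLS listener. nginx does not verify the
          # upstream certificate unless proxy_ssl_verify is enabled; fine only
          # while bindaddress stays on a local interface — confirm.
          # NOTE(review): Kanidm records the proxy's address as the client
          # unless trust_x_forward_for is enabled and nginx sets
          # X-Forwarded-For — affects its audit logging; verify intent.
          proxyPass = "https://" + kanidmCfg.serverSettings.bindaddress;
        };
      };

      # Create a group for Kanidm and NGINX so they can share the domain's SSL certificate
      users = {
        groups.nginx-kanidm = { };

        users = {
          kanidm.extraGroups = [ certGroup.name ];
          ${config.services.nginx.user}.extraGroups = [ certGroup.name ];
        };
      };
    })
  ];
}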