jml/nixos-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

even more backups of things

Browse source
This commit is contained in:
Jay Looney 2025-10-28 16:11:45 -05:00
parent b8d125d448
commit 630f9b0074
46 changed files with 1166 additions and 197 deletions
Download patch file Download diff file Expand all files Collapse all files

103
hosts/lithium/services/kanidm.nix
View file

@ -1,33 +1,91 @@
{ config, pkgs, lib, ... }:
{ inputs, config, pkgs, lib, ... }:
let
svcDomain = "id.${config.networking.domain}";
caddyCertsRoot = "${config.services.caddy.dataDir}/.local/share/caddy/certificates";
caddyCertsDir = "${caddyCertsRoot}/acme-v02.api.letsencrypt.org-directory";
certsDir = "/var/lib/kanidm/certs";
homelabDomain = inputs.nixos-secrets.homelabDomain;
svcDomain = "id.${homelabDomain}";
kanidmCertDir = "/var/lib/kanidm/certs";
caddyCertStore = "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${svcDomain}";
#kcertloc = "${caddyCertsStore}/${svcDomain}/";
certRenewalScript = pkgs.writeShellScript "copy-kanidm-cert-hook" ''
set -Eeuo pipefail
mkdir -p ${kanidmCertDir}
cp ${caddyCertStore}/${svcDomain}.crt ${kanidmCertDir}/cert.pem
cp ${caddyCertStore}/${svcDomain}.key ${kanidmCertDir}/key.pem
chown kanidm:kanidm ${kanidmCertDir}/*.pem
${pkgs.systemd}/bin/systemctl restart kanidm.service
'';
kanidmCertCopier = "kanidm-cert-copier";
in
{
# NOTE: Domains are serious when they are the root of identity/authnz.
# Recommendation from Kanidm docs for "Maximum" security is to maintain
# Both `example.com` and `id.example-auth.com`, the latter for idm infra exclusively.
# I consider that to be untenable and even more risky.
# The next recommendation is to follow a pattern like so
# id.example.com
# australia.id.example.com
# id-test.example.com
# australia.id-test.example.com
# Example of yoinking certs from caddy:
# https://github.com/marcusramberg/nix-config/blob/e558914dd3705150511c5ef76278fc50bb4604f3/nixos/kanidm.nix#L3
# TODO: If possible, consider specifying the cert location here instead of the following kludge.
services.caddy.virtualHosts."${svcDomain}".extraConfig = ''
reverse_proxy :8443 {
header_up Host {host}
header_up X-Real-IP {http.request.header.CF-Connecting-IP}
transport http {
tls_server_name ${svcDomain}
}
}
'';
# NOTE: Attempted kludge due to caddy generating (and therefore owning the certs)
# NOTE: Cleanup old rules
# systemd.tmpfiles.rules = lib.filter(rule: ! (lib.strings.hasPrefix "C ${kanidmCertDir}" rule)) config.systemd.tmpfiles.rules;
systemd.tmpfiles.rules = [
"d ${certsDir} 0750 kanidm caddy -"
"C ${certsDir}/cert.pem - kanidm - - ${caddyCertsDir}/${svcDomain}/${svcDomain}.crt"
"C ${certsDir}/key.key - kanidm - - ${caddyCertsDir}/${svcDomain}/${svcDomain}.key"
"d ${kanidmCertDir} 0750 kanidm kanidm -"
];
systemd.services.kanidm = {
after = [ "systemd-tmpfiles-setup.service" ];
requires = [ "caddy.service" "systemd-tmpfiles-setup.service" ];
# NOTE: Include automation for copying cert files on renewal.
# systemd.services.caddy.serviceConfig = {
# ExecStartPost = [
# "${certRenewalScript}/bin/copy-kanidm-cert-hook"
# ];
# ExecReload = [
# "${pkgs.caddy}/bin/caddy reload --config ${config.services.caddy.configFile}"
# "${certRenewalScript}/bin/copy-kanidm-cert-hook"
# ];
# };
systemd.services.${kanidmCertCopier} = {
description = "Copy Caddy certificates for Kanidm";
requires = [ "caddy.service" ];
after = [ "caddy.service" ];
serviceConfig = {
Type = "oneshot";
User = "root";
ExecStart = "${certRenewalScript}";
};
};
# systemd.services.caddy.wantedBy = [ "multi-user.target" ];
# systemd.services.caddy.wants = [ kanidmCertCopier ];
systemd.services.caddy.reloadTriggers = [ kanidmCertCopier ];
systemd.timers.kanidm-cert-copier-daily = {
wantedBy = [ "timers.target" ];
timerConfig = {
OnBootSec = "5min";
OnCalendar = "daily";
Unit = kanidmCertCopier;
};
};
# systemd.services.kanidm = {
# after = [ kanidmCertCopier ];
# requires = [ kanidmCertCopier ];
# };
users.users.kanidm.extraGroups = [
"caddy"
];
@ -43,21 +101,25 @@ in
};
};
services.kanidm = {
package = pkgs.kanidmWithSecretProvisioning;
package = pkgs.kanidmWithSecretProvisioning_1_7;
enableServer = true;
serverSettings = {
# NOTE: Required to start the server: https://kanidm.github.io/kanidm/stable/server_configuration.html
# domain, origin, tls_chain, tls_key
domain = svcDomain;
origin = "https://${svcDomain}";
tls_chain = "${certsDir}/cert.pem";
tls_key = "${certsDir}/key.key";
tls_chain = "${kanidmCertDir}/cert.pem";
tls_key = "${kanidmCertDir}/key.pem";
# tls_chain = "${caddyCertStore}/${svcDomain}.crt";
# tls_key = "${caddyCertStore}/${svcDomain}.key";
# NOTE: Optional Settings
# TODO: Configure the rest of the binding properly, should be 363 and maybe 8443
ldapbindaddress = "127.0.0.1:3636"; # For Jellyfin LDAP integration.
# trust_x_forwarded_for = true;
#trust_x_forwarded_for = true;
};
enableClient = true;
@ -74,6 +136,7 @@ in
home_alias = "name";
};
# TODO: Migrate the secrets from here to `nixos-secrets`
# NOTE: There are manual steps required as root to allow a user to set
# their own credentials, or to confiugre an account as posix. As-is this
# module doesn't support provisioning a complete user /w credentials.
@ -82,7 +145,9 @@ in
# https://kanidm.github.io/kanidm/stable/accounts/authentication_and_credentials.html#onboarding-a-new-person--resetting-credentials
provision = {
enable = true;
autoRemove = false;
autoRemove = true;
acceptInvalidCerts = true;
adminPasswordFile = config.sops.secrets."kanidm/admin-password".path;
idmAdminPasswordFile = config.sops.secrets."kanidm/idm-admin-password".path;
@ -98,6 +163,8 @@ in
"git.users"
"git.admins"
"tv.users"
"immich.users"
"miniflux.users"
];
};
};
@ -107,6 +174,8 @@ in
"git.admins" = {};
"tv.users" = {};
"tv.admins" = {};
"immich.users" = {};
"miniflux.users" = {};
};
};
};