feat(router0-dmz0, sj-srv1/containers/webserver): set up kanidm
This commit is contained in:
parent
7f97ee3d47
commit
4c71887ea6
7 changed files with 181 additions and 13 deletions
|
|
@ -17,16 +17,19 @@ in {
|
|||
lib,
|
||||
repoFlake,
|
||||
nodeFlake,
|
||||
system,
|
||||
...
|
||||
}: {
|
||||
system.stateVersion = "22.05"; # Did you read the comment?
|
||||
|
||||
disabledModules = [
|
||||
"services/misc/forgejo.nix"
|
||||
"services/security/kanidm.nix"
|
||||
];
|
||||
|
||||
imports = [
|
||||
"${nodeFlake.inputs.nixpkgs-unstable}/nixos/modules/services/misc/forgejo.nix"
|
||||
"${repoFlake.inputs.nixpkgs-kanidm}/nixos/modules/services/security/kanidm.nix"
|
||||
|
||||
../profiles/containers/configuration.nix
|
||||
|
||||
|
|
@ -90,6 +93,16 @@ in {
|
|||
reverse_proxy http://127.0.0.1:${builtins.toString config.services.forgejo.settings.server.HTTP_PORT}
|
||||
'';
|
||||
};
|
||||
|
||||
virtualHosts."kanidm.${domain}" = {
|
||||
extraConfig = ''
|
||||
reverse_proxy https://${builtins.toString config.services.kanidm.serverSettings.bindaddress} {
|
||||
transport http {
|
||||
tls_server_name ${config.services.kanidm.serverSettings.domain}
|
||||
}
|
||||
}
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
services.hedgedoc = {
|
||||
|
|
@ -116,12 +129,34 @@ in {
|
|||
url = "ldap://127.0.0.1:${builtins.toString config.services.lldap.settings.ldap_port}";
|
||||
bindDn = "uid=admin,ou=people,dc=stefanjunker,dc=de";
|
||||
# these are set via the `environmentFile`
|
||||
bindCredentials = "$LDAP_ADMIN_PASSWORD";
|
||||
# bindCredentials = "$LDAP_ADMIN_PASSWORD";
|
||||
searchBase = "ou=people,dc=stefanjunker,dc=de";
|
||||
searchFilter = "(&(memberOf=cn=hedgedoc,ou=groups,dc=stefanjunker,dc=de)(uid={{username}}))";
|
||||
useridField = "uid";
|
||||
};
|
||||
|
||||
oauth2 = let
|
||||
originURL = config.services.kanidm.serverSettings.origin;
|
||||
in {
|
||||
providerName = "kanidm (${originURL})";
|
||||
|
||||
authorizationURL = "${originURL}/ui/oauth2";
|
||||
tokenURL = "${originURL}/oauth2/token";
|
||||
userProfileURL = "${originURL}/oauth2/openid/hedgedoc/userinfo";
|
||||
|
||||
scope = "openid email profile";
|
||||
# rolesClaim = "roles";
|
||||
# accessRole = "role/hedgedoc";
|
||||
|
||||
userProfileUsernameAttr = "name";
|
||||
userProfileDisplayNameAttr = "displayname";
|
||||
userProfileEmailAttr = "email";
|
||||
|
||||
clientID = "hedgedoc";
|
||||
# set via the `environmentFile`
|
||||
# clientSecret = "$CMD_OAUTH2_CLIENT_SECRET";
|
||||
};
|
||||
|
||||
uploadsPath = "/var/lib/hedgedoc/uploads";
|
||||
};
|
||||
|
||||
|
|
@ -268,6 +303,108 @@ in {
|
|||
systemd.services.lldap.serviceConfig.User = config.users.users.lldap.name;
|
||||
systemd.services.lldap.serviceConfig.Group = config.users.groups.lldap.name;
|
||||
systemd.services.lldap.serviceConfig.DynamicUser = lib.mkForce false;
|
||||
|
||||
# combine a path watcher with a service that transfers the certs by caddy to kanidm
|
||||
systemd.paths.kanidm-tls-watch = {
|
||||
enable = true;
|
||||
requiredBy = ["kanidm.service"];
|
||||
pathConfig = {
|
||||
PathChanged = [
|
||||
"${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.key"
|
||||
"${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.crt"
|
||||
];
|
||||
Unit = "kanidm-tls-update.service";
|
||||
};
|
||||
};
|
||||
systemd.services.kanidm-tls-update = let
|
||||
dbDir =
|
||||
builtins.dirOf
|
||||
config.services.kanidm.serverSettings.db_path;
|
||||
in {
|
||||
enable = true;
|
||||
requiredBy = ["kanidm.service"];
|
||||
unitConfig = {
|
||||
# ConditionPathExists = [
|
||||
# "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.key"
|
||||
# "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.crt"
|
||||
# ];
|
||||
};
|
||||
serviceConfig.Type = "oneshot";
|
||||
script = let
|
||||
tlsDir = builtins.dirOf config.services.kanidm.serverSettings.tls_key;
|
||||
in ''
|
||||
set -xe
|
||||
|
||||
cat "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.key" > tls.key
|
||||
cat "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.crt" > tls.chain
|
||||
|
||||
chown ${config.systemd.services.kanidm.serviceConfig.User}:${config.systemd.services.kanidm.serviceConfig.Group} tls.{key,chain}
|
||||
chmod 400 tls.{key,chain}
|
||||
|
||||
# create the kanidm directory in case it's missing
|
||||
if [[ ! -d ${tlsDir} ]]; then
|
||||
mkdir -p ${tlsDir}
|
||||
chown -R ${config.systemd.services.kanidm.serviceConfig.User}:${config.systemd.services.kanidm.serviceConfig.Group} ${tlsDir}
|
||||
chmod 700 ${tlsDir}
|
||||
fi
|
||||
|
||||
mv tls.key ${config.services.kanidm.serverSettings.tls_key}
|
||||
mv tls.chain ${config.services.kanidm.serverSettings.tls_chain}
|
||||
|
||||
if [[ ! -d ${dbDir} ]]; then
|
||||
mkdir -p ${dbDir}
|
||||
chown -R ${config.systemd.services.kanidm.serviceConfig.User}:${config.systemd.services.kanidm.serviceConfig.Group} ${dbDir}
|
||||
chmod 700 ${dbDir}
|
||||
fi
|
||||
'';
|
||||
};
|
||||
|
||||
systemd.services.kanidm.serviceConfig = let
|
||||
dbDir =
|
||||
builtins.dirOf
|
||||
config.services.kanidm.serverSettings.db_path;
|
||||
# stateDir = "/var/lib/${config.systemd.services.kanidm.serviceConfig.StateDirectory}";
|
||||
in {
|
||||
# ExecStartPre = ''
|
||||
# mkdir -p ${dbDir}
|
||||
# '';
|
||||
BindPaths = [
|
||||
dbDir
|
||||
# stateDir
|
||||
];
|
||||
};
|
||||
|
||||
services.kanidm = let
|
||||
dataDir = "/var/lib/kanidm";
|
||||
in {
|
||||
package = repoFlake.inputs.nixpkgs-kanidm.legacyPackages.${pkgs.system}.kanidm;
|
||||
|
||||
enablePam = false;
|
||||
enableClient = false;
|
||||
|
||||
enableServer = true;
|
||||
serverSettings = {
|
||||
role = "WriteReplica";
|
||||
log_level = "debug";
|
||||
|
||||
domain = "kanidm.${domain}";
|
||||
origin = "https://kanidm.${domain}";
|
||||
|
||||
db_path = "${dataDir}/db/kanidm.db";
|
||||
|
||||
bindaddress = "127.0.0.1:8444";
|
||||
|
||||
# don't expose ldap
|
||||
# ldapbindaddress = "[::1]:6636";
|
||||
|
||||
tls_key = "${dataDir}/tls/tls.key";
|
||||
tls_chain = "${dataDir}/tls/tls.chain";
|
||||
|
||||
online_backup = {
|
||||
schedule = "00 06 * * *";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
inherit autoStart;
|
||||
|
|
@ -306,6 +443,11 @@ in {
|
|||
hostPath = "/var/lib/container-volumes/webserver/var-lib-forgejo";
|
||||
isReadOnly = false;
|
||||
};
|
||||
|
||||
"/var/lib/kanidm" = {
|
||||
hostPath = "/var/lib/container-volumes/webserver/var-lib-kanidm";
|
||||
isReadOnly = false;
|
||||
};
|
||||
};
|
||||
|
||||
privateNetwork = true;
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue