meow

2025-11-26 11:11:49 +01:00 · 2025-11-26 11:11:49 +01:00 · d74a131529
commit d74a131529
parent 0eb6953b0d
14 changed files with 259 additions and 67 deletions
--- a/modules/services/kanidm.nix
+++ b/modules/services/kanidm.nix
@ -0,0 +1,88 @@
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}:
+let
+  inherit (lib) mkEnableOption mkIf mkOption;
+  inherit (lib.types) str nullOr pathWith;
+  absPath = pathWith {
+    inStore = false;
+    absolute = true;
+  };
+  cfg = config.xyno.services.kanidm;
+in
+{
+  options.xyno.services.kanidm.enable = mkEnableOption "enables kanidm";
+  options.xyno.services.kanidm.domain = mkOption {
+    default = "idm.xyno.systems";
+    type = str;
+  };
+  options.xyno.services.kanidm.isReplica = mkEnableOption "replica";
+  options.xyno.services.kanidm.setupTraefik = mkEnableOption "traefik";
+
+  options.xyno.services.kanidm.tls = {
+    keyPem = mkOption {
+      type = nullOr absPath;
+      default = null;
+      description = "autogenerated if unset";
+    };
+    certPem = mkOption {
+      default = "/run/generated/kanidm-tls/cert.pem";
+      type = absPath;
+    };
+  };
+  config = mkIf cfg.enable {
+    services.kanidm = {
+      enableServer = true;
+      enableClient = true;
+      adminPasswordFile = config.sops.secrets."kanidm.password".path;
+      provision = {
+        adminPasswordFile = config.sops.secrets."kanidm.password".path;
+      };
+      serverSettings = {
+        tls_key = if cfg.tls.keyPem != null then cfg.tls.keyPem else "/run/generated/key.pem";
+        tls_chain = cfg.tls.certPem;
+        bindaddress = "127.0.0.3:8443";
+      };
+    };
+    xyno.services.traefik.simpleProxy = mkIf cfg.setupTraefik {
+      host = cfg.domain;
+      internal = "https://127.0.0.3:8443";
+      transport = "kanidm-https";
+    };
+    services.traefik.dynamicConfigOptions.http = mkIf cfg.setupTraefik {
+      serversTransports."kanidm-https" = {
+        serverName = cfg.domain;
+        certificates = [
+          cfg.certPem
+        ];
+      };
+    };
+
+    systemd.services.generate-kanidm-tls = mkIf (cfg.tls.keyPem == null) {
+      serviceConfig = {
+        User = "root";
+        Group = "kanidm";
+      };
+      wantedBy = [
+        "kanidm.service"
+        "traefik.service"
+      ];
+      script = ''
+        mkdir -p /run/generated/kanidm-tls
+        ${pkgs.openssl}/bin/openssl req -x509 -newkey ed25519 -noenc -subj "/CN=generated.${cfg.domain}" -addext "subjectAltName=DNS:${cfg.domain}" -keyout /run/generated/key.pem -out /run/generated/cert.pem
+      '';
+    };
+    sops.secrets."kanidm.password" = {
+      sopsFile = ../../instances/${config.networking.hostName}/secrets/kanidm.yaml;
+    };
+    # sops.templates."kanidm.env".content = ''
+    #   DESEC_TOKEN=${config.sops.placeholder.desec_token}
+    #   DESEC_PROPAGATION_TIMEOUT=1200
+    # '';
+    # sops.templates."kanidm.env".reloadUnits = [ "kanidm.service" ];
+
+  };
+}