Flake
parent
c7e033e1d6
commit
30cddbdc37
2 changed files with 50 additions and 40 deletions
|
@ -265,8 +265,11 @@
|
||||||
};
|
};
|
||||||
|
|
||||||
nixosConfigurations = {
|
nixosConfigurations = {
|
||||||
beefcake = nixpkgs.lib.nixosSystem {
|
beefcake = let
|
||||||
system = "x86_64-linux";
|
system = "x86_64-linux";
|
||||||
|
in
|
||||||
|
nixpkgs.lib.nixosSystem {
|
||||||
|
inherit system;
|
||||||
modules = with nixosModules; [
|
modules = with nixosModules; [
|
||||||
home-manager-defaults
|
home-manager-defaults
|
||||||
|
|
||||||
|
@ -294,6 +297,10 @@
|
||||||
fonts
|
fonts
|
||||||
|
|
||||||
./nixos/beefcake.nix
|
./nixos/beefcake.nix
|
||||||
|
|
||||||
|
{
|
||||||
|
services.kanidm.package = (unstable.pkgsFor system).kanidm;
|
||||||
|
}
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
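Review bot: The inline module added at the end of the `beefcake` module list sets `services.kanidm.package` to a build from the `unstable` input without recording why, and it is the only anonymous entry in an otherwise named list, so a later bump of `unstable` silently changes the version of the identity provider. A one-line comment above it would carry the intent, e.g. `# kanidm from the unstable input: <reason>; the beefcake units read it back through config.services.kanidm.package`. `unstable.pkgsFor` looks like a helper defined elsewhere in the flake; if it instantiates nixpkgs with a different `config` than the system's own `pkgs`, that is worth stating in the same comment. The `nixosConfigurations` attribute set continues outside the hunk.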
@ -1250,10 +1250,13 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
|
||||||
port
|
port
|
||||||
];
|
];
|
||||||
})
|
})
|
||||||
({options, ...}: let
|
({
|
||||||
/*
|
config,
|
||||||
|
options,
|
||||||
|
...
|
||||||
|
}: let
|
||||||
toml = pkgs.formats.toml {};
|
toml = pkgs.formats.toml {};
|
||||||
package = pkgs.kanidm;
|
kanidm-package = config.services.kanidm.package;
|
||||||
domain = "idm.h.lyte.dev";
|
domain = "idm.h.lyte.dev";
|
||||||
name = "kanidm";
|
name = "kanidm";
|
||||||
storage = "/storage/${name}";
|
storage = "/storage/${name}";
|
||||||
|
@ -1332,12 +1335,12 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
|
||||||
# Does not work well with the temporary root
|
# Does not work well with the temporary root
|
||||||
#UMask = "0066";
|
#UMask = "0066";
|
||||||
};
|
};
|
||||||
*/
|
|
||||||
in {
|
in {
|
||||||
# kanidm
|
# kanidm
|
||||||
/*
|
|
||||||
config = {
|
config = {
|
||||||
# we need a mechanism to get the certificates that caddy provisions for us
|
# reload certs from caddy every 5 minutes
|
||||||
|
# TODO: ideally some kind of file watcher service would make way more sense here?
|
||||||
|
# or we could simply setup the permissions properly somehow?
|
||||||
systemd.timers."copy-kanidm-certificates-from-caddy" = {
|
systemd.timers."copy-kanidm-certificates-from-caddy" = {
|
||||||
wantedBy = ["timers.target"];
|
wantedBy = ["timers.target"];
|
||||||
timerConfig = {
|
timerConfig = {
|
||||||
|
@ -1348,8 +1351,10 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
|
||||||
};
|
};
|
||||||
|
|
||||||
systemd.services."copy-kanidm-certificates-from-caddy" = {
|
systemd.services."copy-kanidm-certificates-from-caddy" = {
|
||||||
|
# get the certificates that caddy provisions for us
|
||||||
script = ''
|
script = ''
|
||||||
umask 077
|
umask 077
|
||||||
|
# this line should be unnecessary now that we have this in tmpfiles
|
||||||
install -d -m 0700 -o "${user}" -g "${group}" "${storage}/data" "${storage}/certs"
|
install -d -m 0700 -o "${user}" -g "${group}" "${storage}/data" "${storage}/certs"
|
||||||
cd /var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/idm.h.lyte.dev
|
cd /var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/idm.h.lyte.dev
|
||||||
install -m 0700 -o "${user}" -g "${group}" idm.h.lyte.dev.key idm.h.lyte.dev.crt "${storage}/certs"
|
install -m 0700 -o "${user}" -g "${group}" idm.h.lyte.dev.key idm.h.lyte.dev.crt "${storage}/certs"
|
||||||
|
@ -1361,9 +1366,8 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
environment.systemPackages = [package];
|
environment.systemPackages = [kanidm-package];
|
||||||
|
|
||||||
# TODO: should I use this for /storage/kanidm/certs etc.?
|
|
||||||
systemd.tmpfiles.settings."10-kanidm" = {
|
systemd.tmpfiles.settings."10-kanidm" = {
|
||||||
"${serverSettings.online_backup.path}".d = {
|
"${serverSettings.online_backup.path}".d = {
|
||||||
inherit user group;
|
inherit user group;
|
||||||
|
@ -1393,7 +1397,7 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
|
||||||
inherit group;
|
inherit group;
|
||||||
description = "kanidm server";
|
description = "kanidm server";
|
||||||
isSystemUser = true;
|
isSystemUser = true;
|
||||||
packages = [package];
|
packages = [kanidm-package];
|
||||||
};
|
};
|
||||||
users.users."${user}-unixd" = {
|
users.users."${user}-unixd" = {
|
||||||
group = "${group}-unixd";
|
group = "${group}-unixd";
|
||||||
|
@ -1405,7 +1409,7 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
|
||||||
# loosely based off it
|
# loosely based off it
|
||||||
systemd.services.kanidm = {
|
systemd.services.kanidm = {
|
||||||
enable = true;
|
enable = true;
|
||||||
path = with pkgs; [openssl] ++ [package];
|
path = with pkgs; [openssl] ++ [kanidm-package];
|
||||||
description = "kanidm identity management daemon";
|
description = "kanidm identity management daemon";
|
||||||
wantedBy = ["multi-user.target"];
|
wantedBy = ["multi-user.target"];
|
||||||
after = ["network.target"];
|
after = ["network.target"];
|
||||||
|
@ -1414,7 +1418,7 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
|
||||||
pwd
|
pwd
|
||||||
ls -la
|
ls -la
|
||||||
ls -laR /storage/kanidm
|
ls -laR /storage/kanidm
|
||||||
${package}/bin/kanidmd server -c ${serverConfigFile}
|
${kanidm-package}/bin/kanidmd server -c ${serverConfigFile}
|
||||||
'';
|
'';
|
||||||
# environment.RUST_LOG = serverSettings.log_level;
|
# environment.RUST_LOG = serverSettings.log_level;
|
||||||
serviceConfig = lib.mkMerge [
|
serviceConfig = lib.mkMerge [
|
||||||
|
@ -1459,7 +1463,7 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
|
||||||
CacheDirectory = "${name}-unixd";
|
CacheDirectory = "${name}-unixd";
|
||||||
CacheDirectoryMode = "0700";
|
CacheDirectoryMode = "0700";
|
||||||
RuntimeDirectory = "${name}-unixd";
|
RuntimeDirectory = "${name}-unixd";
|
||||||
ExecStart = "${package}/bin/kanidm_unixd";
|
ExecStart = "${kanidm-package}/bin/kanidm_unixd";
|
||||||
User = "${user}-unixd";
|
User = "${user}-unixd";
|
||||||
Group = "${group}-unixd";
|
Group = "${group}-unixd";
|
||||||
|
|
||||||
|
@ -1493,7 +1497,7 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
|
||||||
partOf = ["kanidm-unixd.service"];
|
partOf = ["kanidm-unixd.service"];
|
||||||
restartTriggers = [unixdConfigFile clientConfigFile];
|
restartTriggers = [unixdConfigFile clientConfigFile];
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
ExecStart = "${package}/bin/kanidm_unixd_tasks";
|
ExecStart = "${kanidm-package}/bin/kanidm_unixd_tasks";
|
||||||
|
|
||||||
BindReadOnlyPaths = [
|
BindReadOnlyPaths = [
|
||||||
"/nix/store"
|
"/nix/store"
|
||||||
|
@ -1531,7 +1535,7 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
|
||||||
"kanidm/unixd".source = unixdConfigFile;
|
"kanidm/unixd".source = unixdConfigFile;
|
||||||
};
|
};
|
||||||
|
|
||||||
system.nssModules = [package];
|
system.nssModules = [kanidm-package];
|
||||||
|
|
||||||
system.nssDatabases.group = [name];
|
system.nssDatabases.group = [name];
|
||||||
system.nssDatabases.passwd = [name];
|
system.nssDatabases.passwd = [name];
|
||||||
|
@ -1559,7 +1563,6 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
*/
|
|
||||||
})
|
})
|
||||||
{
|
{
|
||||||
systemd.tmpfiles.settings = {
|
systemd.tmpfiles.settings = {
|
||||||
|
|
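Review bot: `pwd`, `ls -la` and `ls -laR /storage/kanidm` are still in the `systemd.services.kanidm` script (hunk `@ -1414,7 +1418,7 @@`) now that the surrounding `/* … */` has been removed and the unit is live, so every start writes a recursive listing of the storage tree, including the certs and backup directories, to the journal. The script can be reduced to the single line `${kanidm-package}/bin/kanidmd server -c ${serverConfigFile}`, or the three debug lines dropped. In the `@ -1348,8 +1351,10 @@` hunk the certificate copy script hard-codes caddy's on-disk layout under `/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/idm.h.lyte.dev`; if caddy's storage path or issuing CA changes, the `cd` presumably aborts the script and kanidm keeps whatever was last copied into `${storage}/certs` until it expires, which the newly added comments do not mention — a comment such as `# depends on caddy's default storage layout and the Let's Encrypt production directory; a failed cd leaves the previously copied certs in place` would record that. The module function `({ config, options, ... }: let … in { … })` that these hunks patch starts and ends outside the visible hunks.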