This commit is contained in:
Daniel Flanagan 2024-11-03 11:08:49 -06:00
parent c7e033e1d6
commit 30cddbdc37
2 changed files with 50 additions and 40 deletions


@ -265,8 +265,11 @@
}; };
nixosConfigurations = { nixosConfigurations = {
beefcake = nixpkgs.lib.nixosSystem { beefcake = let
system = "x86_64-linux"; system = "x86_64-linux";
in
nixpkgs.lib.nixosSystem {
inherit system;
modules = with nixosModules; [ modules = with nixosModules; [
home-manager-defaults home-manager-defaults
@ -294,6 +297,10 @@
fonts fonts
./nixos/beefcake.nix ./nixos/beefcake.nix
{
services.kanidm.package = (unstable.pkgsFor system).kanidm;
}
]; ];
}; };
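Review bot: The inline module added to the beefcake configuration pins `services.kanidm.package` to the unstable channel's kanidm without saying why, and nothing visible pins which kanidm version the `unstable` input resolves to, so every lock update silently moves the identity server (and, via the custom module in nixos/beefcake.nix, unixd and the NSS module) to whatever unstable carries at that moment. As far as I know kanidm migrates its database in place on upgrade and does not support going back to an older release, so a routine `nix flake update` can become a one-way change for /storage/kanidm. I'd record the intent and the safety step next to the override, e.g. `# kanidm deliberately tracks unstable (newer than the stable channel); upgrades migrate the DB in place, so take a backup before bumping the unstable input`, and consider bumping that input separately from the rest of the system. The nixosSystem call continues outside the hunk, so I can't see whether anything else constrains the version.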


@ -1250,10 +1250,13 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
port port
]; ];
}) })
({options, ...}: let ({
/* config,
options,
...
}: let
toml = pkgs.formats.toml {}; toml = pkgs.formats.toml {};
package = pkgs.kanidm; kanidm-package = config.services.kanidm.package;
domain = "idm.h.lyte.dev"; domain = "idm.h.lyte.dev";
name = "kanidm"; name = "kanidm";
storage = "/storage/${name}"; storage = "/storage/${name}";
@ -1332,12 +1335,12 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
# Does not work well with the temporary root # Does not work well with the temporary root
#UMask = "0066"; #UMask = "0066";
}; };
*/
in { in {
# kanidm # kanidm
/*
config = { config = {
# we need a mechanism to get the certificates that caddy provisions for us # reload certs from caddy every 5 minutes
# TODO: ideally some kind of file watcher service would make way more sense here?
# or we could simply setup the permissions properly somehow?
systemd.timers."copy-kanidm-certificates-from-caddy" = { systemd.timers."copy-kanidm-certificates-from-caddy" = {
wantedBy = ["timers.target"]; wantedBy = ["timers.target"];
timerConfig = { timerConfig = {
@ -1348,8 +1351,10 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
}; };
systemd.services."copy-kanidm-certificates-from-caddy" = { systemd.services."copy-kanidm-certificates-from-caddy" = {
# get the certificates that caddy provisions for us
script = '' script = ''
umask 077 umask 077
# this line should be unnecessary now that we have this in tmpfiles
install -d -m 0700 -o "${user}" -g "${group}" "${storage}/data" "${storage}/certs" install -d -m 0700 -o "${user}" -g "${group}" "${storage}/data" "${storage}/certs"
cd /var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/idm.h.lyte.dev cd /var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/idm.h.lyte.dev
install -m 0700 -o "${user}" -g "${group}" idm.h.lyte.dev.key idm.h.lyte.dev.crt "${storage}/certs" install -m 0700 -o "${user}" -g "${group}" idm.h.lyte.dev.key idm.h.lyte.dev.crt "${storage}/certs"
@ -1361,9 +1366,8 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
}; };
}; };
environment.systemPackages = [package]; environment.systemPackages = [kanidm-package];
# TODO: should I use this for /storage/kanidm/certs etc.?
systemd.tmpfiles.settings."10-kanidm" = { systemd.tmpfiles.settings."10-kanidm" = {
"${serverSettings.online_backup.path}".d = { "${serverSettings.online_backup.path}".d = {
inherit user group; inherit user group;
@ -1393,7 +1397,7 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
inherit group; inherit group;
description = "kanidm server"; description = "kanidm server";
isSystemUser = true; isSystemUser = true;
packages = [package]; packages = [kanidm-package];
}; };
users.users."${user}-unixd" = { users.users."${user}-unixd" = {
group = "${group}-unixd"; group = "${group}-unixd";
@ -1405,7 +1409,7 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
# loosely based off it # loosely based off it
systemd.services.kanidm = { systemd.services.kanidm = {
enable = true; enable = true;
path = with pkgs; [openssl] ++ [package]; path = with pkgs; [openssl] ++ [kanidm-package];
description = "kanidm identity management daemon"; description = "kanidm identity management daemon";
wantedBy = ["multi-user.target"]; wantedBy = ["multi-user.target"];
after = ["network.target"]; after = ["network.target"];
@ -1414,7 +1418,7 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
pwd pwd
ls -la ls -la
ls -laR /storage/kanidm ls -laR /storage/kanidm
${package}/bin/kanidmd server -c ${serverConfigFile} ${kanidm-package}/bin/kanidmd server -c ${serverConfigFile}
''; '';
# environment.RUST_LOG = serverSettings.log_level; # environment.RUST_LOG = serverSettings.log_level;
serviceConfig = lib.mkMerge [ serviceConfig = lib.mkMerge [
@ -1459,7 +1463,7 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
CacheDirectory = "${name}-unixd"; CacheDirectory = "${name}-unixd";
CacheDirectoryMode = "0700"; CacheDirectoryMode = "0700";
RuntimeDirectory = "${name}-unixd"; RuntimeDirectory = "${name}-unixd";
ExecStart = "${package}/bin/kanidm_unixd"; ExecStart = "${kanidm-package}/bin/kanidm_unixd";
User = "${user}-unixd"; User = "${user}-unixd";
Group = "${group}-unixd"; Group = "${group}-unixd";
@ -1493,7 +1497,7 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
partOf = ["kanidm-unixd.service"]; partOf = ["kanidm-unixd.service"];
restartTriggers = [unixdConfigFile clientConfigFile]; restartTriggers = [unixdConfigFile clientConfigFile];
serviceConfig = { serviceConfig = {
ExecStart = "${package}/bin/kanidm_unixd_tasks"; ExecStart = "${kanidm-package}/bin/kanidm_unixd_tasks";
BindReadOnlyPaths = [ BindReadOnlyPaths = [
"/nix/store" "/nix/store"
@ -1531,7 +1535,7 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
"kanidm/unixd".source = unixdConfigFile; "kanidm/unixd".source = unixdConfigFile;
}; };
system.nssModules = [package]; system.nssModules = [kanidm-package];
system.nssDatabases.group = [name]; system.nssDatabases.group = [name];
system.nssDatabases.passwd = [name]; system.nssDatabases.passwd = [name];
@ -1559,7 +1563,6 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
''; '';
}; };
}; };
*/
}) })
{ {
systemd.tmpfiles.settings = { systemd.tmpfiles.settings = {
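Review bot: With the `/* … */` wrapper removed this kanidm module is live again, and the copy-certificates script in it installs the Let's Encrypt private key with `install -m 0700 -o "${user}" -g "${group}" idm.h.lyte.dev.key idm.h.lyte.dev.crt "${storage}/certs"`, which puts an executable bit on a key file that only needs to be readable by the service; `install -m 0600 -o "${user}" -g "${group}" idm.h.lyte.dev.key "${storage}/certs"` with a separate `install -m 0644` (or 0600) for the `.crt` is the usual shape, and the `umask 077` above already covers anything the script creates on the way. The `install -d -m 0700 … "${storage}/data" "${storage}/certs"` line is kept directly under a new comment saying it should be unnecessary because of tmpfiles, but the tmpfiles entries for `${storage}/certs` are not in this hunk, so either drop the line once that is confirmed or reword the comment to say it is kept as a deliberate guard. The service definition continues past the end of the hunk, so I can't see whether kanidmd is restarted or reloaded after the copy; if it is not, a renewed certificate sits in `${storage}/certs` unused until the next restart, which is worth a one-line comment either way.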