WIP kanidm deployment

2024-08-05 20:42:50 -05:00 · 2024-08-05 20:42:50 -05:00 · ab03e929d4
parent 63047aec55
commit ab03e929d4
6 changed files with 47 additions and 0 deletions
--- a/modules/nixos/kanidm/client.toml
+++ b/modules/nixos/kanidm/client.toml
@ -0,0 +1,2 @@
+uri = "https://idm.foxtrot.hare-cod.ts.net:8443"
+ca_path = "/tmp/cert.pem"
--- a/modules/nixos/kanidm/kanidm.db
+++ b/modules/nixos/kanidm/kanidm.db
--- a/modules/nixos/kanidm/server.toml
+++ b/modules/nixos/kanidm/server.toml
@ -0,0 +1,10 @@
+bindaddress = "[::]:8443"
+db_path = "/home/daniel/code/nix/modules/nixos/kanidm/kanidm.db"
+tls_chain = "/tmp/cert.pem"
+tls_key = "/tmp/key.pem"
+domain = "idm.foxtrot.hare-cod.ts.net"
+origin = "https://idm.foxtrot.hare-cod.ts.net:8443"
+
+[online_backup]
+path = "/tmp/kanidm/backups/"
+schedule = "00 22 * * *"
--- a/nixos/beefcake.nix
+++ b/nixos/beefcake.nix
@ -999,6 +999,38 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
        26966
      ];
    }
+    {
+      # kanidm
+      services.kanidm = {
+        enableClient = true;
+        enablePam = true;
+        enableServer = true;
+
+        serverSettings = {
+          bindaddress = "[::]:8443";
+          db_path = "/storage/kanidm/data/kanidm.db";
+          # TODO: these will need permissions?
+          tls_chain = "/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/idm.h.lyte.dev.crt";
+          tls_key = "/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/idm.h.lyte.dev.key";
+          domain = "idm.foxtrot.hare-cod.ts.net";
+          origin = "https://idm.h.lyte.dev:8443";
+
+          online_backup = {
+            path = "/storage/kanidm/backups/";
+            schedule = "00 22 * * *";
+          };
+        };
+
+        clientSettings = {
+          uri = "https://idm.h.lyte.dev";
+          # ca_path = "/tmp/cert.pem";
+        };
+      };
+
+      services.caddy.virtualHosts."idm.h.lyte.dev" = {
+        extraConfig = ''reverse_proxy :8443'';
+      };
+    }
  ];

  # TODO: non-root processes and services that access secrets need to be part of
--- a/nixos/router.nix
+++ b/nixos/router.nix
@ -46,6 +46,7 @@
      additionalHosts = [
        ".beefcake.lan"
        "nix.h.lyte.dev"
+        "idm.h.lyte.dev"
        "git.lyte.dev"
        "video.lyte.dev"
        "a.lyte.dev"
--- a/templates/rust/flake.nix
+++ b/templates/rust/flake.nix
@ -52,6 +52,8 @@
        src = ./.;
        hash = pkgs.lib.fakeHash;
        cargoHash = "sha256-W7VQlMktGsRPQL9VGVmxYV6C5u2eJ48S7eTpOM+3n8U=";
+
+        RUSTFLAGS = pkgs.lib.optionalString pkgs.stdenv.isLinux "-C link-arg=-fuse-ld=mold";
      };

      default = outputs.packages.${pkgs.system}.my-package;