WIP kanidm deployment
This commit is contained in:
parent
63047aec55
commit
ab03e929d4
6 changed files with 47 additions and 0 deletions
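--- a/modules/nixos/kanidm/client.toml
+++ b/modules/nixos/kanidm/client.toml
@@ -0,0 +1,2 @@
+uri = "https://idm.foxtrot.hare-cod.ts.net:8443"
+ca_path = "/tmp/cert.pem"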
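Review bot: `ca_path = "/tmp/cert.pem"` makes the client trust a CA certificate that lives in the world-writable, reboot-cleared `/tmp`, so any local user can swap the file and have the client accept a forged server certificate, and the trust anchor silently disappears after a reboot. Keep it under a root-owned, read-only path such as `ca_path = "/etc/kanidm/ca.pem"` (mode 0644), or, if the server certificate chains to a public CA, drop `ca_path` so the client should fall back to the system trust store. The `uri` also pins port 8443, which must match wherever the server actually terminates TLS once it is fronted by a proxy.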
BIN
modules/nixos/kanidm/kanidm.db
Normal file
BIN
modules/nixos/kanidm/kanidm.db
Normal file
Binary file not shown.
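--- a/modules/nixos/kanidm/server.toml
+++ b/modules/nixos/kanidm/server.toml
@@ -0,0 +1,10 @@
+bindaddress = "[::]:8443"
+db_path = "/home/daniel/code/nix/modules/nixos/kanidm/kanidm.db"
+tls_chain = "/tmp/cert.pem"
+tls_key = "/tmp/key.pem"
+domain = "idm.foxtrot.hare-cod.ts.net"
+origin = "https://idm.foxtrot.hare-cod.ts.net:8443"
+
+[online_backup]
+path = "/tmp/kanidm/backups/"
+schedule = "00 22 * * *"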
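Review bot: `tls_key`, `tls_chain` and `[online_backup] path` all live under the world-writable, tmpfs-cleared `/tmp`, so the server's private key and its database backups are readable by every local user and vanish on reboot. `db_path` meanwhile points into a git checkout in a home directory, and this same commit checks the resulting `kanidm.db` in as a binary — the IdM database holds account and credential material and must not be versioned; add it to `.gitignore`, drop it from this commit (and purge it from history if it was ever pushed), and point the server at service-owned locations such as `db_path = "/var/lib/kanidm/kanidm.db"`, `tls_key = "/etc/kanidm/key.pem"` and `path = "/var/lib/kanidm/backups/"`. The backup directory should be readable only by the kanidm service user, since a backup is exactly as sensitive as the live database. If this file is only a throwaway local dev config, say so in a leading `#` comment so it is not mistaken for a deployable one.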
|
@ -999,6 +999,38 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
|
||||||
26966
|
26966
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
|
{
|
||||||
|
# kanidm
|
||||||
|
services.kanidm = {
|
||||||
|
enableClient = true;
|
||||||
|
enablePam = true;
|
||||||
|
enableServer = true;
|
||||||
|
|
||||||
|
serverSettings = {
|
||||||
|
bindaddress = "[::]:8443";
|
||||||
|
db_path = "/storage/kanidm/data/kanidm.db";
|
||||||
|
# TODO: these will need permissions?
|
||||||
|
tls_chain = "/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/idm.h.lyte.dev.crt";
|
||||||
|
tls_key = "/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/idm.h.lyte.dev.key";
|
||||||
|
domain = "idm.foxtrot.hare-cod.ts.net";
|
||||||
|
origin = "https://idm.h.lyte.dev:8443";
|
||||||
|
|
||||||
|
online_backup = {
|
||||||
|
path = "/storage/kanidm/backups/";
|
||||||
|
schedule = "00 22 * * *";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
clientSettings = {
|
||||||
|
uri = "https://idm.h.lyte.dev";
|
||||||
|
# ca_path = "/tmp/cert.pem";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
services.caddy.virtualHosts."idm.h.lyte.dev" = {
|
||||||
|
extraConfig = ''reverse_proxy :8443'';
|
||||||
|
};
|
||||||
|
}
|
||||||
];
|
];
|
||||||
|
|
||||||
# TODO: non-root processes and services that access secrets need to be part of
|
# TODO: non-root processes and services that access secrets need to be part of
|
||||||
|
|
|
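Review bot: `tls_chain`/`tls_key` point into Caddy's ACME store under `/var/lib/caddy`, and the `# TODO: these will need permissions?` comment shows the key is not yet readable by the kanidm service; loosening permissions on that directory would expose Caddy's private key to the kanidm user, so prefer handing the key to the unit via a dedicated copy (e.g. systemd `LoadCredential=` or a hook that installs it under `/var/lib/kanidm` owned by the service user) rather than opening up Caddy's store. `domain` is still `idm.foxtrot.hare-cod.ts.net` while `origin` and `clientSettings.uri` use `idm.h.lyte.dev`; WebAuthn requires the RP ID (`domain`) to be the origin host or a registrable suffix of it, so passkey enrolment will fail unless these agree — `domain = "idm.h.lyte.dev";`. `origin` also carries `:8443` while the Caddy vhost and the client `uri` serve the same name on 443, so browsers coming through the proxy present a different origin than the one configured; pick one entry point and make `origin` match it. Finally, `reverse_proxy :8443` speaks plain HTTP by default but the kanidm listener is TLS (it is given `tls_chain`/`tls_key`), so the proxy transport likely needs TLS, e.g. `reverse_proxy https://127.0.0.1:8443` — worth confirming. The list this attribute set is appended to (`];` context) begins before the hunk.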
@ -46,6 +46,7 @@
|
||||||
additionalHosts = [
|
additionalHosts = [
|
||||||
".beefcake.lan"
|
".beefcake.lan"
|
||||||
"nix.h.lyte.dev"
|
"nix.h.lyte.dev"
|
||||||
|
"idm.h.lyte.dev"
|
||||||
"git.lyte.dev"
|
"git.lyte.dev"
|
||||||
"video.lyte.dev"
|
"video.lyte.dev"
|
||||||
"a.lyte.dev"
|
"a.lyte.dev"
|
||||||
|
|
|
@ -52,6 +52,8 @@
|
||||||
src = ./.;
|
src = ./.;
|
||||||
hash = pkgs.lib.fakeHash;
|
hash = pkgs.lib.fakeHash;
|
||||||
cargoHash = "sha256-W7VQlMktGsRPQL9VGVmxYV6C5u2eJ48S7eTpOM+3n8U=";
|
cargoHash = "sha256-W7VQlMktGsRPQL9VGVmxYV6C5u2eJ48S7eTpOM+3n8U=";
|
||||||
|
|
||||||
|
RUSTFLAGS = pkgs.lib.optionalString pkgs.stdenv.isLinux "-C link-arg=-fuse-ld=mold";
|
||||||
};
|
};
|
||||||
|
|
||||||
default = outputs.packages.${pkgs.system}.my-package;
|
default = outputs.packages.${pkgs.system}.my-package;
|
||||||
|
|