lytedev/nix
1
0
Fork 1
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Something is starting at least

Browse source
This commit is contained in:
Daniel Flanagan 2024-08-06 13:09:31 -05:00
parent 7c1b5afc31
commit e7b4d34399
1 changed files with 147 additions and 31 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

166
nixos/beefcake.nix
View file

@ -999,46 +999,162 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
26966
];
}
{
# kanidm
services.kanidm = {
enableClient = true;
enablePam = true;
enableServer = true;
serverSettings = {
bindaddress = "[::]:8443";
# ldapbindaddress
# TODO: these will need permissions?
tls_chain = "/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/idm.h.lyte.dev.crt";
tls_key = "/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/idm.h.lyte.dev.key";
({options, ...}: let
toml = pkgs.formats.toml {};
package = pkgs.kanidm;
domain = "idm.h.lyte.dev";
origin = "https://idm.h.lyte.dev";
# log_level
name = "kanidm";
storage = "/storage/${name}";
cert = "${storage}/certs/idm.h.lyte.dev.crt";
key = "${storage}/certs/idm.h.lyte.dev.key";
serverSettings = {
inherit domain;
bindaddress = "localhost:8443";
# ldapbindaddress
tls_chain = cert;
tls_key = key;
origin = "https://${domain}";
db_path = "${storage}/data/kanidm.db";
log_level = "debug";
online_backup = {
path = "/storage/kanidm/backups/";
path = "${storage}/backups/";
schedule = "00 22 * * *";
# versions = 7;
};
};
user = name;
group = name;
serverConfigFile = toml.generate "server.toml" serverSettings;
in {
# kanidm
unixSettings = {
uri = "https://idm.h.lyte.dev";
pam_allowed_login_groups = [];
# ca_path = "/path/to/ca.pem";
config = {
# we need a mechanism to get the certificates that caddy provisions for us
systemd.timers."copy-kanidm-certificates-from-caddy" = {
wantedBy = ["timers.target"];
timerConfig = {
OnBootSec = "10m"; # 10 minutes after booting
OnUnitActiveSec = "5m"; # every 5 minutes afterwards
Unit = "copy-kanidm-certificates-from-caddy.service";
};
};
clientSettings = {
uri = "https://idm.h.lyte.dev";
# ca_path = "/tmp/cert.pem";
systemd.services."copy-kanidm-certificates-from-caddy" = {
script = ''
umask 077
install -d -m 0700 -o "${user}" -g "${group}" "${storage}/data" "${storage}/certs"
rsync --no-perms --no-owner --no-group /var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/idm.h.lyte.dev/idm.h.lyte.dev.crt "${cert}"
rsync --no-perms --no-owner --no-group /var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/idm.h.lyte.dev/idm.h.lyte.dev.key "${key}"
chown "${user}:${group}" "${cert}" "${key}"
'';
path = with pkgs; [rsync];
serviceConfig = {
Type = "oneshot";
User = "root";
};
};
environment.systemPackages = [package];
# TODO: should I use this for /storage/kanidm/certs etc.?
systemd.tmpfiles.settings."10-kanidm" = {
"${serverSettings.online_backup.path}".d = {
inherit user group;
mode = "0700";
};
"${storage}/data".d = {
inherit user group;
mode = "0700";
};
};
users.groups = {
${group} = {};
};
users.users.${user} = {
inherit group;
description = "kanidm server";
isSystemUser = true;
packages = [package];
};
# the kanidm module in nixpkgs was not working for me, so I rolled my own
# loosely based off it
systemd.services.kanidm = {
description = "kanidm identity management daemon";
wantedBy = ["multi-user.target"];
after = ["network.target"];
requires = ["copy-kanidm-certificates-from-caddy.service"];
# environment.RUST_LOG = serverSettings.log_level;
serviceConfig = {
StateDirectory = name;
StateDirectoryMode = "0700";
RuntimeDirectory = "${name}d";
ExecStart = "${package}/bin/kanidmd server -c ${serverConfigFile}";
User = user;
Group = group;
AmbientCapabilities = ["CAP_NET_BIND_SERVICE"];
CapabilityBoundingSet = ["CAP_NET_BIND_SERVICE"];
PrivateUsers = lib.mkForce false;
PrivateNetwork = lib.mkForce false;
RestrictAddressFamilies = ["AF_INET" "AF_INET6" "AF_UNIX"];
# TemporaryFileSystem = "/:ro";
DeviceAllow = "";
LockPersonality = true;
ProtectControlGroups = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = ["@system-service" "~@privileged @resources @setuid @keyring"];
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateMounts = true;
PrivateTmp = true;
ProcSubset = "pid";
ProtectClock = true;
ProtectHome = true;
ProtectHostname = true;
BindReadOnlyPaths = [
"${storage}/certs"
];
BindPaths = [
"${storage}/data"
# socket
"/run/${name}d:/run/${name}d"
# backups
serverSettings.online_backup.path
];
};
};
# environment.etc."kanidm/server.toml" = {
# mode = "0600";
# group = "kanidm";
# user = "kanidm";
# };
# environment.etc."kanidm/config" = {
# mode = "0600";
# group = "kanidm";
# user = "kanidm";
# };
services.caddy.virtualHosts."idm.h.lyte.dev" = {
extraConfig = ''reverse_proxy :8443'';
};
}
};
})
];
# TODO: non-root processes and services that access secrets need to be part of