torjus/nixos-servers
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
834 Commits 9 Branches 0 Tags
de36b9d01641847e598c3962db77e7786786569a
Commit Graph

4 Commits

Author SHA1 Message Date
Torjus Håkestad
de36b9d016 kanidm: add hostname SAN to ACME certificate
Some checks failed
Run nix flake check / flake-check (push) Failing after 1s
Details 
Include both auth.home.2rjus.net (CNAME) and kanidm01.home.2rjus.net
(A record) as SANs in the TLS certificate. This fixes Prometheus
scraping which connects via the hostname, not the CNAME.

Fixes: x509: certificate is valid for auth.home.2rjus.net, not kanidm01.home.2rjus.net

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
 2026-02-08 03:29:54 +01:00
Torjus Håkestad
538c2ad097 kanidm: fix secret file permissions for provisioning
Some checks failed
Run nix flake check / flake-check (push) Failing after 1s
Details 
Set owner/group to kanidm so the post-start provisioning
script can read the idm_admin password.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
 2026-02-08 00:24:41 +01:00
Torjus Håkestad
d99c82c74c kanidm: fix service ordering for vault secret
Some checks failed
Run nix flake check / flake-check (push) Failing after 1s
Details 
Ensure vault-secret-kanidm-idm-admin runs before kanidm.service
by adding services dependency.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
 2026-02-08 00:21:11 +01:00
Torjus Håkestad
ca0e3fd629 kanidm01: add kanidm authentication server
Some checks failed
Run nix flake check / flake-check (push) Failing after 1s
Details 
- New test-tier VM at 10.69.13.23 with role=auth
- Kanidm 1.8 server with HTTPS (443) and LDAPS (636)
- ACME certificate from internal CA (auth.home.2rjus.net)
- Provisioned groups: admins, users, ssh-users
- Provisioned user: torjus
- Daily backups at 22:00 (7 versions)
- Prometheus monitoring scrape target

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
 2026-02-08 00:13:59 +01:00