Torjus Håkestad
538c2ad097
Some checks failed
Run nix flake check / flake-check (push) Failing after 1s
Set owner/group to kanidm so the post-start provisioning script can read the idm_admin password. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
65 lines
1.6 KiB
Nix
65 lines
1.6 KiB
Nix
{ config, lib, pkgs, ... }:
|
|
{
|
|
services.kanidm = {
|
|
package = pkgs.kanidmWithSecretProvisioning_1_8;
|
|
enableServer = true;
|
|
serverSettings = {
|
|
domain = "home.2rjus.net";
|
|
origin = "https://auth.home.2rjus.net";
|
|
bindaddress = "0.0.0.0:443";
|
|
ldapbindaddress = "0.0.0.0:636";
|
|
tls_chain = "/var/lib/acme/auth.home.2rjus.net/fullchain.pem";
|
|
tls_key = "/var/lib/acme/auth.home.2rjus.net/key.pem";
|
|
online_backup = {
|
|
path = "/var/lib/kanidm/backups";
|
|
schedule = "00 22 * * *";
|
|
versions = 7;
|
|
};
|
|
};
|
|
|
|
# Provisioning - initial users/groups
|
|
provision = {
|
|
enable = true;
|
|
idmAdminPasswordFile = config.vault.secrets.kanidm-idm-admin.outputDir;
|
|
|
|
groups = {
|
|
admins = { };
|
|
users = { };
|
|
ssh-users = { };
|
|
};
|
|
|
|
persons.torjus = {
|
|
displayName = "Torjus";
|
|
groups = [ "admins" "users" "ssh-users" ];
|
|
};
|
|
};
|
|
};
|
|
|
|
# Grant kanidm access to ACME certificates
|
|
users.users.kanidm.extraGroups = [ "acme" ];
|
|
|
|
# ACME certificate from internal CA
|
|
security.acme.certs."auth.home.2rjus.net" = {
|
|
listenHTTP = ":80";
|
|
reloadServices = [ "kanidm" ];
|
|
};
|
|
|
|
# Vault secret for idm_admin password
|
|
vault.secrets.kanidm-idm-admin = {
|
|
secretPath = "kanidm/idm-admin-password";
|
|
extractKey = "password";
|
|
services = [ "kanidm" ];
|
|
owner = "kanidm";
|
|
group = "kanidm";
|
|
};
|
|
|
|
# Monitoring scrape target
|
|
homelab.monitoring.scrapeTargets = [
|
|
{
|
|
job_name = "kanidm";
|
|
port = 443;
|
|
scheme = "https";
|
|
}
|
|
];
|
|
}
|