Torjus Håkestad
ca0e3fd629
Some checks failed
Run nix flake check / flake-check (push) Failing after 1s
- New test-tier VM at 10.69.13.23 with role=auth - Kanidm 1.8 server with HTTPS (443) and LDAPS (636) - ACME certificate from internal CA (auth.home.2rjus.net) - Provisioned groups: admins, users, ssh-users - Provisioned user: torjus - Daily backups at 22:00 (7 versions) - Prometheus monitoring scrape target Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
62 lines
1.5 KiB
Nix
62 lines
1.5 KiB
Nix
{ config, lib, pkgs, ... }:
|
|
{
|
|
services.kanidm = {
|
|
package = pkgs.kanidmWithSecretProvisioning_1_8;
|
|
enableServer = true;
|
|
serverSettings = {
|
|
domain = "home.2rjus.net";
|
|
origin = "https://auth.home.2rjus.net";
|
|
bindaddress = "0.0.0.0:443";
|
|
ldapbindaddress = "0.0.0.0:636";
|
|
tls_chain = "/var/lib/acme/auth.home.2rjus.net/fullchain.pem";
|
|
tls_key = "/var/lib/acme/auth.home.2rjus.net/key.pem";
|
|
online_backup = {
|
|
path = "/var/lib/kanidm/backups";
|
|
schedule = "00 22 * * *";
|
|
versions = 7;
|
|
};
|
|
};
|
|
|
|
# Provisioning - initial users/groups
|
|
provision = {
|
|
enable = true;
|
|
idmAdminPasswordFile = config.vault.secrets.kanidm-idm-admin.outputDir;
|
|
|
|
groups = {
|
|
admins = { };
|
|
users = { };
|
|
ssh-users = { };
|
|
};
|
|
|
|
persons.torjus = {
|
|
displayName = "Torjus";
|
|
groups = [ "admins" "users" "ssh-users" ];
|
|
};
|
|
};
|
|
};
|
|
|
|
# Grant kanidm access to ACME certificates
|
|
users.users.kanidm.extraGroups = [ "acme" ];
|
|
|
|
# ACME certificate from internal CA
|
|
security.acme.certs."auth.home.2rjus.net" = {
|
|
listenHTTP = ":80";
|
|
reloadServices = [ "kanidm" ];
|
|
};
|
|
|
|
# Vault secret for idm_admin password
|
|
vault.secrets.kanidm-idm-admin = {
|
|
secretPath = "kanidm/idm-admin-password";
|
|
extractKey = "password";
|
|
};
|
|
|
|
# Monitoring scrape target
|
|
homelab.monitoring.scrapeTargets = [
|
|
{
|
|
job_name = "kanidm";
|
|
port = 443;
|
|
scheme = "https";
|
|
}
|
|
];
|
|
}
|