depot/cluster/services/idm/default.nix

{ config, depot, ... }:

{
  links = {
    idm = {
      ipv4 = "idm.${depot.lib.meta.domain}";
      port = 443;
      protocol = "https";
    };
    ldap = {
      hostname = "idm-ldap.internal.${depot.lib.meta.domain}";
      ipv4 = config.vars.mesh.VEGAS.meshIp;
      port = 636;
      protocol = "ldaps";
    };
  };

  services.idm = {
    nodes = {
      server = [ "VEGAS" ];
      client = [ "checkmate" "grail" "VEGAS" "prophet" "soda" "thunderskin" ];
      client-soda = [ "soda" ];
    };
    nixos = {
      server = [
        ./common.nix
        ./server.nix
      ];
      client = [
        ./common.nix
        ./client.nix
        ./modules/idm-nss-ready.nix
        ./modules/idm-tmpfiles.nix
        ./policies/infra-admins.nix
      ];
      client-soda = [
        ./policies/soda.nix
      ];
    };
    secrets.serviceAccountCredentials = {
      nodes = config.services.idm.nodes.client;
      shared = false;
    };
  };

  dns.records = let
    serverAddrsPublic =  map
      (node: depot.hours.${node}.interfaces.primary.addrPublic)
      config.services.idm.nodes.server;
    serverAddrsInternal =  map
      (node: config.vars.mesh.${node}.meshIp)
      config.services.idm.nodes.server;
  in {
    idm = {
      type = "A";
      target = serverAddrsPublic;
    };
    "idm-ldap.internal" = {
      type = "A";
      target = serverAddrsInternal;
    };
  };
}
treewide: massive refactor 2023-08-31 00:55:45 +02:00			`{ config, depot, ... }:`
cluster/services/idm: init 2023-06-10 17:54:03 +02:00
			`{`
cluster/services/idm: enable LDAP 2023-06-11 21:33:53 +02:00			`links = {`
			`idm = {`
treewide: massive refactor 2023-08-31 00:55:45 +02:00			`ipv4 = "idm.${depot.lib.meta.domain}";`
cluster/services/idm: enable LDAP 2023-06-11 21:33:53 +02:00			`port = 443;`
			`protocol = "https";`
			`};`
			`ldap = {`
treewide: massive refactor 2023-08-31 00:55:45 +02:00			`hostname = "idm-ldap.internal.${depot.lib.meta.domain}";`
cluster/services/idm: enable LDAP 2023-06-11 21:33:53 +02:00			`ipv4 = config.vars.mesh.VEGAS.meshIp;`
			`port = 636;`
			`protocol = "ldaps";`
			`};`
cluster/services/idm: init 2023-06-10 17:54:03 +02:00			`};`

			`services.idm = {`
			`nodes = {`
			`server = [ "VEGAS" ];`
cluster/services/idm: add grail to clients 2023-11-04 00:46:14 +01:00			`client = [ "checkmate" "grail" "VEGAS" "prophet" "soda" "thunderskin" ];`
cluster/services/idm: add policy for soda 2023-06-11 17:07:45 +02:00			`client-soda = [ "soda" ];`
cluster/services/idm: init 2023-06-10 17:54:03 +02:00			`};`
			`nixos = {`
cluster/services/idm: set kanidm package 2024-07-16 00:32:49 +02:00			`server = [`
			`./common.nix`
			`./server.nix`
			`];`
cluster/services/idm: enable unixd 2023-06-11 02:00:46 +02:00			`client = [`
cluster/services/idm: set kanidm package 2024-07-16 00:32:49 +02:00			`./common.nix`
cluster/services/idm: enable unixd 2023-06-11 02:00:46 +02:00			`./client.nix`
cluster/services/idm: allow infra admins to read systemd journal 2023-06-12 23:44:46 +02:00			`./modules/idm-nss-ready.nix`
			`./modules/idm-tmpfiles.nix`
cluster/services/idm: enable unixd 2023-06-11 02:00:46 +02:00			`./policies/infra-admins.nix`
			`];`
cluster/services/idm: add policy for soda 2023-06-11 17:07:45 +02:00			`client-soda = [`
			`./policies/soda.nix`
			`];`
cluster/services/idm: init 2023-06-10 17:54:03 +02:00			`};`
cluster/services/idm: use cluster secrets 2024-07-08 18:41:51 +02:00			`secrets.serviceAccountCredentials = {`
			`nodes = config.services.idm.nodes.client;`
			`shared = false;`
			`};`
cluster/services/idm: init 2023-06-10 17:54:03 +02:00			`};`
cluster/services/idm: add dns records 2023-12-03 23:04:15 +01:00
			`dns.records = let`
			`serverAddrsPublic = map`
			`(node: depot.hours.${node}.interfaces.primary.addrPublic)`
			`config.services.idm.nodes.server;`
			`serverAddrsInternal = map`
			`(node: config.vars.mesh.${node}.meshIp)`
			`config.services.idm.nodes.server;`
			`in {`
			`idm = {`
			`type = "A";`
			`target = serverAddrsPublic;`
			`};`
			`"idm-ldap.internal" = {`
			`type = "A";`
			`target = serverAddrsInternal;`
			`};`
			`};`
cluster/services/idm: init 2023-06-10 17:54:03 +02:00			`}`