2023-08-31 01:55:45 +03:00
|
|
|
{ cluster, config, lib, depot, ... }:
|
2023-06-10 18:54:03 +03:00
|
|
|
|
|
|
|
let
|
2023-08-31 01:55:45 +03:00
|
|
|
inherit (depot.lib.meta) domain;
|
2023-06-10 18:54:03 +03:00
|
|
|
|
|
|
|
frontendLink = cluster.config.links.idm;
|
|
|
|
|
|
|
|
backendLink = config.links.idmBackend;
|
|
|
|
|
2023-06-11 22:33:53 +03:00
|
|
|
ldapLink = cluster.config.links.ldap;
|
|
|
|
|
2023-06-10 18:54:03 +03:00
|
|
|
certDir = config.security.acme.certs."internal.${domain}".directory;
|
|
|
|
in
|
|
|
|
|
|
|
|
{
|
|
|
|
links.idmBackend.protocol = "https";
|
|
|
|
|
|
|
|
security.acme.certs = {
|
|
|
|
"internal.${domain}".reloadServices = [ "kanidm.service" ];
|
|
|
|
"idm.${domain}" = {
|
2023-12-04 20:31:03 +02:00
|
|
|
dnsProvider = "exec";
|
2023-06-10 18:54:03 +03:00
|
|
|
webroot = lib.mkForce null;
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
services.kanidm = {
|
|
|
|
enableServer = true;
|
|
|
|
serverSettings = {
|
|
|
|
tls_chain = "${certDir}/fullchain.pem";
|
|
|
|
tls_key = "${certDir}/key.pem";
|
|
|
|
role = "WriteReplicaNoUI";
|
|
|
|
bindaddress = backendLink.tuple;
|
2023-06-11 22:33:53 +03:00
|
|
|
ldapbindaddress = "${ldapLink.ipv4}:${ldapLink.portStr}";
|
2023-06-10 18:54:03 +03:00
|
|
|
origin = frontendLink.url;
|
|
|
|
inherit domain;
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
systemd.services.kanidm.after = [ "acme-selfsigned-internal.${domain}.service" ];
|
|
|
|
|
2023-08-31 01:55:45 +03:00
|
|
|
services.nginx.virtualHosts."idm.${domain}" = lib.recursiveUpdate (depot.lib.nginx.vhosts.proxy backendLink.url) {
|
2023-06-10 18:54:03 +03:00
|
|
|
locations."/".extraConfig = ''
|
|
|
|
proxy_ssl_name idm-backend.internal.${domain};
|
|
|
|
proxy_ssl_trusted_certificate ${certDir}/chain.pem;
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
}
|