depot/cluster/services/idm/server.nix

{ cluster, config, lib, depot, ... }:

# Kanidm identity-management server for the cluster.
#
# kanidm listens on its own HTTPS backend link using the cluster-internal
# ACME certificate; the public vhost idm.<domain> is an nginx reverse proxy
# onto that backend.  LDAP is exposed on a separate cluster link.
let
  inherit (depot.lib.meta) domain;
  inherit (cluster.config.links) idm ldap;

  # Cluster-internal certificate: kanidm serves fullchain.pem/key.pem from its
  # directory, and nginx pins chain.pem from the same place to verify upstream.
  internalCert = config.security.acme.certs."internal.${domain}";

  backend = config.links.idmBackend;
in
{
  # The backend link is TLS-only; kanidm terminates it with the cert above.
  links.idmBackend.protocol = "https";

  # Re-read the internal cert on renewal so kanidm never keeps serving an
  # expired chain.
  security.acme.certs."internal.${domain}".reloadServices = [ "kanidm.service" ];

  security.acme.certs."idm.${domain}" = {
    # Public certificate is issued via the DNS-01 "exec" provider; the webroot
    # (presumably set by a shared nginx/acme default) is forced off because the
    # two challenge modes are mutually exclusive.
    dnsProvider = "exec";
    webroot = lib.mkForce null;
  };

  services.kanidm.enableServer = true;
  services.kanidm.serverSettings = {
    inherit domain;
    tls_chain = "${internalCert.directory}/fullchain.pem";
    tls_key = "${internalCert.directory}/key.pem";
    # NOTE(review): the NoUI role presumably disables kanidm's bundled web UI —
    # confirm against the kanidm server docs.
    role = "WriteReplicaNoUI";
    bindaddress = backend.tuple;
    ldapbindaddress = "${ldap.ipv4}:${ldap.portStr}";
    origin = idm.url;
  };

  # Start after the self-signed placeholder for the internal cert exists, so
  # tls_chain/tls_key are readable on first boot before the real cert lands.
  systemd.services.kanidm.after = [ "acme-selfsigned-internal.${domain}.service" ];

  # Public vhost: generic proxy helper plus upstream-TLS pinning for the backend.
  #
  # NOTE(review): in nginx, proxy_ssl_trusted_certificate is only consulted
  # when `proxy_ssl_verify on` is in effect, and proxy_ssl_name is only sent as
  # SNI with `proxy_ssl_server_name on`; both default to off.  Confirm that
  # depot.lib.nginx.vhosts.proxy enables them — otherwise the upstream
  # certificate is never actually verified and this is TLS without
  # authentication of the backend.  Also confirm the internal.<domain> cert
  # covers the idm-backend.internal.<domain> name used here.
  services.nginx.virtualHosts."idm.${domain}" = lib.recursiveUpdate
    (depot.lib.nginx.vhosts.proxy backend.url)
    {
      locations."/".extraConfig = ''
        proxy_ssl_name idm-backend.internal.${domain};
        proxy_ssl_trusted_certificate ${internalCert.directory}/chain.pem;
      '';
    };
}