From 44d874c5c67dc2380684971518d5cedf9fd6fc6f Mon Sep 17 00:00:00 2001
From: Max <max@privatevoid.net>
Date: Sat, 10 Jun 2023 17:54:03 +0200
Subject: [PATCH] cluster/services/idm: init

---
 cluster/services/idm/client.nix  | 26 +++++++++++++++++++
 cluster/services/idm/default.nix | 20 +++++++++++++++
 cluster/services/idm/server.nix  | 44 ++++++++++++++++++++++++++++++++
 3 files changed, 90 insertions(+)
 create mode 100644 cluster/services/idm/client.nix
 create mode 100644 cluster/services/idm/default.nix
 create mode 100644 cluster/services/idm/server.nix

diff --git a/cluster/services/idm/client.nix b/cluster/services/idm/client.nix
new file mode 100644
index 0000000..6aa795a
--- /dev/null
+++ b/cluster/services/idm/client.nix
@@ -0,0 +1,26 @@
+{ cluster, pkgs, ... }:
+
+let
+  frontendLink = cluster.config.links.idm;
+in
+
+{
+  services.kanidm = {
+    enableClient = true;
+    clientSettings = {
+      uri = frontendLink.url;
+    };
+  };
+
+  environment.systemPackages = let
+    idmAlias = pkgs.runCommand "kanidm-idm-alias" {} ''
+      mkdir -p $out/bin
+      ln -s ${pkgs.kanidm}/bin/kanidm $out/bin/idm
+      mkdir -p $out/share/bash-completion/completions
+      cat >$out/share/bash-completion/completions/idm.bash <<EOF
+      source ${pkgs.kanidm}/share/bash-completion/completions/kanidm.bash
+      complete -F _kanidm -o bashdefault -o default idm
+      EOF
+    '';
+  in [ idmAlias ];
+}
diff --git a/cluster/services/idm/default.nix b/cluster/services/idm/default.nix
new file mode 100644
index 0000000..94d8348
--- /dev/null
+++ b/cluster/services/idm/default.nix
@@ -0,0 +1,20 @@
+{ tools, ... }:
+
+{
+  links.idm = {
+    ipv4 = "idm.${tools.meta.domain}";
+    port = 443;
+    protocol = "https";
+  };
+
+  services.idm = {
+    nodes = {
+      server = [ "VEGAS" ];
+      client = [ "checkmate" "VEGAS" "prophet" "thunderskin" ];
+    };
+    nixos = {
+      server = ./server.nix;
+      client = ./client.nix;
+    };
+  };
+}
diff --git a/cluster/services/idm/server.nix b/cluster/services/idm/server.nix
new file mode 100644
index 0000000..b622ccd
--- /dev/null
+++ b/cluster/services/idm/server.nix
@@ -0,0 +1,44 @@
+{ cluster, config, lib, tools, ... }:
+
+let
+  inherit (tools.meta) domain;
+
+  frontendLink = cluster.config.links.idm;
+
+  backendLink = config.links.idmBackend;
+
+  certDir = config.security.acme.certs."internal.${domain}".directory;
+in
+
+{
+  links.idmBackend.protocol = "https";
+
+  security.acme.certs = {
+    "internal.${domain}".reloadServices = [ "kanidm.service" ];
+    "idm.${domain}" = {
+      dnsProvider = "pdns";
+      webroot = lib.mkForce null;
+    };
+  };
+
+  services.kanidm = {
+    enableServer = true;
+    serverSettings = {
+      tls_chain = "${certDir}/fullchain.pem";
+      tls_key = "${certDir}/key.pem";
+      role = "WriteReplicaNoUI";
+      bindaddress = backendLink.tuple;
+      origin = frontendLink.url;
+      inherit domain;
+    };
+  };
+
+  systemd.services.kanidm.after = [ "acme-selfsigned-internal.${domain}.service" ];
+
+  services.nginx.virtualHosts."idm.${domain}" = lib.recursiveUpdate (tools.nginx.vhosts.proxy backendLink.url) {
+    locations."/".extraConfig = ''
+      proxy_ssl_name idm-backend.internal.${domain};
+      proxy_ssl_trusted_certificate ${certDir}/chain.pem;
+    '';
+  };
+}