cluster/services/idm: init

2023-06-10 17:54:03 +02:00 · 2023-06-10 17:54:03 +02:00 · 44d874c5c6
commit 44d874c5c6
parent 29f2c20e64
3 changed files with 90 additions and 0 deletions
--- a/cluster/services/idm/client.nix
+++ b/cluster/services/idm/client.nix
@ -0,0 +1,26 @@
 { cluster, pkgs, ... }:
 let
  frontendLink = cluster.config.links.idm;
 in
 {
  services.kanidm = {
    enableClient = true;
    clientSettings = {
      uri = frontendLink.url;
    };
  };
  environment.systemPackages = let
    idmAlias = pkgs.runCommand "kanidm-idm-alias" {} ''
      mkdir -p $out/bin
      ln -s ${pkgs.kanidm}/bin/kanidm $out/bin/idm
      mkdir -p $out/share/bash-completion/completions
      cat >$out/share/bash-completion/completions/idm.bash <<EOF
      source ${pkgs.kanidm}/share/bash-completion/completions/kanidm.bash
      complete -F _kanidm -o bashdefault -o default idm
      EOF
    '';
  in [ idmAlias ];
 }
--- a/cluster/services/idm/default.nix
+++ b/cluster/services/idm/default.nix
@ -0,0 +1,20 @@
 { tools, ... }:
 {
  links.idm = {
    ipv4 = "idm.${tools.meta.domain}";
    port = 443;
    protocol = "https";
  };
  services.idm = {
    nodes = {
      server = [ "VEGAS" ];
      client = [ "checkmate" "VEGAS" "prophet" "thunderskin" ];
    };
    nixos = {
      server = ./server.nix;
      client = ./client.nix;
    };
  };
 }
--- a/cluster/services/idm/server.nix
+++ b/cluster/services/idm/server.nix
@ -0,0 +1,44 @@
 { cluster, config, lib, tools, ... }:
 let
  inherit (tools.meta) domain;
  frontendLink = cluster.config.links.idm;
  backendLink = config.links.idmBackend;
  certDir = config.security.acme.certs."internal.${domain}".directory;
 in
 {
  links.idmBackend.protocol = "https";
  security.acme.certs = {
    "internal.${domain}".reloadServices = [ "kanidm.service" ];
    "idm.${domain}" = {
      dnsProvider = "pdns";
      webroot = lib.mkForce null;
    };
  };
  services.kanidm = {
    enableServer = true;
    serverSettings = {
      tls_chain = "${certDir}/fullchain.pem";
      tls_key = "${certDir}/key.pem";
      role = "WriteReplicaNoUI";
      bindaddress = backendLink.tuple;
      origin = frontendLink.url;
      inherit domain;
    };
  };
  systemd.services.kanidm.after = [ "acme-selfsigned-internal.${domain}.service" ];
  services.nginx.virtualHosts."idm.${domain}" = lib.recursiveUpdate (tools.nginx.vhosts.proxy backendLink.url) {
    locations."/".extraConfig = ''
      proxy_ssl_name idm-backend.internal.${domain};
      proxy_ssl_trusted_certificate ${certDir}/chain.pem;
    '';
  };
 }