cluster/services/idm: init
This commit is contained in:
parent
29f2c20e64
commit
44d874c5c6
3 changed files with 90 additions and 0 deletions
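--- /dev/null
+++ b/cluster/services/idm/client.nix
@@ -0,0 +1,26 @@
+{ cluster, pkgs, ... }:
+
+let
+frontendLink = cluster.config.links.idm;
+in
+
+{
+services.kanidm = {
+enableClient = true;
+clientSettings = {
+uri = frontendLink.url;
+};
+};
+
+environment.systemPackages = let
+idmAlias = pkgs.runCommand "kanidm-idm-alias" {} ''
+mkdir -p $out/bin
+ln -s ${pkgs.kanidm}/bin/kanidm $out/bin/idm
+mkdir -p $out/share/bash-completion/completions
+cat >$out/share/bash-completion/completions/idm.bash <<EOF
+source ${pkgs.kanidm}/share/bash-completion/completions/kanidm.bash
+complete -F _kanidm -o bashdefault -o default idm
+EOF
+'';
+in [ idmAlias ];
+}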
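Review bot: The heredoc that writes `idm.bash` uses an unquoted delimiter (`<<EOF`), so the build shell expands `$`-expressions inside it; the two lines it currently carries contain none, but any future `$`-using completion snippet would be silently rewritten at build time rather than landing in the file verbatim. Quoting the delimiter, `cat >$out/share/bash-completion/completions/idm.bash <<'EOF'`, makes the body literal and keeps the Nix-side `${pkgs.kanidm}` interpolation unaffected. A short comment above `idmAlias` such as `# "idm" is a thin alias for the kanidm CLI, with bash completion delegated to kanidm's own _kanidm function` would also help readers who do not expect a derivation in a service module.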
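--- /dev/null
+++ b/cluster/services/idm/default.nix
@@ -0,0 +1,20 @@
+{ tools, ... }:
+
+{
+links.idm = {
+ipv4 = "idm.${tools.meta.domain}";
+port = 443;
+protocol = "https";
+};
+
+services.idm = {
+nodes = {
+server = [ "VEGAS" ];
+client = [ "checkmate" "VEGAS" "prophet" "thunderskin" ];
+};
+nixos = {
+server = ./server.nix;
+client = ./client.nix;
+};
+};
+}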
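Review bot: The `ipv4` attribute of `links.idm` is set to a DNS name (`"idm.${tools.meta.domain}"`) rather than an address, which is surprising given the field name and is not explained anywhere in this file. If the links module accepts a hostname there by convention, a one-line comment such as `# hostname rather than a literal address; the link URL is built from this value` above the `ipv4` line would document that. Note also that the server node `"VEGAS"` is listed in `client` as well, which is presumably intentional so the server host gets the CLI alias — a brief comment on the `nodes` attribute set would make that explicit.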
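--- /dev/null
+++ b/cluster/services/idm/server.nix
@@ -0,0 +1,44 @@
+{ cluster, config, lib, tools, ... }:
+
+let
+inherit (tools.meta) domain;
+
+frontendLink = cluster.config.links.idm;
+
+backendLink = config.links.idmBackend;
+
+certDir = config.security.acme.certs."internal.${domain}".directory;
+in
+
+{
+links.idmBackend.protocol = "https";
+
+security.acme.certs = {
+"internal.${domain}".reloadServices = [ "kanidm.service" ];
+"idm.${domain}" = {
+dnsProvider = "pdns";
+webroot = lib.mkForce null;
+};
+};
+
+services.kanidm = {
+enableServer = true;
+serverSettings = {
+tls_chain = "${certDir}/fullchain.pem";
+tls_key = "${certDir}/key.pem";
+role = "WriteReplicaNoUI";
+bindaddress = backendLink.tuple;
+origin = frontendLink.url;
+inherit domain;
+};
+};
+
+systemd.services.kanidm.after = [ "acme-selfsigned-internal.${domain}.service" ];
+
+services.nginx.virtualHosts."idm.${domain}" = lib.recursiveUpdate (tools.nginx.vhosts.proxy backendLink.url) {
+locations."/".extraConfig = ''
+proxy_ssl_name idm-backend.internal.${domain};
+proxy_ssl_trusted_certificate ${certDir}/chain.pem;
+'';
+};
+}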
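Review bot: The nginx `extraConfig` sets `proxy_ssl_name` and `proxy_ssl_trusted_certificate` but never turns verification on, and nginx's `proxy_ssl_verify` defaults to off, so unless `tools.nginx.vhosts.proxy` (not visible here) already enables it the backend certificate is not actually checked against `chain.pem` and the name is not enforced. Adding `proxy_ssl_verify on;` and `proxy_ssl_server_name on;` alongside the two existing directives makes the proxied leg to `idm-backend.internal.${domain}` authenticated and sends the intended SNI. Separately, `tls_key` points kanidm at the ACME-managed `key.pem` of the `internal.${domain}` certificate without setting that certificate's `group` to one the kanidm service can read; if the service user is not granted access elsewhere, the server will fail to open the key at start, so this is worth confirming. A comment on the `after = [ "acme-selfsigned-internal.${domain}.service" ]` line, e.g. `# wait for the placeholder self-signed cert so kanidm can start before the first real ACME issuance`, would explain the otherwise non-obvious ordering.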