depot/cluster/services/idm/default.nix


{ config, depot, ... }:
let
  # Hosts that run the IDM server; every DNS record below is derived from this list
  # so it stays the single source of truth for server addresses.
  serverNodes = config.services.idm.nodes.server;

  # Address selectors used to build the A records.
  publicAddrOf = node: depot.hours.${node}.interfaces.primary.addrPublic;
  meshAddrOf = node: config.vars.mesh.${node}.meshIp;
in
{
  # Public HTTPS endpoint of the identity service.
  links.idm = {
    ipv4 = "idm.${depot.lib.meta.domain}";
    port = 443;
    protocol = "https";
  };

  # LDAP is exposed only over LDAPS, and only on the mesh-internal address.
  # NOTE(review): the address is pinned to VEGAS here while the server list lives in
  # services.idm.nodes.server; the two must be kept in sync if the server ever moves.
  links.ldap = {
    hostname = "idm-ldap.internal.${depot.lib.meta.domain}";
    ipv4 = config.vars.mesh.VEGAS.meshIp;
    port = 636;
    protocol = "ldaps";
  };

  # Role -> node assignment. A node may carry several roles (VEGAS and soda do).
  services.idm.nodes = {
    server = [ "VEGAS" ];
    client = [ "checkmate" "grail" "VEGAS" "prophet" "soda" "thunderskin" ];
    client-soda = [ "soda" ];
  };

  # NixOS modules applied per role.
  services.idm.nixos = {
    server = [
      ./common.nix
      ./server.nix
    ];
    client = [
      ./common.nix
      ./client.nix
      ./modules/idm-nss-ready.nix
      ./modules/idm-tmpfiles.nix
      ./policies/infra-admins.nix
    ];
    client-soda = [
      ./policies/soda.nix
    ];
  };

  # Service-account credentials are scoped to the client nodes.
  # NOTE(review): `shared = false` presumably means each client gets its own credential
  # rather than one secret fanned out to every node — confirm against the secrets module.
  services.idm.secrets.serviceAccountCredentials = {
    nodes = config.services.idm.nodes.client;
    shared = false;
  };

  # Public name resolves to the servers' public interface; the internal LDAP name
  # resolves to their mesh address only.
  dns.records = {
    idm = {
      type = "A";
      target = map publicAddrOf serverNodes;
    };
    "idm-ldap.internal" = {
      type = "A";
      target = map meshAddrOf serverNodes;
    };
  };
}