lyes/nixfiles
1
0
Fork 0
Code Issues Pull requests Activity Actions

Adding kanidm

Browse source
This commit is contained in:
Lyes Saadi 2025-10-12 23:42:31 +02:00
parent 630f7f6d68
commit b25c686151
Signed by: lyes
GPG key ID: 55A1D803917CF39A
9 changed files with 95 additions and 8 deletions
Download patch file Download diff file Expand all files Collapse all files

2
hosts/zora/default.nix
View file

@ -8,11 +8,13 @@
./hardware.nix
./networking.nix
# ./disko-config.nix
./reverse-proxy.nix
../../users/lyes
../../modules
../../modules/server
../../modules/server/idm
# disko.nixosModules.disko
agenix.nixosModules.default

6
hosts/zora/hardware-configuration.nix
View file

@ -42,6 +42,12 @@
options = [ "subvol=root" ];
};
fileSystems."/var/data" =
{ device = "/dev/md127";
fsType = "btrfs";
options = [ ];
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking

24
hosts/zora/reverse-proxy.nix Normal file
View file

@ -0,0 +1,24 @@
{ config, ... }:
{
security.acme = {
acceptTerms = true;
defaults.email = "security@lyes.eu";
};
services.nginx = {
enable = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
virtualHosts = {
"auth.lyes.eu" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "https://${config.services.kanidm.serverSettings.bindaddress}";
};
};
};
};
}

1
modules/server/default.nix
View file

@ -6,6 +6,7 @@
boot.swraid = {
enable = true;
mdadmConf = ''
MAILADDR root@lyes.eu
DEVICE partitions
'';
};

40
modules/server/link/default.nix Normal file
View file

@ -0,0 +1,40 @@
{ config, pkgs }:
let
hostname = "auth.${config.networking.domain}";
port = "44300";
in
{
services.kanidm = {
package = pkgs.kanidmWithSecretProvisioning_1_7;
enableServer = true;
serverSettings = {
bindaddress = "127.0.0.1:${port}";
ldapbindaddress = "0.0.0.0:636";
domain = hostname;
origin = "https://${hostname}";
tls_chain = "/var/lib/acme/${hostname}/cert.pem";
tls_key = "/var/lib/acme/${hostname}/key.pem";
online_backup = {
path = "/var/data/backups/kanidm";
schedule = "00 06 * * *";
versions = 5;
};
};
enableClient = true;
clientSettings = {
uri = "https://127.0.0.1:${port}";
verify_ca = false;
};
provision = {
enable = true;
adminPasswordFile = config.age.secrets.kanidm-admin-password.path;
idmAdminPasswordFile = config.age.secrets.kanidm-idm-admin-password.path;
};
};
}

15
secrets.nix Normal file
View file

@ -0,0 +1,15 @@
let
lyes = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMHJ2Wjz+SYDfgX8kMpZtVLCNxwWT2XbKOqFyDwkHOg9 mail@lyes.eu";
users = [ lyes ];
zora = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDu+E8SJKMzvhezPLLvqpgJQUs/qa+GwieeW92dHlcVI root@zora";
hosts = [ zora ];
all = users ++ hosts;
in
{
# Lyes
# "lyes/name.age".publicKeys = [ lyes ];
# Zora
"secrets/zora/services/kanidm-admin-password.age".publicKeys = all;
"secrets/zora/services/kanidm-idm-admin-password.age".publicKeys = all;
}

8
secrets/secrets.nix
View file

@ -1,8 +0,0 @@
let
lyes = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMHJ2Wjz+SYDfgX8kMpZtVLCNxwWT2XbKOqFyDwkHOg9 mail@lyes.eu";
users = [ lyes ];
in
{
# Lyes
# "lyes/name.age".publicKeys = [ lyes ];
}

7
secrets/zora/services/kanidm-admin-password.age Normal file
View file

@ -0,0 +1,7 @@
age-encryption.org/v1
-> ssh-ed25519 whuRpQ yaCtnbl+PhcqP6SAuO73GUnCnQdFp/Auz20/R2OXMH0
N/TqTzciVJRo/FJdAALFBDLzEveIDBc/IMg4ogv6T8M
-> ssh-ed25519 M75vQg yshoof4MQSFtFUYGmfiud0aAnQN3AHIunF+TBQ8s0jA
xuE67ay+OVsNC6PQ7/lbJkpNWrbOP0/M/5PVyqQp08M
--- CBH50TQjyCrMDho3hh/5Bp609h2EIrR326YH60111YQ
Ä_p*MGƃ´®­÷½TãèóËÜa‡ø7GßØZ¬nYé@¹ò Öâ‰|wšºæs¿‚+îªðöÇ=

BIN
secrets/zora/services/kanidm-idm-admin-password.age Normal file
View file

Binary file not shown.