Adding kanidm

hosts/zora/default.nix

@@ -8,11 +8,13 @@
       ./hardware.nix
       ./networking.nix
       # ./disko-config.nix
+      ./reverse-proxy.nix
 
       ../../users/lyes
 
       ../../modules
       ../../modules/server
+      ../../modules/server/idm
 
       # disko.nixosModules.disko
       agenix.nixosModules.default

hosts/zora/hardware-configuration.nix

@@ -42,6 +42,12 @@
       options = [ "subvol=root" ];
     };
 
+  fileSystems."/var/data" =
+    { device = "/dev/md127";
+      fsType = "btrfs";
+      options = [ ];
+    };
+
   swapDevices = [ ];
 
   # Enables DHCP on each ethernet and wireless interface. In case of scripted networking

hosts/zora/reverse-proxy.nix

@@ -0,0 +1,24 @@
+{ config, ... }:
+
+{
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "security@lyes.eu";
+  };
+
+  services.nginx = {
+    enable = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+
+    virtualHosts = {
+      "auth.lyes.eu" = {
+        forceSSL = true;
+        enableACME = true;
+        locations."/" = {
+          proxyPass = "https://${config.services.kanidm.serverSettings.bindaddress}";
+        };
+      };
+    };
+  };
+}

modules/server/default.nix

@@ -6,6 +6,7 @@
   boot.swraid = {
     enable = true;
     mdadmConf = ''
+      MAILADDR root@lyes.eu
       DEVICE partitions
     '';
   };

modules/server/link/default.nix

@@ -0,0 +1,40 @@
+{ config, pkgs }:
+
+let
+  hostname = "auth.${config.networking.domain}";
+  port = "44300";
+in
+{
+  services.kanidm = {
+    package = pkgs.kanidmWithSecretProvisioning_1_7;
+
+    enableServer = true;
+    serverSettings = {
+      bindaddress = "127.0.0.1:${port}";
+      ldapbindaddress = "0.0.0.0:636";
+      domain = hostname;
+      origin = "https://${hostname}";
+      tls_chain = "/var/lib/acme/${hostname}/cert.pem";
+      tls_key = "/var/lib/acme/${hostname}/key.pem";
+
+      online_backup = {
+        path = "/var/data/backups/kanidm";
+        schedule = "00 06 * * *";
+        versions = 5;
+      };
+    };
+
+    enableClient = true;
+
+    clientSettings = {
+      uri = "https://127.0.0.1:${port}";
+      verify_ca = false;
+    };
+
+    provision = {
+      enable = true;
+      adminPasswordFile = config.age.secrets.kanidm-admin-password.path;
+      idmAdminPasswordFile = config.age.secrets.kanidm-idm-admin-password.path;
+    };
+  };
+}

secrets.nix

@@ -0,0 +1,15 @@
+let
+  lyes = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMHJ2Wjz+SYDfgX8kMpZtVLCNxwWT2XbKOqFyDwkHOg9 mail@lyes.eu";
+  users = [ lyes ];
+  zora = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDu+E8SJKMzvhezPLLvqpgJQUs/qa+GwieeW92dHlcVI root@zora";
+  hosts = [ zora ];
+  all = users ++ hosts;
+in
+{
+  # Lyes
+  # "lyes/name.age".publicKeys = [ lyes ];
+
+  # Zora
+  "secrets/zora/services/kanidm-admin-password.age".publicKeys = all;
+  "secrets/zora/services/kanidm-idm-admin-password.age".publicKeys = all;
+}

secrets/secrets.nix

@@ -1,8 +0,0 @@
-let
-  lyes = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMHJ2Wjz+SYDfgX8kMpZtVLCNxwWT2XbKOqFyDwkHOg9 mail@lyes.eu";
-  users = [ lyes ];
-in
-{
-  # Lyes
-  # "lyes/name.age".publicKeys = [ lyes ];
-}

secrets/zora/services/kanidm-admin-password.age

@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 whuRpQ yaCtnbl+PhcqP6SAuO73GUnCnQdFp/Auz20/R2OXMH0
+N/TqTzciVJRo/FJdAALFBDLzEveIDBc/IMg4ogv6T8M
+-> ssh-ed25519 M75vQg yshoof4MQSFtFUYGmfiud0aAnQN3AHIunF+TBQ8s0jA
+xuE67ay+OVsNC6PQ7/lbJkpNWrbOP0/M/5PVyqQp08M
+--- CBH50TQjyCrMDho3hh/5Bp609h2EIrR326YH60111YQ
+Ä_p*MGƃ´”®­÷½TãèóËÜa‡ø7GßØZ¬nYé@¹òÖâ‰|‘’wšºæs¿‚+îªðöÇ=