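{ config, pkgs, ... }:

let
  # Public hostname of the identity provider, derived from this host's domain.
  hostname = "auth.${config.networking.domain}";
  # Loopback port for the HTTPS API/UI; a reverse proxy (presumably set up in
  # ./client.nix or elsewhere -- confirm) is expected to front it.
  port = "44300";
in
{
  # The module-system option is `imports`; `import` is not a NixOS option and
  # would fail evaluation ("The option `import' does not exist"), so the
  # client module was never actually included.
  imports = [
    ./client.nix
  ];

  # Lets the kanidm user read files group-owned by nginx. Presumably this is
  # the ACME certificate directory referenced below -- verify against the
  # security.acme configuration.
  users.users.kanidm.extraGroups = [ "nginx" ];

  services.kanidm = {
    package = pkgs.kanidmWithSecretProvisioning_1_7;

    enableServer = true;

    serverSettings = {
      # HTTPS listener is loopback-only; external clients go through the proxy.
      bindaddress = "127.0.0.1:${port}";
      # NOTE(review): unlike the HTTPS listener, LDAPS is bound on every
      # interface. Whether it is reachable from outside depends on the firewall
      # rules, which are not visible here; bind to 127.0.0.1 if only local
      # clients need LDAP.
      ldapbindaddress = "0.0.0.0:636";
      domain = hostname;
      origin = "https://${hostname}";
      # Certificate and key under the ACME state directory for this hostname.
      tls_chain = "/var/lib/acme/${hostname}/cert.pem";
      tls_key = "/var/lib/acme/${hostname}/key.pem";

      online_backup = {
        path = "/var/data/backups/kanidm";
        # cron syntax: daily at 06:00; retain the five most recent backups.
        schedule = "00 06 * * *";
        versions = 5;
      };
    };

    provision = {
      enable = true;
      # Initial admin credentials are read from the age-encrypted secrets
      # declared below rather than being stored in the Nix store.
      adminPasswordFile = config.age.secrets.kanidm-admin-password.path;
      idmAdminPasswordFile = config.age.secrets.kanidm-idm-admin-password.path;
    };
  };

  # Decrypted secret files are owned by the kanidm user so the service can read
  # them; the encrypted sources live in the repository's secrets tree.
  age.secrets = {
    kanidm-admin-password = {
      owner = "kanidm";
      file = ../../../secrets/zora/services/kanidm-admin-password.age;
    };
    kanidm-idm-admin-password = {
      owner = "kanidm";
      file = ../../../secrets/zora/services/kanidm-idm-admin-password.age;
    };
  };
}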