beagle: kanidm: configure clan states

2025-12-06 13:14:46 +01:00 · 2025-12-06 13:14:46 +01:00 · 6da5d909f0
commit 6da5d909f0
parent 877bf6e204
1 changed files with 46 additions and 3 deletions
--- a/machines/beagle/modules/kanidm.nix
+++ b/machines/beagle/modules/kanidm.nix
@ -1,4 +1,10 @@
-{pkgs, ...}: {
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}:
+{
  services.kanidm = {
    enableServer = true;
    enableClient = true;
@ -11,7 +17,7 @@
      domain = "idm.peprolinbot.com";
      bindaddress = "[::1]:8443";
      ldapbindaddress = "[::]:636";
-      http_client_address_info.x-forward-for = ["::1"];
+      http_client_address_info.x-forward-for = [ "::1" ];
      tls_chain = "/var/lib/kanidm/cert.pem";
      tls_key = "/var/lib/kanidm/key.pem";
    };
@ -27,6 +33,43 @@
      chown kanidm:kanidm /var/lib/kanidm/{cert,key,chain}.pem
      chmod 400 /var/lib/kanidm/{cert,key,chain}.pem
    '';
-    reloadServices = ["kanidm.service"];
+    reloadServices = [ "kanidm.service" ];
+  };
+
+  clan.core.state.kanidm = {
+    folders = [ "/var/backup/kanidm" ];
+
+    preBackupScript = ''
+      export PATH=${
+        lib.makeBinPath [
+          pkgs.coreutils
+          config.services.kanidm.package
+        ]
+      }
+
+      mkdir -p /var/backup/kanidm
+
+      kanidmd database backup /var/backup/kanidm/backup.json
+    '';
+
+    postRestoreScript = ''
+      export PATH=${
+        lib.makeBinPath [
+          config.systemd.package
+          pkgs.coreutils
+          config.services.kanidm.package
+        ]
+      }
+
+      service_status="$(systemctl is-active kanidm)"
+
+      systemctl stop kanidm
+
+      kanidmd database restore /var/backup/kanidm/backup.json
+
+      if [ "$service_status" = "active" ]; then
+        systemctl start kanidm
+      fi
+    '';
  };
 }