Set up kanidm

2025-10-17 22:40:32 +02:00 · 2025-10-17 22:40:32 +02:00 · 7fceb61b5e
commit 7fceb61b5e
parent bb9b5c0867
3 changed files with 63 additions and 2 deletions
--- a/machines/beagle/modules/kanidm.nix
+++ b/machines/beagle/modules/kanidm.nix
@ -0,0 +1,32 @@
+{pkgs, ...}: {
+  services.kanidm = {
+    enableServer = true;
+    enableClient = true;
+
+    package = pkgs.kanidm_1_7;
+
+    serverSettings = {
+      version = "2"; # Configuration file version.
+      origin = "https://idm.peprolinbot.com";
+      domain = "idm.peprolinbot.com";
+      bindaddress = "[::1]:8443";
+      ldapbindaddress = "[::]:636";
+      http_client_address_info.x-forward-for = ["::1"];
+      tls_chain = "/var/lib/kanidm/cert.pem";
+      tls_key = "/var/lib/kanidm/key.pem";
+    };
+
+    clientSettings = {
+      uri = "https://idm.peprolinbot.com";
+    };
+  };
+
+  security.acme.certs."idm.peprolinbot.com" = {
+    postRun = ''
+      cp -Lv {cert,key,chain}.pem /var/lib/kanidm/
+      chown kanidm:kanidm /var/lib/kanidm/{cert,key,chain}.pem
+      chmod 400 /var/lib/kanidm/{cert,key,chain}.pem
+    '';
+    reloadServices = ["kanidm.service"];
+  };
+}