Set up kanidm

machines/beagle/configuration.nix

@@ -1,6 +1,6 @@
 {
   imports = [
+    ./modules/kanidm.nix
+    ./modules/reverse-proxy.nix
   ];
-
-  # New machine!
 }

machines/beagle/modules/kanidm.nix

@@ -0,0 +1,32 @@
+{pkgs, ...}: {
+  services.kanidm = {
+    enableServer = true;
+    enableClient = true;
+
+    package = pkgs.kanidm_1_7;
+
+    serverSettings = {
+      version = "2"; # Configuration file version.
+      origin = "https://idm.peprolinbot.com";
+      domain = "idm.peprolinbot.com";
+      bindaddress = "[::1]:8443";
+      ldapbindaddress = "[::]:636";
+      http_client_address_info.x-forward-for = ["::1"];
+      tls_chain = "/var/lib/kanidm/cert.pem";
+      tls_key = "/var/lib/kanidm/key.pem";
+    };
+
+    clientSettings = {
+      uri = "https://idm.peprolinbot.com";
+    };
+  };
+
+  security.acme.certs."idm.peprolinbot.com" = {
+    postRun = ''
+      cp -Lv {cert,key,chain}.pem /var/lib/kanidm/
+      chown kanidm:kanidm /var/lib/kanidm/{cert,key,chain}.pem
+      chmod 400 /var/lib/kanidm/{cert,key,chain}.pem
+    '';
+    reloadServices = ["kanidm.service"];
+  };
+}

machines/beagle/modules/reverse-proxy.nix

@@ -0,0 +1,29 @@
+{config, ...}: {
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "personal+letsencrypt@peprolinbot.com";
+  };
+
+  networking.firewall.allowedTCPPorts = [80 443];
+
+  services.nginx = {
+    enable = true;
+
+    # Use recommended settings
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+
+    virtualHosts = {
+      "idm.peprolinbot.com" = {
+        forceSSL = true;
+        enableACME = true;
+
+        locations."/" = {
+          proxyPass = "https://${config.services.kanidm.serverSettings.bindaddress}";
+        };
+      };
+    };
+  };
+}