Fix baka shark

hosts/shark/configuration.nix

@@ -5,6 +5,9 @@
       ./hardware-configuration.nix
       ../../base.nix
       ../../misc/metrics-exporters.nix
+
+      ./services/nginx.nix
+      ./services/kanidm.nix
     ];
 
   sops.defaultSopsFile = ../../secrets/shark/shark.yaml;
@@ -15,25 +18,16 @@
   boot.loader.systemd-boot.enable = true;
   boot.loader.efi.canTouchEfiVariables = true;
 
-  networking.hostName = "shark"; # Define your hostname.
+  networking.hostName = "shark";
 
   systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
     matchConfig.Name = "ens18";
     address = with values.hosts.shark; [ (ipv4 + "/25") (ipv6 + "/64") ];
   };
 
-  # List packages installed in system profile
   environment.systemPackages = with pkgs; [
   ];
 
-  # List services that you want to enable:
-
-  # This value determines the NixOS release from which the default
-  # settings for stateful data, like file locations and database versions
-  # on your system were taken. It‘s perfectly fine and recommended to leave
-  # this value at the release version of the first install of this system.
-  # Before changing this value read the documentation for this option
-  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
   system.stateVersion = "23.05"; # Did you read the comment?
 
 }

hosts/shark/services/kanidm.nix

@@ -0,0 +1,47 @@
+{ config, pkgs, lib, ... }:
+let
+  cfg = config.services.kanidm;
+  domain = "idmtest.pvv.ntnu.no";
+  bindaddr_web = "127.0.0.1:8300"; #
+  bindaddr_ldaps = "0.0.0.0:636";
+in {
+  # Kanidm - Identity management / auth provider
+  services.kanidm = {
+    enableServer = true;
+
+    serverSettings = let
+      credsDir = "/run/credentials/kanidm.service";
+    in {
+      inherit domain;
+      ldapbindaddress = bindaddr_ldaps;
+      bindaddress = bindaddr_web;
+      origin = "https://${domain}";
+
+      tls_chain = "${credsDir}/fullchain.pem";
+      tls_key = "${credsDir}/key.pem";
+    };
+  };
+
+  systemd.services.kanidm = {
+    requires = [ "acme-finished-${domain}.target" ];
+    serviceConfig.LoadCredential = let
+      certDir = config.security.acme.certs.${domain}.directory;
+    in [
+      "fullchain.pem:${certDir}/fullchain.pem"
+      "key.pem:${certDir}/key.pem"
+    ];
+  };
+
+  services.nginx.virtualHosts."${cfg.serverSettings.domain}" = {
+    forceSSL = true;
+    enableACME = true;
+    locations."/".proxyPass = "https://${cfg.serverSettings.bindaddress}";
+  };
+
+  environment = {
+    systemPackages = [ pkgs.kanidm ]; # CLI tool
+    etc."kanidm/config".text = ''
+      uri="${cfg.serverSettings.origin}"
+    '';
+  };
+ }

hosts/shark/services/nginx.nix

@@ -0,0 +1,29 @@
+{ config, values, ... }:
+{
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "drift@pvv.ntnu.no";
+  };
+
+  services.nginx = {
+    enable = true;
+
+    enableReload = true;
+
+    defaultListenAddresses = [
+      values.hosts.shark.ipv4
+      "[${values.hosts.shark.ipv6}]"
+
+      "127.0.0.1"
+      "127.0.0.2"
+      "[::1]"
+    ];
+
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+  };
+
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+}