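{ config, pkgs, lib, ... }:
let
  cfg = config.services.kanidm;

  # Base path (without extension) of the TLS chain/key that systemd copies into
  # the service's credential directory via LoadCredential below.
  # NOTE(review): the "ssl-snakeoil" directory name suggests a self-signed or
  # placeholder certificate -- confirm a CA-issued chain is in place before
  # clients are pointed at this origin, since the HTTPS listener is reachable
  # from every interface (see bindaddress and the firewall rule).
  certPath = "/etc/ssl-snakeoil/auth_feal_no";

  # Credential names as seen by the service ($CREDENTIALS_DIRECTORY/<name>).
  # Defined once so the LoadCredential entries and the tls_chain/tls_key
  # settings cannot drift apart.
  credDir = "/run/credentials/kanidm.service";
  chainCred = "cert.crt";
  keyCred = "cert.key";

  # LDAPS listener. It is bound on all interfaces, but the firewall below only
  # opens 8300, so port 636 is not reachable from outside this host unless the
  # firewall is disabled or the port is opened elsewhere. If LDAP is meant to
  # be local-only, binding to 127.0.0.1:636 would make that explicit.
  ldapbindaddress = "0.0.0.0:636";
in
{
  # Kanidm - Identity management / auth provider
  services.kanidm = {
    enableServer = true;
    serverSettings = {
      # origin is derived from domain so the two stay consistent.
      origin = "https://${cfg.serverSettings.domain}";
      domain = "auth.feal.no";
      # HTTPS API/UI listener, exposed on all interfaces; matched by the
      # firewall rule at the bottom of this module.
      bindaddress = "0.0.0.0:8300";
      inherit ldapbindaddress;
      # Read from the systemd credential directory, not from certPath
      # directly, so the key file never has to be readable by the service user.
      tls_chain = "${credDir}/${chainCred}";
      tls_key = "${credDir}/${keyCred}";
    };
  };

  # Hand the chain and key to the unit as systemd credentials.
  systemd.services.kanidm = {
    serviceConfig.LoadCredential = [
      "${chainCred}:${certPath}.crt"
      "${keyCred}:${certPath}.key"
    ];
  };

  environment = {
    # CLI client on the same host.
    systemPackages = [ pkgs.kanidm ];
    # Client config: point the local kanidm CLI at this server's origin.
    etc."kanidm/config".text = ''
      uri="${cfg.serverSettings.origin}"
    '';
  };

  # Only the HTTPS listener is opened; LDAPS (636) is intentionally not
  # listed here -- see the ldapbindaddress note above.
  networking.firewall.allowedTCPPorts = [ 8300 ];
}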