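# Kanidm identity server for the auth domain, sharing the ACME certificate of
# the nginx virtual host that serves the same name.
#
# The daemon never reads the ACME directory itself: systemd copies the chain
# and key into the unit's credential directory (LoadCredential), and the
# server settings point at those copies. That keeps the ACME directory
# readable only by the ACME/nginx side and gives kanidm a private copy that
# lives under /run for the lifetime of the service.
{ pkgs, config, ... }: let
  cfg = config.services.kanidm;
in {
  systemd.services.kanidm = let
    # Reuse the certificate of the nginx vhost for this domain. This assumes
    # the vhost sets `useACMEHost`; if it only sets `enableACME`, the value is
    # null and the interpolations below fail at evaluation time.
    certName = config.services.nginx.virtualHosts.${cfg.serverSettings.domain}.useACMEHost;
    certDir = config.security.acme.certs.${certName}.directory;
  in {
    # `requires` alone does not order the units: without `after`, systemd may
    # start kanidm in parallel with the ACME job, and LoadCredential then fails
    # on a certificate that has not been issued yet (e.g. on a fresh host).
    requires = [ "acme-finished-${certName}.target" ];
    after = [ "acme-finished-${certName}.target" ];

    # The credentials appear as /run/credentials/kanidm.service/<name>; the
    # names on the left must match the tls_chain/tls_key paths below.
    serviceConfig.LoadCredential = [
      "fullchain.pem:${certDir}/fullchain.pem"
      "key.pem:${certDir}/key.pem"
    ];
  };

  services.kanidm = {
    enableServer = true;
    # enablePAM = true;

    serverSettings = let
      # Must match the directory systemd derives from the unit name
      # (kanidm.service). The NixOS module renders serverSettings to a static
      # file, so $CREDENTIALS_DIRECTORY cannot be referenced here.
      credsDir = "/run/credentials/kanidm.service";
    in {
      domain = "auth.nani.wtf";
      origin = "https://${cfg.serverSettings.domain}";
      tls_chain = "${credsDir}/fullchain.pem";
      tls_key = "${credsDir}/key.pem";
      # Loopback only: the port is not reachable from other hosts directly;
      # presumably the nginx vhost for the domain proxies to it.
      bindaddress = "localhost:8300";
    };
  };

  environment = {
    systemPackages = [ pkgs.kanidm ];

    # Client configuration for the kanidm CLI. The URI is derived from the
    # server origin so the client and server settings cannot drift apart.
    etc."kanidm/config".text = ''
      uri="${cfg.serverSettings.origin}"
    '';
  };
}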