From d5ae85092ce23e0280d4c2834f4f6f76c96a8385 Mon Sep 17 00:00:00 2001
From: h7x4
Date: Mon, 6 Mar 2023 21:12:14 +0100
Subject: [PATCH] tsuki: set up kanidm

---
 hosts/tsuki/configuration.nix | 1 +
 hosts/tsuki/services/kanidm.nix | 34 ++++++++++++++++++++++++++
 hosts/tsuki/services/nginx/default.nix | 6 ++++-
 3 files changed, 40 insertions(+), 1 deletion(-)
 create mode 100644 hosts/tsuki/services/kanidm.nix

diff --git a/hosts/tsuki/configuration.nix b/hosts/tsuki/configuration.nix
index e37e464..7385963 100644
--- a/hosts/tsuki/configuration.nix
+++ b/hosts/tsuki/configuration.nix
@@ -11,6 +11,7 @@
 ./services/hydra.nix
 # ./services/jitsi.nix
 ./services/jupyter.nix
+ ./services/kanidm.nix
 # ./services/keycloak.nix
 ./services/matrix
 ./services/minecraft
diff --git a/hosts/tsuki/services/kanidm.nix b/hosts/tsuki/services/kanidm.nix
new file mode 100644
index 0000000..298d08b
--- /dev/null
+++ b/hosts/tsuki/services/kanidm.nix
@@ -0,0 +1,34 @@
+{ pkgs, config, ... }: let
+ cfg = config.services.kanidm;
+in {
+ systemd.services.kanidm = {
+ requires = [ "acme-finished-${cfg.serverSettings.domain}.target" ];
+ serviceConfig.LoadCredential = let
+ certDir = config.security.acme.certs.${cfg.serverSettings.domain}.directory;
+ in [
+ "fullchain.pem:${certDir}/fullchain.pem"
+ "key.pem:${certDir}/key.pem"
+ ];
+ };
+
+ services.kanidm = {
+ enableServer = true;
+ # enablePAM = true;
+ serverSettings = let
+ credsDir = "/run/credentials/kanidm.service";
+ in {
+ origin = "https://${cfg.serverSettings.domain}";
+ domain = "auth.nani.wtf";
+ tls_chain = "${credsDir}/fullchain.pem";
+ tls_key = "${credsDir}/key.pem";
+ bindaddress = "localhost:8300";
+ };
+ };
+
+ environment = {
+ systemPackages = [ pkgs.kanidm ];
+ etc."kanidm/config".text = ''
+ uri="https://auth.nani.wtf"
+ '';
+ };
+}
diff --git a/hosts/tsuki/services/nginx/default.nix b/hosts/tsuki/services/nginx/default.nix
index 93849c1..865adec 100644
--- a/hosts/tsuki/services/nginx/default.nix
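Review bot: `requires = [ "acme-finished-${cfg.serverSettings.domain}.target" ]` on the new kanidm unit declares a dependency but not an ordering, so systemd may start kanidm before the ACME target is reached, and the two `LoadCredential` entries then refer to files that do not exist yet and the start fails; add `after = [ "acme-finished-${cfg.serverSettings.domain}.target" ];` next to it. Because LoadCredential copies `fullchain.pem` and `key.pem` into `/run/credentials/kanidm.service` when the unit starts, a renewed certificate is only served after a restart; if the acme module in use offers `security.acme.certs.<domain>.reloadServices`, listing `"kanidm.service"` there covers that, otherwise a post-renewal hook restarting the unit is needed. A one-line comment above `serviceConfig.LoadCredential` stating why the key is handed over as a credential instead of being read from the ACME directory would help the next reader, since nothing in the file says so.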
+++ b/hosts/tsuki/services/nginx/default.nix
@@ -109,7 +109,11 @@
 })
 (proxy ["dyn"] "http://localhost:${s ports.minecraft.dynmap}" {})
 (proxy ["osu"] "http://localhost:${s ports.osuchan}" {})
- (proxy ["vpn"] "http://localhost:${s ports.headscale}" {})
+ (proxy ["auth"] "https://localhost:8300" {
+ extraConfig = ''
+ proxy_ssl_verify off;
+ '';
+ })
 (proxy ["hydra"] "http://localhost:${s ports.hydra}" {})
 ] ++ (let
 stickerpickers = pkgs.callPackage ../matrix/maunium-stickerpicker.nix {
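Review bot: `proxy_ssl_verify off;` in the new `auth` entry makes nginx accept any certificate presented on localhost:8300, yet the kanidm unit added in this same commit serves the ACME-issued chain for `auth.nani.wtf`, so verification can stay enabled at no cost: `proxy_ssl_verify on; proxy_ssl_name auth.nani.wtf; proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;` (the path assumes the NixOS system CA bundle). If leaving the upstream unverified is deliberate, a one-line comment inside `extraConfig` saying why would stop the next reader from treating it as an oversight. The `proxy` helper is defined outside the hunk, so whether it forwards the `Host` header and `X-Forwarded-For` is not visible here; kanidm behind a reverse proxy only honours forwarded client addresses when its server setting `trust_x_forward_for` is enabled, which the kanidm.nix in this commit does not set. The same hunk also drops the `vpn` headscale proxy entry, which the commit message does not mention.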