tsuki: set up kanidm

hosts/tsuki/configuration.nix

@@ -11,6 +11,7 @@
     ./services/hydra.nix
     # ./services/jitsi.nix
     ./services/jupyter.nix
+    ./services/kanidm.nix
     # ./services/keycloak.nix
     ./services/matrix
     ./services/minecraft

hosts/tsuki/services/kanidm.nix

@@ -0,0 +1,34 @@
+{ pkgs, config, ... }: let
+  cfg = config.services.kanidm;
+in {
+  systemd.services.kanidm = {
+    requires = [ "acme-finished-${cfg.serverSettings.domain}.target" ];
+    serviceConfig.LoadCredential = let
+      certDir = config.security.acme.certs.${cfg.serverSettings.domain}.directory;
+    in [
+      "fullchain.pem:${certDir}/fullchain.pem"
+      "key.pem:${certDir}/key.pem"
+    ];
+  };
+
+  services.kanidm = {
+    enableServer = true;
+    # enablePAM = true;
+    serverSettings = let
+      credsDir = "/run/credentials/kanidm.service";
+    in {
+      origin = "https://${cfg.serverSettings.domain}";
+      domain = "auth.nani.wtf";
+      tls_chain = "${credsDir}/fullchain.pem";
+      tls_key = "${credsDir}/key.pem";
+      bindaddress = "localhost:8300";
+    };
+  };
+
+  environment = {
+    systemPackages = [ pkgs.kanidm ];
+    etc."kanidm/config".text = ''
+      uri="https://auth.nani.wtf"
+    '';
+  }; 
+}

hosts/tsuki/services/nginx/default.nix

@@ -109,7 +109,11 @@
       })
       (proxy ["dyn"] "http://localhost:${s ports.minecraft.dynmap}" {})
       (proxy ["osu"] "http://localhost:${s ports.osuchan}" {})
-      (proxy ["vpn"] "http://localhost:${s ports.headscale}" {})
+      (proxy ["auth"] "https://localhost:8300" {
+        extraConfig = ''
+          proxy_ssl_verify off;
+        '';
+      })
       (proxy ["hydra"] "http://localhost:${s ports.hydra}" {})
     ] ++ (let
       stickerpickers = pkgs.callPackage ../matrix/maunium-stickerpicker.nix {