# NixOS module: runs a Kanidm identity server in a private-network container.
# `options` and `fetchurl` are not used in the body; kept for the existing signature.
{ pkgs, lib, config, options, fetchurl, ... }:
let
  inherit (lib) mkEnableOption mkIf mkForce;

  cfg = config.personal.services.auth;

  # Static veth addresses: host side and container side of the private
  # network. The reverse proxy below targets containerAddress directly.
  hostAddress = "192.168.100.40";
  containerAddress = "192.168.100.41";
in
{
  options.personal.services.auth.enable = mkEnableOption "Auth";

  config = mkIf cfg.enable {
    # Only the LDAP listener (636) is exposed on the host; 8443 is neither
    # forwarded nor opened here and is reached via the webserver proxy below.
    networking.firewall.allowedTCPPorts = [ 636 ];

    containers.auth = {
      autoStart = true;
      privateNetwork = true;
      # Root filesystem is discarded on every restart; all durable state
      # has to live on the bind mounts.
      ephemeral = true;
      inherit hostAddress;
      localAddress = containerAddress;

      forwardPorts = [
        { protocol = "tcp"; hostPort = 636; containerPort = 636; }
      ];

      bindMounts = {
        # NOTE(review): the whole ACME state tree (every certificate and key
        # under /var/lib/acme) is visible read-only inside the container,
        # while only boerger.ws is referenced below. Mounting just
        # /var/lib/acme/boerger.ws would be the least-privilege choice.
        "/var/lib/acme" = {
          hostPath = "/var/lib/acme";
          isReadOnly = true;
        };
        # Kanidm database and state, writable.
        "/var/lib/kanidm" = {
          hostPath = "/var/lib/kanidm";
          isReadOnly = false;
        };
      };

      config = { config, pkgs, ... }: {
        system.stateVersion = "23.11";

        # Restrict the state dir to the kanidm user. This acts on the bind
        # mount, so the mode/ownership change is also applied on the host.
        # NOTE(review): the kanidm uid is not pinned here (unlike acme), so
        # ownership of the host's /var/lib/kanidm should be verified against it.
        systemd.tmpfiles.rules = [ "d /var/lib/kanidm 0700 kanidm kanidm" ];

        # sqlite CLI for inspecting the kanidm database by hand.
        environment.systemPackages = [ pkgs.sqlite ];

        services.resolved.enable = true;

        services.kanidm = {
          enableServer = true;
          serverSettings = {
            bindaddress = "0.0.0.0:8443";
            ldapbindaddress = "0.0.0.0:636";
            domain = "auth.boerger.ws";
            origin = "https://auth.boerger.ws";
            log_level = "info";
            # Certificate material comes from the host's ACME state via the
            # read-only bind mount; readable because kanidm joins the acme
            # group below.
            # NOTE(review): the cert name is boerger.ws while the service is
            # auth.boerger.ws — assumes a SAN/wildcard certificate; confirm.
            tls_key = "/var/lib/acme/boerger.ws/key.pem";
            tls_chain = "/var/lib/acme/boerger.ws/fullchain.pem";
          };
          enableClient = true;
          clientSettings.uri = "https://auth.boerger.ws";
        };

        networking = {
          useHostResolvConf = mkForce false;
          firewall = {
            enable = true;
            allowedTCPPorts = [ 636 8443 ];
          };
        };

        # Pin the acme uid/gid so file ownership on the bind-mounted
        # /var/lib/acme resolves to the same user inside the container.
        # NOTE(review): this assumes the host's acme user is also 400 — confirm.
        ids = {
          uids.acme = 400;
          gids.acme = 400;
        };

        users.users.acme = {
          home = "/var/lib/acme";
          group = "acme";
          isSystemUser = true;
          uid = config.ids.uids.acme;
        };
        # Grants read access to the ACME key/chain files.
        users.users.kanidm.extraGroups = [ "acme" ];
        users.groups.acme.gid = config.ids.gids.acme;
      };
    };

    personal.services = {
      acme.enable = true;
      webserver = {
        enable = true;
        hosts = [
          {
            domain = "auth.boerger.ws";
            proxy = "https://${containerAddress}:8443";
          }
        ];
      };
    };
  };
}