From 8201bc4bf590f9c0f32177cdf2c6d6326c08213d Mon Sep 17 00:00:00 2001 From: DerGrumpf Date: Fri, 15 May 2026 10:31:31 +0200 Subject: [PATCH] Added Kanidm with nginx --- hosts/cyper-controller/configuration.nix | 1 + nixos/roles/gitea.nix | 2 +- nixos/roles/kanidm.nix | 58 ++++++++++++++++++++++++ nixos/roles/keycloack.nix | 28 ------------ nixos/roles/nginx.nix | 10 ++++ 5 files changed, 70 insertions(+), 29 deletions(-) create mode 100644 nixos/roles/kanidm.nix delete mode 100644 nixos/roles/keycloack.nix diff --git a/hosts/cyper-controller/configuration.nix b/hosts/cyper-controller/configuration.nix index 750ed91..b88947d 100644 --- a/hosts/cyper-controller/configuration.nix +++ b/hosts/cyper-controller/configuration.nix @@ -14,6 +14,7 @@ # ../../nixos/roles/paperless-ngx.nix ../../nixos/roles/octoprint.nix ../../nixos/roles/matrix/postgres-backup.nix + ../../nixos/roles/kanidm.nix ]; networking = { diff --git a/nixos/roles/gitea.nix b/nixos/roles/gitea.nix index 4d3a6b9..ad1386d 100644 --- a/nixos/roles/gitea.nix +++ b/nixos/roles/gitea.nix @@ -81,7 +81,7 @@ in lfs = { enable = true; - contentDir = "${config.services.gitea.stateDir}/data/lfs"; + contentDir = "/storage/fast/lfs"; }; database = { diff --git a/nixos/roles/kanidm.nix b/nixos/roles/kanidm.nix new file mode 100644 index 0000000..57868d7 --- /dev/null +++ b/nixos/roles/kanidm.nix 
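Review bot: The new `contentDir = "/storage/fast/lfs";` in gitea.nix points outside `config.services.gitea.stateDir`, and nothing in the patch creates that directory or moves the LFS objects already stored under the old `${config.services.gitea.stateDir}/data/lfs`, so previously pushed LFS pointers will fail to resolve until the data is copied over. Before switching, make sure the directory exists and is owned by the gitea service user, e.g. a `systemd.tmpfiles.rules` entry for `/storage/fast/lfs` with the gitea user/group and mode 0750, and confirm the gitea unit's sandboxing (ReadWritePaths) covers a path outside stateDir in case the NixOS module does not add `lfs.contentDir` itself. The enclosing attribute set continues outside the hunk.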
@@ -0,0 +1,58 @@
+# FIRST TIME SETUP (after nixos-rebuild switch on cyper-controller):
+# $ sudo kanidmd recover-account admin
+# $ sudo kanidmd recover-account idm_admin
+#
+{ pkgs, ... }:
+let
+ domain = "auth.cyperpunk.de";
+ port = 8443;
+ certDir = "/var/lib/kanidm/tls";
+in
+{
+ systemd.services.kanidm-selfsigned-cert = {
+ description = "Generate self-signed TLS certificate for Kanidm";
+ wantedBy = [ "kanidm.service" ];
+ before = [ "kanidm.service" ];
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+ };
+ script = ''
+ if [ ! -f ${certDir}/cert.pem ]; then
+ mkdir -p ${certDir}
+ ${pkgs.openssl}/bin/openssl req -x509 \
+ -newkey rsa:4096 \
+ -keyout ${certDir}/key.pem \
+ -out ${certDir}/cert.pem \
+ -days 3650 \
+ -nodes \
+ -subj "/CN=${domain}"
+ chown -R kanidm:kanidm ${certDir}
+ chmod 750 ${certDir}
+ chmod 640 ${certDir}/cert.pem ${certDir}/key.pem
+ fi
+ '';
+ };
+
+ services.kanidm = {
+ enableServer = true;
+
+ serverSettings = {
+ inherit domain;
+ origin = "https://${domain}";
+
+ tls_chain = "${certDir}/cert.pem";
+ tls_key = "${certDir}/key.pem";
+
+ bindaddress = "0.0.0.0:${toString port}";
+
+ db_path = "/var/lib/kanidm/kanidm.db";
+ log_level = "info";
+ };
+
+ enableClient = true;
+ clientSettings.uri = "https://${domain}";
+ };
+
+ networking.firewall.allowedTCPPorts = [ port ];
+}
diff --git a/nixos/roles/keycloack.nix b/nixos/roles/keycloack.nix
deleted file mode 100644
index 0d7f491..0000000
--- a/nixos/roles/keycloack.nix
+++ /dev/null
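Review bot: `bindaddress = "0.0.0.0:${toString port}";` together with `networking.firewall.allowedTCPPorts = [ port ];` exposes Kanidm's self-signed listener on every interface, even though the intended entry point is the nginx vhost for auth.cyperpunk.de added in nginx.nix by this same patch. If nginx runs on this host, bind to loopback and drop the firewall rule (`bindaddress = "127.0.0.1:${toString port}";`); if it runs elsewhere, bind to the address nginx actually reaches and limit the port to that interface or peer instead of opening it globally. Behind a reverse proxy Kanidm should also get `trust_x_forward_for = true;` in serverSettings so its logs and any IP-based controls see the real client address rather than the proxy's, which in turn requires the proxy to send X-Forwarded-For. The guard `if [ ! -f ${certDir}/cert.pem ]; then` never re-issues the 3650-day certificate and does not notice a missing key.pem; checking both files, `if [ ! -f ${certDir}/cert.pem ] || [ ! -f ${certDir}/key.pem ]; then`, is cheap.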
@@ -1,28 +0,0 @@
-{ config, ... }:
-{
- services = {
- nginx.virtualHosts."www.cyperpunk.de".locations."/cloak" = {
- proxyPass = "http://localhost:${toString config.services.keycloak.settings.http-port}/cloak/";
- };
-
- keycloak = {
- enable = true;
-
- database = {
- type = "postgresql";
- createLocally = true;
-
- username = "keycloak";
- passwordFile = "/etc/nixos/secrets/keycloak_psql_pass";
- };
-
- settings = {
- hostname = "cyperpunk.de";
- http-relative-path = "/cloak";
- http-port = 38080;
- proxy = "passthrough";
- http-enabled = true;
- };
- };
- };
-}
diff --git a/nixos/roles/nginx.nix b/nixos/roles/nginx.nix
index 6792839..68e8343 100644
--- a/nixos/roles/nginx.nix
+++ b/nixos/roles/nginx.nix
@@ -19,6 +19,15 @@ let
proxyWebsockets = true;
};
};
+
+ mkHttpsProxy = port: {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "https://${upstream}:${toString port}";
+ extraConfig = "proxy_ssl_verify off;";
+ };
+ };
in
{
networking.firewall.allowedTCPPorts = [
@@ -50,6 +59,7 @@ in
"ngx.cyperpunk.de" = mkWsProxy 28101;
"vault.cyperpunk.de" = mkWsProxy 8222;
"calvin.cyperpunk.de" = mkWsProxy 15006;
+ "auth.cyperpunk.de" = mkHttpsProxy 8443;
"www.cyperpunk.de" = {
forceSSL = true;
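Review bot: `extraConfig = "proxy_ssl_verify off;";` in mkHttpsProxy leaves the nginx-to-backend TLS hop unauthenticated, so anything able to answer on `${upstream}:8443` can stand in for the identity provider that this helper fronts and observe credentials in transit. Since the backend certificate is a known, long-lived self-signed file, pin it instead: `proxy_ssl_verify on; proxy_ssl_trusted_certificate <path to the backend cert, readable by nginx>; proxy_ssl_name <backend hostname>;` (add `proxy_ssl_server_name on;` if the backend expects SNI). mkHttpsProxy also sets no Host or X-Forwarded-* headers of its own, so unless `recommendedProxySettings` is enabled elsewhere in this file (not visible in the hunk) the backend sees the proxy as the client. The `let` block that defines `upstream` starts before the hunk.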