Added Kanidm with nginx

2026-05-15 10:31:31 +02:00
parent c0b0d89fcf
commit 8201bc4bf5
5 changed files with 70 additions and 29 deletions
@@ -0,0 +1,58 @@
+# FIRST TIME SETUP (after nixos-rebuild switch on cyper-controller):
+#   $ sudo kanidmd recover-account admin
+#   $ sudo kanidmd recover-account idm_admin
+#
+{ pkgs, ... }:
+let
+  domain = "auth.cyperpunk.de";
+  port = 8443;
+  certDir = "/var/lib/kanidm/tls";
+in
+{
+  systemd.services.kanidm-selfsigned-cert = {
+    description = "Generate self-signed TLS certificate for Kanidm";
+    wantedBy = [ "kanidm.service" ];
+    before = [ "kanidm.service" ];
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+    };
+    script = ''
+      if [ ! -f ${certDir}/cert.pem ]; then
+        mkdir -p ${certDir}
+        ${pkgs.openssl}/bin/openssl req -x509 \
+          -newkey rsa:4096 \
+          -keyout ${certDir}/key.pem \
+          -out    ${certDir}/cert.pem \
+          -days   3650 \
+          -nodes  \
+          -subj   "/CN=${domain}"
+        chown -R kanidm:kanidm ${certDir}
+        chmod 750 ${certDir}
+        chmod 640 ${certDir}/cert.pem ${certDir}/key.pem
+      fi
+    '';
+  };
+
+  services.kanidm = {
+    enableServer = true;
+
+    serverSettings = {
+      inherit domain;
+      origin = "https://${domain}";
+
+      tls_chain = "${certDir}/cert.pem";
+      tls_key = "${certDir}/key.pem";
+
+      bindaddress = "0.0.0.0:${toString port}";
+
+      db_path = "/var/lib/kanidm/kanidm.db";
+      log_level = "info";
+    };
+
+    enableClient = true;
+    clientSettings.uri = "https://${domain}";
+  };
+
+  networking.firewall.allowedTCPPorts = [ port ];
+}