DerGrumpf/cyper-nix
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Added Kanidm with nginx

Browse Source
This commit is contained in:
DerGrumpf
2026-05-15 10:31:31 +02:00
parent c0b0d89fcf
commit 8201bc4bf5
5 changed files with 70 additions and 29 deletions
Download Patch File Download Diff File Expand all files Collapse all files
hosts/cyper-controller/configuration.nix
+1
View File
@@ -14,6 +14,7 @@
# ../../nixos/roles/paperless-ngx.nix # ../../nixos/roles/paperless-ngx.nix
../../nixos/roles/octoprint.nix ../../nixos/roles/octoprint.nix
../../nixos/roles/matrix/postgres-backup.nix ../../nixos/roles/matrix/postgres-backup.nix
../../nixos/roles/kanidm.nix
]; ];
networking = { networking = {
nixos/roles/gitea.nix
+1 -1
View File
@@ -81,7 +81,7 @@ in
lfs = { lfs = {
enable = true; enable = true;
contentDir = "${config.services.gitea.stateDir}/data/lfs"; contentDir = "/storage/fast/lfs";
}; };
database = { database = {
nixos/roles/kanidm.nix
+58
View File
@@ -0,0 +1,58 @@
# FIRST TIME SETUP (after nixos-rebuild switch on cyper-controller):
# $ sudo kanidmd recover-account admin
# $ sudo kanidmd recover-account idm_admin
#
{ pkgs, ... }:
let
domain = "auth.cyperpunk.de";
port = 8443;
certDir = "/var/lib/kanidm/tls";
in
{
systemd.services.kanidm-selfsigned-cert = {
description = "Generate self-signed TLS certificate for Kanidm";
wantedBy = [ "kanidm.service" ];
before = [ "kanidm.service" ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
};
script = ''
if [ ! -f ${certDir}/cert.pem ]; then
mkdir -p ${certDir}
${pkgs.openssl}/bin/openssl req -x509 \
-newkey rsa:4096 \
-keyout ${certDir}/key.pem \
-out ${certDir}/cert.pem \
-days 3650 \
-nodes \
-subj "/CN=${domain}"
chown -R kanidm:kanidm ${certDir}
chmod 750 ${certDir}
chmod 640 ${certDir}/cert.pem ${certDir}/key.pem
fi
'';
};
services.kanidm = {
enableServer = true;
serverSettings = {
inherit domain;
origin = "https://${domain}";
tls_chain = "${certDir}/cert.pem";
tls_key = "${certDir}/key.pem";
bindaddress = "0.0.0.0:${toString port}";
db_path = "/var/lib/kanidm/kanidm.db";
log_level = "info";
};
enableClient = true;
clientSettings.uri = "https://${domain}";
};
networking.firewall.allowedTCPPorts = [ port ];
}
nixos/roles/keycloack.nix
-28
View File
@@ -1,28 +0,0 @@
{ config, ... }:
{
services = {
nginx.virtualHosts."www.cyperpunk.de".locations."/cloak" = {
proxyPass = "http://localhost:${toString config.services.keycloak.settings.http-port}/cloak/";
};
keycloak = {
enable = true;
database = {
type = "postgresql";
createLocally = true;
username = "keycloak";
passwordFile = "/etc/nixos/secrets/keycloak_psql_pass";
};
settings = {
hostname = "cyperpunk.de";
http-relative-path = "/cloak";
http-port = 38080;
proxy = "passthrough";
http-enabled = true;
};
};
};
}
nixos/roles/nginx.nix
+10
View File
@@ -19,6 +19,15 @@ let
proxyWebsockets = true; proxyWebsockets = true;
}; };
}; };
mkHttpsProxy = port: {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "https://${upstream}:${toString port}";
extraConfig = "proxy_ssl_verify off;";
};
};
in in
{ {
networking.firewall.allowedTCPPorts = [ networking.firewall.allowedTCPPorts = [
@@ -50,6 +59,7 @@ in
"ngx.cyperpunk.de" = mkWsProxy 28101; "ngx.cyperpunk.de" = mkWsProxy 28101;
"vault.cyperpunk.de" = mkWsProxy 8222; "vault.cyperpunk.de" = mkWsProxy 8222;
"calvin.cyperpunk.de" = mkWsProxy 15006; "calvin.cyperpunk.de" = mkWsProxy 15006;
"auth.cyperpunk.de" = mkHttpsProxy 8443;
"www.cyperpunk.de" = { "www.cyperpunk.de" = {
forceSSL = true; forceSSL = true;