idp: migrate to biotite

2025-02-14 13:51:50 +08:00 · 2025-02-14 13:51:50 +08:00 · 2e2968360c
commit 2e2968360c
parent 6bf1822141
13 changed files with 347 additions and 41 deletions
--- a/machines/biotite/services/kanidm.nix
+++ b/machines/biotite/services/kanidm.nix
@ -0,0 +1,54 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+let
+  kanidm_listen_port = 5324;
+  inherit (config.my-lib.settings) idpUrl;
+in
+{
+  imports = [
+    ./kanidm-provision.nix
+  ];
+
+  security.acme = {
+    acceptTerms = true;
+    certs.${idpUrl} = {
+      email = "lixinyang411@gmail.com";
+      listenHTTP = "127.0.0.1:1360";
+      group = "kanidm";
+    };
+  };
+
+  services.kanidm = {
+    package = pkgs.kanidm.withSecretProvisioning;
+    enableServer = true;
+    serverSettings = {
+      domain = idpUrl;
+      origin = "https://${idpUrl}";
+      bindaddress = "[::]:${toString kanidm_listen_port}";
+      tls_key = ''${config.security.acme.certs.${idpUrl}.directory}/key.pem'';
+      tls_chain = ''${config.security.acme.certs.${idpUrl}.directory}/fullchain.pem'';
+      online_backup.versions = 7;
+      # db_path = "/var/lib/kanidm/kanidm.db";
+    };
+  };
+
+  services.caddy = {
+    enable = true;
+    virtualHosts."http://${idpUrl}".extraConfig = ''
+      reverse_proxy ${config.security.acme.certs.${idpUrl}.listenHTTP}
+    '';
+    virtualHosts."https://${idpUrl}".extraConfig = ''
+      reverse_proxy https://127.0.0.1:${toString kanidm_listen_port} {
+          header_up Host {upstream_hostport}
+          header_down Access-Control-Allow-Origin "*"
+          transport http {
+              tls_server_name ${config.services.kanidm.serverSettings.domain}
+          }
+      }
+    '';
+  };
+}