massicot: add kanidm service
This commit is contained in:
parent
74ad2b8425
commit
b3744b41ce
3 changed files with 76 additions and 35 deletions
|
|
@ -1,5 +1,27 @@
|
|||
{ config, pkgs, inputs, ... }:
|
||||
let
|
||||
kanidm_listen_port = 5324;
|
||||
in
|
||||
{
|
||||
security.acme = {
|
||||
acceptTerms = true;
|
||||
certs."auth.xinyang.life" = {
|
||||
email = "lixinyang411@gmail.com";
|
||||
listenHTTP = "127.0.0.1:1360";
|
||||
group = "kanidm";
|
||||
};
|
||||
};
|
||||
services.kanidm = {
|
||||
enableServer = true;
|
||||
serverSettings = {
|
||||
domain = "auth.xinyang.life";
|
||||
origin = "https://auth.xinyang.life";
|
||||
bindaddress = "[::]:${toString kanidm_listen_port}";
|
||||
tls_key = ''${config.security.acme.certs."auth.xinyang.life".directory}/key.pem'';
|
||||
tls_chain = ''${config.security.acme.certs."auth.xinyang.life".directory}/fullchain.pem'';
|
||||
# db_path = "/var/lib/kanidm/kanidm.db";
|
||||
};
|
||||
};
|
||||
services.matrix-conduit = {
|
||||
enable = true;
|
||||
# package = inputs.conduit.packages.${pkgs.system}.default;
|
||||
|
|
@ -20,8 +42,13 @@
|
|||
host = "xinyang.life";
|
||||
letsencrypt-enabled = false;
|
||||
bind-address = "localhost";
|
||||
landing-page-user = "me";
|
||||
instance-expose-public-timeline = true;
|
||||
oidc-enabled = true;
|
||||
oidc-idp-name = "Kanidm";
|
||||
oidc-issuer = "https://auth.xinyang.life/oauth2/openid/gts";
|
||||
oidc-client-id = "gts";
|
||||
oidc-client-secret = "QkqhD6kWj8QLACa51YyFttTfyGMkFyESPsSKzvGVT8WTs3J5";
|
||||
oidc-link-existing = true;
|
||||
};
|
||||
};
|
||||
|
||||
|
|
@ -53,15 +80,32 @@
|
|||
header Access-Control-Allow-Origin "*"
|
||||
respond `{"m.server": "xinyang.life:443"}`
|
||||
}
|
||||
|
||||
reverse_proxy * http://localhost:8080 {
|
||||
flush_interval -1
|
||||
}
|
||||
'';
|
||||
virtualHosts."git.xinyang.life:443".extraConfig = ''
|
||||
tls internal
|
||||
reverse_proxy http://${config.services.gitea.settings.server.DOMAIN}:${toString config.services.gitea.settings.server.HTTP_PORT}
|
||||
'';
|
||||
|
||||
virtualHosts."http://auth.xinyang.life:80".extraConfig = ''
|
||||
reverse_proxy ${config.security.acme.certs."auth.xinyang.life".listenHTTP}
|
||||
route {
|
||||
reverse_proxy * ${config.security.acme.certs."auth.xinyang.life".listenHTTP} order first
|
||||
abort
|
||||
}
|
||||
'';
|
||||
virtualHosts."https://auth.xinyang.life:443".extraConfig = ''
|
||||
reverse_proxy https://auth.xinyang.life:${toString kanidm_listen_port} {
|
||||
header_up Host {upstream_hostport}
|
||||
transport http {
|
||||
tls_server_name ${config.services.kanidm.serverSettings.domain}
|
||||
}
|
||||
}
|
||||
'';
|
||||
#
|
||||
# respond `Hello World`
|
||||
|
||||
};
|
||||
|
||||
networking.firewall.allowedTCPPorts = [ 80 443 8448 ];
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue