From 6ba09ac7ec82a41da7fd6b4dce1ca22bd3550497 Mon Sep 17 00:00:00 2001
From: arcnmx
Date: Sun, 21 Jan 2024 16:35:30 -0800
Subject: [PATCH] feat(kanidm): expose ldap

---
 modules/nixos/kanidm.nix | 22 ++++----
 nixos/access/kanidm.nix | 108 +++++++++++++++++++++++++++++++++++++++
 nixos/kanidm.nix | 1 -
 systems/tei/nixos.nix | 1 +
 tf/cloudflare_records.tf | 1 +
 5 files changed, 122 insertions(+), 11 deletions(-)
 create mode 100644 nixos/access/kanidm.nix

diff --git a/modules/nixos/kanidm.nix b/modules/nixos/kanidm.nix
index 7d6b5f90..0afd133a 100644
--- a/modules/nixos/kanidm.nix
+++ b/modules/nixos/kanidm.nix
@@ -4,7 +4,7 @@
 config,
 ...
 }: let
- inherit (lib) mkIf mkMerge mkDefault mkOptionDefault mkEnableOption mkOption;
+ inherit (lib) mkIf mkMerge mkBefore mkDefault mkOptionDefault mkEnableOption mkOption;
 cfg = config.services.kanidm;
 in {
 options.services.kanidm = with lib.types; {
@@ -13,8 +13,7 @@ in {
 unencrypted = {
 enable = mkEnableOption "snake oil certificate";
 domain = mkOption {
- type = str;
- default = cfg.server.frontend.domain;
+ type = listOf str;
 };
 package = mkOption {
 type = package;
@@ -42,7 +41,7 @@ in {
 };
 port = mkOption {
 type = port;
- default = 636;
+ default = 3636;
 };
 };
 };
@@ -55,12 +54,15 @@ in {
 ];
 services.kanidm = {
- server.unencrypted.package = let
- cert = pkgs.mkSnakeOil {
- name = "kanidm-cert";
- inherit (cfg.server.unencrypted) domain;
- };
- in mkOptionDefault cert;
+ server.unencrypted = {
+ domain = mkBefore [ cfg.server.frontend.domain ];
+ package = let
+ cert = pkgs.mkSnakeOil {
+ name = "kanidm-cert";
+ inherit (cfg.server.unencrypted) domain;
+ };
+ in mkOptionDefault cert;
+ };
 clientSettings = mkIf cfg.enableServer {
 uri = mkDefault cfg.serverSettings.origin;
 };
diff --git a/nixos/access/kanidm.nix b/nixos/access/kanidm.nix
new file mode 100644
index 00000000..dc905471
--- /dev/null
+++ b/nixos/access/kanidm.nix
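Review bot: In the second hunk the `server.unencrypted.domain` option changes from `str` with a default to `listOf str` with no default and no `description`, which breaks any configuration that still assigns a plain string and leaves the new list semantics undocumented; a `description = "Hostnames to include in the snake-oil certificate; the frontend domain is always placed first by this module.";` on the option would cover that. The fourth hunk now hands that list to `pkgs.mkSnakeOil` through `inherit (cfg.server.unencrypted) domain;`, so mkSnakeOil presumably accepts a list of subject names where it previously received a single string — worth confirming, since a type mismatch there would only surface at evaluation time on the host that enables the certificate. The third hunk's change of the ldap default from 636 to 3636 also moves existing deployments off the standard LDAPS port unless they set the option explicitly, and the commit message does not mention it. The `services.kanidm` attrset in the fourth hunk continues outside the hunk.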
@@ -0,0 +1,108 @@
+{
+ config,
+ lib,
+ ...
+}:
+let
+ inherit (lib.options) mkOption;
+ inherit (lib.modules) mkIf mkMerge mkDefault mkOptionDefault;
+ inherit (lib.strings) optionalString;
+ cfg = config.services.kanidm;
+ access = config.services.nginx.access.kanidm;
+ proxyPass = mkDefault "http://${access.host}:${toString access.port}";
+ locations = {
+ "/" = {
+ inherit proxyPass;
+ };
+ "=/ca.pem" = {
+ alias = "${cfg.server.unencrypted.package.ca}";
+ };
+ };
+ allows = optionalString config.services.tailscale.enable ''
+ allow fd7a:115c:a1e0::/96;
+ allow fd7a:115c:a1e0:ab12::/64;
+ allow 100.64.0.0/10;
+ '' + ''
+ allow 10.1.1.0/24;
+ allow fd0a::/64;
+ deny all;
+ '';
+in {
+ options.services.nginx.access.kanidm = with lib.types; {
+ host = mkOption {
+ type = str;
+ };
+ domain = mkOption {
+ type = str;
+ };
+ localDomain = mkOption {
+ type = str;
+ default = "id.local.${config.networking.domain}";
+ };
+ port = mkOption {
+ type = port;
+ };
+ ldapPort = mkOption {
+ type = port;
+ };
+ };
+ config = {
+ services.nginx = {
+ access.kanidm = mkIf cfg.enableServer {
+ domain = mkOptionDefault cfg.server.frontend.domain;
+ host = mkOptionDefault "localhost";
+ port = mkOptionDefault cfg.server.frontend.port;
+ ldapPort = mkOptionDefault cfg.server.ldap.port;
+ };
+ streamConfig = ''
+ server {
+ listen 0.0.0.0:389;
+ listen [::]:389;
+ ${allows}
+ proxy_pass ${access.host}:${toString access.ldapPort};
+ proxy_ssl on;
+ proxy_ssl_verify off;
+ }
+ server {
+ listen 0.0.0.0:636 ssl;
+ listen [::]:636 ssl;
+ ssl_certificate ${cfg.serverSettings.tls_chain};
+ ssl_certificate_key ${cfg.serverSettings.tls_key};
+ proxy_pass ${access.host}:${toString access.ldapPort};
+ proxy_ssl on;
+ proxy_ssl_verify off;
+ }
+ '';
+
+ virtualHosts = {
+ ${access.domain} = {
+ inherit locations;
+ };
+ ${access.localDomain} = {
+ local.enable = true;
+ inherit locations;
+ };
+ "id.tail.${config.networking.domain}" = mkIf config.services.tailscale.enable {
+ local.enable = true;
+ inherit locations;
+ };
+ };
+ };
+
+ services.kanidm.server.unencrypted.domain = mkMerge [
+ [
+ access.localDomain
+ config.networking.fqdn
+ config.networking.access.hostnameForNetwork.local
+ ]
+ (mkIf config.services.tailscale.enable [
+ "id.tail.${config.networking.domain}"
+ config.networking.access.hostnameForNetwork.tail
+ ])
+ ];
+
+ networking.firewall.allowedTCPPorts = [
+ 389 636
+ ];
+ };
+}
diff --git a/nixos/kanidm.nix b/nixos/kanidm.nix
index bcaa11a7..7a6cb58d 100644
--- a/nixos/kanidm.nix
+++ b/nixos/kanidm.nix
@@ -11,7 +11,6 @@ in {
 enableClient = true;
 server = {
 unencrypted.enable = mkDefault true;
- openFirewall = mkDefault true;
 frontend = {
 domain = mkDefault "id.${cfg.serverSettings.domain}";
 address = mkDefault "0.0.0.0";
diff --git a/systems/tei/nixos.nix b/systems/tei/nixos.nix
index 5e6946e0..1e25e878 100644
--- a/systems/tei/nixos.nix
+++ b/systems/tei/nixos.nix
@@ -14,6 +14,7 @@
 nixos.access.gensokyo
 nixos.access.zigbee2mqtt
 nixos.access.home-assistant
+ nixos.access.kanidm
 nixos.vouch
 nixos.kanidm
 nixos.mosquitto
diff --git a/tf/cloudflare_records.tf b/tf/cloudflare_records.tf
index 917c80ce..93afd8ae 100644
--- a/tf/cloudflare_records.tf
+++ b/tf/cloudflare_records.tf
@@ -30,6 +30,7 @@ module "tewi_system_records" {
 local_v4 = "10.1.1.39"
 local_v6 = "fd0a::be24:11ff:fecc:6657"
 local_subdomains = [
+ "id",
 "mqtt",
 "z2m",
 "home",
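Review bot: Both stream `server` blocks in `streamConfig` of nixos/access/kanidm.nix set `proxy_ssl_verify off;`, so nginx relays LDAP binds to the kanidm backend over a TLS hop it never authenticates, even though this same file already has the snake-oil CA at hand as `cfg.server.unencrypted.package.ca` for the `/ca.pem` location. Assuming kanidm serves the module's default snake-oil certificate, `proxy_ssl_trusted_certificate ${cfg.server.unencrypted.package.ca};`, `proxy_ssl_verify on;` and `proxy_ssl_name ${access.localDomain};` in each block would verify the hop with no new material; the name is needed because the default is the `proxy_pass` host, i.e. `localhost`, which is not among the names this file adds to the certificate. The 389 listener is gated by `${allows}` but the 636 listener has no allow/deny block while `allowedTCPPorts` opens both, so LDAPS is reachable from every interface the host has; if 636 is meant to follow 389, `${allows}` belongs in the second block as well. The `id` record in tf/cloudflare_records.tf is added only to `local_subdomains`, which suggests the narrower exposure is what was intended, though that is inferred.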