feat(kanidm): expose ldap

2026-02-09 12:29:19 -08:00 · 2024-01-21 16:35:30 -08:00 · 2024-01-21 16:35:30 -08:00 · 6ba09ac7ec
commit 6ba09ac7ec
parent 24a8471427
5 changed files with 122 additions and 11 deletions
--- a/nixos/access/kanidm.nix
+++ b/nixos/access/kanidm.nix
@ -0,0 +1,108 @@
+{
+  config,
+  lib,
+  ...
+}:
+let
+  inherit (lib.options) mkOption;
+  inherit (lib.modules) mkIf mkMerge mkDefault mkOptionDefault;
+  inherit (lib.strings) optionalString;
+  cfg = config.services.kanidm;
+  access = config.services.nginx.access.kanidm;
+  proxyPass = mkDefault "http://${access.host}:${toString access.port}";
+  locations = {
+    "/" = {
+      inherit proxyPass;
+    };
+    "=/ca.pem" = {
+      alias = "${cfg.server.unencrypted.package.ca}";
+    };
+  };
+  allows = optionalString config.services.tailscale.enable ''
+    allow fd7a:115c:a1e0::/96;
+    allow fd7a:115c:a1e0:ab12::/64;
+    allow 100.64.0.0/10;
+  '' + ''
+    allow 10.1.1.0/24;
+    allow fd0a::/64;
+    deny all;
+  '';
+in {
+  options.services.nginx.access.kanidm = with lib.types; {
+    host = mkOption {
+      type = str;
+    };
+    domain = mkOption {
+      type = str;
+    };
+    localDomain = mkOption {
+      type = str;
+      default = "id.local.${config.networking.domain}";
+    };
+    port = mkOption {
+      type = port;
+    };
+    ldapPort = mkOption {
+      type = port;
+    };
+  };
+  config = {
+    services.nginx = {
+      access.kanidm = mkIf cfg.enableServer {
+        domain = mkOptionDefault cfg.server.frontend.domain;
+        host = mkOptionDefault "localhost";
+        port = mkOptionDefault cfg.server.frontend.port;
+        ldapPort = mkOptionDefault cfg.server.ldap.port;
+      };
+      streamConfig = ''
+        server {
+          listen 0.0.0.0:389;
+          listen [::]:389;
+          ${allows}
+          proxy_pass ${access.host}:${toString access.ldapPort};
+          proxy_ssl on;
+          proxy_ssl_verify off;
+        }
+        server {
+          listen 0.0.0.0:636 ssl;
+          listen [::]:636 ssl;
+          ssl_certificate ${cfg.serverSettings.tls_chain};
+          ssl_certificate_key ${cfg.serverSettings.tls_key};
+          proxy_pass ${access.host}:${toString access.ldapPort};
+          proxy_ssl on;
+          proxy_ssl_verify off;
+        }
+      '';
+
+      virtualHosts = {
+        ${access.domain} = {
+          inherit locations;
+        };
+        ${access.localDomain} = {
+          local.enable = true;
+          inherit locations;
+        };
+        "id.tail.${config.networking.domain}" = mkIf config.services.tailscale.enable {
+          local.enable = true;
+          inherit locations;
+        };
+      };
+    };
+
+    services.kanidm.server.unencrypted.domain = mkMerge [
+      [
+        access.localDomain
+        config.networking.fqdn
+        config.networking.access.hostnameForNetwork.local
+      ]
+      (mkIf config.services.tailscale.enable [
+        "id.tail.${config.networking.domain}"
+        config.networking.access.hostnameForNetwork.tail
+      ])
+    ];
+
+    networking.firewall.allowedTCPPorts = [
+      389 636
+    ];
+  };
+}