feat(kanidm): expose ldap

2026-02-09 12:29:19 -08:00 · 2024-01-21 16:35:30 -08:00 · 2024-01-21 16:35:30 -08:00 · 6ba09ac7ec
commit 6ba09ac7ec
parent 24a8471427
5 changed files with 122 additions and 11 deletions
--- a/modules/nixos/kanidm.nix
+++ b/modules/nixos/kanidm.nix
@ -4,7 +4,7 @@
  config,
  ...
 }: let
-  inherit (lib) mkIf mkMerge mkDefault mkOptionDefault mkEnableOption mkOption;
+  inherit (lib) mkIf mkMerge mkBefore mkDefault mkOptionDefault mkEnableOption mkOption;
  cfg = config.services.kanidm;
 in {
  options.services.kanidm = with lib.types; {
@ -13,8 +13,7 @@ in {
      unencrypted = {
        enable = mkEnableOption "snake oil certificate";
        domain = mkOption {
-          type = str;
-          default = cfg.server.frontend.domain;
+          type = listOf str;
        };
        package = mkOption {
          type = package;
@ -42,7 +41,7 @@ in {
        };
        port = mkOption {
          type = port;
-          default = 636;
+          default = 3636;
        };
      };
    };
@ -55,12 +54,15 @@ in {
    ];

    services.kanidm = {
-      server.unencrypted.package = let
+      server.unencrypted = {
+        domain = mkBefore [ cfg.server.frontend.domain ];
+        package = let
          cert = pkgs.mkSnakeOil {
            name = "kanidm-cert";
            inherit (cfg.server.unencrypted) domain;
          };
        in mkOptionDefault cert;
+      };
      clientSettings = mkIf cfg.enableServer {
        uri = mkDefault cfg.serverSettings.origin;
      };
--- a/nixos/access/kanidm.nix
+++ b/nixos/access/kanidm.nix
@ -0,0 +1,108 @@
+{
+  config,
+  lib,
+  ...
+}:
+let
+  inherit (lib.options) mkOption;
+  inherit (lib.modules) mkIf mkMerge mkDefault mkOptionDefault;
+  inherit (lib.strings) optionalString;
+  cfg = config.services.kanidm;
+  access = config.services.nginx.access.kanidm;
+  proxyPass = mkDefault "http://${access.host}:${toString access.port}";
+  locations = {
+    "/" = {
+      inherit proxyPass;
+    };
+    "=/ca.pem" = {
+      alias = "${cfg.server.unencrypted.package.ca}";
+    };
+  };
+  allows = optionalString config.services.tailscale.enable ''
+    allow fd7a:115c:a1e0::/96;
+    allow fd7a:115c:a1e0:ab12::/64;
+    allow 100.64.0.0/10;
+  '' + ''
+    allow 10.1.1.0/24;
+    allow fd0a::/64;
+    deny all;
+  '';
+in {
+  options.services.nginx.access.kanidm = with lib.types; {
+    host = mkOption {
+      type = str;
+    };
+    domain = mkOption {
+      type = str;
+    };
+    localDomain = mkOption {
+      type = str;
+      default = "id.local.${config.networking.domain}";
+    };
+    port = mkOption {
+      type = port;
+    };
+    ldapPort = mkOption {
+      type = port;
+    };
+  };
+  config = {
+    services.nginx = {
+      access.kanidm = mkIf cfg.enableServer {
+        domain = mkOptionDefault cfg.server.frontend.domain;
+        host = mkOptionDefault "localhost";
+        port = mkOptionDefault cfg.server.frontend.port;
+        ldapPort = mkOptionDefault cfg.server.ldap.port;
+      };
+      streamConfig = ''
+        server {
+          listen 0.0.0.0:389;
+          listen [::]:389;
+          ${allows}
+          proxy_pass ${access.host}:${toString access.ldapPort};
+          proxy_ssl on;
+          proxy_ssl_verify off;
+        }
+        server {
+          listen 0.0.0.0:636 ssl;
+          listen [::]:636 ssl;
+          ssl_certificate ${cfg.serverSettings.tls_chain};
+          ssl_certificate_key ${cfg.serverSettings.tls_key};
+          proxy_pass ${access.host}:${toString access.ldapPort};
+          proxy_ssl on;
+          proxy_ssl_verify off;
+        }
+      '';
+
+      virtualHosts = {
+        ${access.domain} = {
+          inherit locations;
+        };
+        ${access.localDomain} = {
+          local.enable = true;
+          inherit locations;
+        };
+        "id.tail.${config.networking.domain}" = mkIf config.services.tailscale.enable {
+          local.enable = true;
+          inherit locations;
+        };
+      };
+    };
+
+    services.kanidm.server.unencrypted.domain = mkMerge [
+      [
+        access.localDomain
+        config.networking.fqdn
+        config.networking.access.hostnameForNetwork.local
+      ]
+      (mkIf config.services.tailscale.enable [
+        "id.tail.${config.networking.domain}"
+        config.networking.access.hostnameForNetwork.tail
+      ])
+    ];
+
+    networking.firewall.allowedTCPPorts = [
+      389 636
+    ];
+  };
+}
--- a/nixos/kanidm.nix
+++ b/nixos/kanidm.nix
@ -11,7 +11,6 @@ in {
    enableClient = true;
    server = {
      unencrypted.enable = mkDefault true;
-      openFirewall = mkDefault true;
      frontend = {
        domain = mkDefault "id.${cfg.serverSettings.domain}";
        address = mkDefault "0.0.0.0";
--- a/systems/tei/nixos.nix
+++ b/systems/tei/nixos.nix
@ -14,6 +14,7 @@
    nixos.access.gensokyo
    nixos.access.zigbee2mqtt
    nixos.access.home-assistant
+    nixos.access.kanidm
    nixos.vouch
    nixos.kanidm
    nixos.mosquitto
--- a/tf/cloudflare_records.tf
+++ b/tf/cloudflare_records.tf
@ -30,6 +30,7 @@ module "tewi_system_records" {
  local_v4     = "10.1.1.39"
  local_v6     = "fd0a::be24:11ff:fecc:6657"
  local_subdomains = [
+    "id",
    "mqtt",
    "z2m",
    "home",