feat(hakurei): kanidm access
This commit is contained in:
parent
a8cd175500
commit
b85e850dd6
10 changed files with 322 additions and 35 deletions
|
|
@ -1,9 +1,14 @@
|
|||
{
|
||||
config,
|
||||
meta,
|
||||
lib,
|
||||
access,
|
||||
...
|
||||
}: {
|
||||
}: let
|
||||
inherit (lib.modules) mkIf mkMerge;
|
||||
mediabox = access.systemFor "mediabox";
|
||||
tei = access.systemFor "tei";
|
||||
in {
|
||||
imports = let
|
||||
inherit (meta) nixos;
|
||||
in [
|
||||
|
|
@ -12,7 +17,10 @@
|
|||
nixos.reisen-ct
|
||||
nixos.tailscale
|
||||
nixos.cloudflared
|
||||
nixos.acme
|
||||
nixos.nginx
|
||||
nixos.access.global
|
||||
nixos.access.kanidm
|
||||
nixos.access.proxmox
|
||||
nixos.access.plex
|
||||
];
|
||||
|
|
@ -33,10 +41,56 @@
|
|||
};
|
||||
};
|
||||
|
||||
services.nginx.access = {
|
||||
plex.url = let
|
||||
system = access.systemFor "mediabox";
|
||||
in "http://${system.networking.access.hostnameForNetwork.local}:32400";
|
||||
security.acme.certs = let
|
||||
inherit (config.services) nginx;
|
||||
inherit (nginx) access;
|
||||
in {
|
||||
${access.kanidm.domain} = {
|
||||
inherit (nginx) group;
|
||||
extraDomainNames = mkMerge [
|
||||
[ access.kanidm.localDomain ]
|
||||
(mkIf config.services.tailscale.enable [ access.kanidm.tailDomain ])
|
||||
];
|
||||
};
|
||||
${access.proxmox.domain} = {
|
||||
inherit (nginx) group;
|
||||
extraDomainNames = mkMerge [
|
||||
[ access.proxmox.localDomain ]
|
||||
(mkIf config.services.tailscale.enable [ access.proxmox.tailDomain ])
|
||||
];
|
||||
};
|
||||
${access.plex.domain} = {
|
||||
inherit (nginx) group;
|
||||
extraDomainNames = [ access.plex.localDomain ];
|
||||
};
|
||||
};
|
||||
|
||||
services.nginx = let
|
||||
inherit (config.services.nginx) access;
|
||||
inherit (mediabox.services) plex;
|
||||
inherit (tei.services) kanidm;
|
||||
in {
|
||||
access.plex = assert plex.enable; {
|
||||
url = "http://${mediabox.networking.access.hostnameForNetwork.local}:32400";
|
||||
};
|
||||
access.kanidm = assert kanidm.enableServer; {
|
||||
domain = kanidm.server.frontend.domain;
|
||||
host = tei.networking.access.hostnameForNetwork.local;
|
||||
port = kanidm.server.frontend.port;
|
||||
ldapPort = kanidm.server.ldap.port;
|
||||
};
|
||||
virtualHosts = {
|
||||
${access.kanidm.domain} = {
|
||||
useACMEHost = access.kanidm.domain;
|
||||
};
|
||||
${access.proxmox.domain} = {
|
||||
useACMEHost = access.proxmox.domain;
|
||||
};
|
||||
${access.plex.domain} = {
|
||||
addSSL = true;
|
||||
useACMEHost = access.plex.domain;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
systemd.network.networks.eth0 = {
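Review bot: In the `virtualHosts` block the `${access.kanidm.domain}` and `${access.proxmox.domain}` hosts set only `useACMEHost`, while the plex host also gets `addSSL = true`; in the NixOS nginx module a virtual host with none of `addSSL`/`forceSSL`/`onlySSL` does not listen on 443 at all, so unless `nixos.access.kanidm` / `nixos.access.proxmox` (imported at the top of this file, not in this diff) set one of those, the identity provider and the hypervisor UI are served over plain HTTP and the certificate requested in `security.acme.certs` is never used. For an IdP the right setting is `forceSSL = true;` (redirect, no plain-HTTP fallback), since WebAuthn and secure session cookies require an HTTPS origin, and the same applies to the Proxmox host; plex's `addSSL` deliberately keeps port 80 open next to 443, which may be intended for local clients. A related caveat: kanidm's own frontend and LDAP listeners are TLS-only by default, so the `host`/`port`/`ldapPort` handed to the access module should be proxied with `https://` / LDAPS rather than plaintext — confirm in `nixos.access.kanidm`. The `services.nginx = let … in { … }` attribute set is fully inside this hunk; `systemd.network.networks.eth0` continues past its end.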
|
||||
|
|
|
|||
|
|
@ -14,7 +14,6 @@
|
|||
nixos.access.gensokyo
|
||||
nixos.access.zigbee2mqtt
|
||||
nixos.access.home-assistant
|
||||
nixos.access.kanidm
|
||||
nixos.vouch
|
||||
nixos.kanidm
|
||||
nixos.mosquitto
|
||||
|
|
@ -26,6 +25,10 @@
|
|||
|
||||
sops.defaultSopsFile = ./secrets.yaml;
|
||||
|
||||
services.kanidm = {
|
||||
server.openFirewall = true;
|
||||
};
|
||||
|
||||
systemd.network.networks.eth0 = {
|
||||
name = "eth0";
|
||||
matchConfig = {
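Review bot: `server.openFirewall = true;` opens kanidm's listener(s) on every interface to any source, while the only intended client after this commit is the nginx proxy on hakurei (which now imports `nixos.access.kanidm` in place of this host); that lets any LAN client reach kanidm directly, bypassing whatever access policy nginx enforces, and also exposes LDAP if the module opens `server.ldap.port` alongside `server.frontend.port` (both options are referenced from hakurei's side of this commit — confirm which ports `openFirewall` covers in `nixos.kanidm`). Scope the rule to the interface, `networking.firewall.interfaces.eth0.allowedTCPPorts = [ config.services.kanidm.server.frontend.port ];` instead of `server.openFirewall = true;`, and ideally to hakurei's address with an nftables/`extraCommands` rule. kanidm terminates TLS on that port by default, so this is about reachability and policy bypass rather than plaintext exposure. The enclosing attribute set starts outside this hunk and `systemd.network.networks.eth0` continues past its end.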
|
||||
|
|
|
|||