mirror of
https://github.com/gensokyo-zone/infrastructure.git
synced 2026-02-09 04:19:19 -08:00
42 lines
1.1 KiB
Nix
42 lines
1.1 KiB
Nix
{ pkgs, config, tf,... }: let
|
|
conf = import ./snakeoil-certs.nix;
|
|
domain = conf.domain;
|
|
unencryptedCert = with pkgs; runCommand "kanidm-cert" {
|
|
domain = "id.gensokyo.zone";
|
|
nativeBuildInputs = [ minica ];
|
|
} ''
|
|
install -d $out
|
|
cd $out
|
|
minica \
|
|
--ca-key ca.key.pem \
|
|
--ca-cert ca.cert.pem \
|
|
--domains $domain
|
|
cat $domain/cert.pem ca.cert.pem > $domain.pem
|
|
'';
|
|
in {
|
|
networks.gensokyo = {
|
|
tcp = [ 8081 636 ];
|
|
};
|
|
|
|
services.kanidm = {
|
|
enableServer = true;
|
|
enablePam = false;
|
|
enableClient = true;
|
|
clientSettings = {
|
|
uri = "https://id.gensokyo.zone";
|
|
verify_ca = true;
|
|
verify_hostnames = true;
|
|
};
|
|
serverSettings = {
|
|
domain = "gensokyo.zone";
|
|
origin = "https://id.gensokyo.zone";
|
|
role = "WriteReplica";
|
|
log_level = "default";
|
|
db_fs_type = "zfs";
|
|
bindaddress = "0.0.0.0:8081";
|
|
ldapbindaddress = "0.0.0.0:636";
|
|
tls_chain = "${unencryptedCert}/${unencryptedCert.domain}.pem";
|
|
tls_key = "${unencryptedCert}/${unencryptedCert.domain}/key.pem";
|
|
};
|
|
};
|
|
}
|