infrastructure/modules/nixos/kanidm.nix

{
  lib,
  pkgs,
  config,
  ...
}: let
  inherit (lib) mkIf mkMerge mkDefault mkOptionDefault mkEnableOption mkOption;
  cfg = config.services.kanidm;
in {
  options.services.kanidm = with lib.types; {
    server = {
      openFirewall = mkEnableOption "firewall ports";
      unencrypted = {
        enable = mkEnableOption "snake oil certificate";
        domain = mkOption {
          type = str;
          default = cfg.server.frontend.domain;
        };
        package = mkOption {
          type = package;
        };
      };
      frontend = {
        domain = mkOption {
          type = nullOr str;
          default = cfg.serverSettings.domain;
        };
        address = mkOption {
          type = str;
          default = "127.0.0.1";
        };
        port = mkOption {
          type = port;
          default = 8081;
        };
      };
      ldap = {
        enable = mkEnableOption "LDAP interface";
        address = mkOption {
          type = str;
          default = "127.0.0.1";
        };
        port = mkOption {
          type = port;
          default = 636;
        };
      };
    };
  };

  config = {
    networking.firewall.allowedTCPPorts = mkIf (cfg.enableServer && cfg.server.openFirewall) [
      cfg.server.frontend.port
      cfg.server.ldap.port
    ];

    services.kanidm = {
      server.unencrypted.package = let
        cert = pkgs.runCommand "kanidm-cert" {
          inherit (cfg.server.unencrypted) domain;
          nativeBuildInputs = [ pkgs.buildPackages.minica ];
        } ''
          install -d $out
          cd $out
          minica \
            --ca-key ca.key.pem \
            --ca-cert ca.cert.pem \
            --domains $domain
          cat $domain/cert.pem ca.cert.pem > $domain.pem
        '';
      in mkOptionDefault cert;
      clientSettings = mkIf cfg.enableServer {
        uri = mkDefault cfg.serverSettings.origin;
      };
      serverSettings = mkMerge [
        {
          domain = mkDefault config.networking.domain;
          origin = mkDefault "https://${cfg.server.frontend.domain}";
          bindaddress = mkDefault "${cfg.server.frontend.address}:${toString cfg.server.frontend.port}";
          ldapbindaddress = mkIf cfg.server.ldap.enable (
            mkDefault "${cfg.server.ldap.address}:${toString cfg.server.ldap.port}"
          );
        }
        (mkIf cfg.server.unencrypted.enable {
          tls_chain = "${cfg.server.unencrypted.package}/${cfg.server.unencrypted.domain}.pem";
          tls_key = "${cfg.server.unencrypted.package}/${cfg.server.unencrypted.domain}/key.pem";
        })
      ];
    };
  };
}