swarsel/.dotfiles
1
0
Fork 0
mirror of https://github.com/Swarsel/.dotfiles.git synced 2025-12-06 00:57:22 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat[server]: improve kanidm config

Browse source
This commit is contained in:
Leon Schwarzäugl 2025-11-17 22:45:44 +01:00
parent 4464041c31
commit 80afe6964d
Signed by: swarsel
GPG key ID: 26A54C31F2A4FD84
2 changed files with 64 additions and 14 deletions
Download patch file Download diff file Expand all files Collapse all files

39
SwarselSystems.org
View file

@ -9694,8 +9694,18 @@ To get other URLs (token, etc.), use https://<kanidmDomain>/oauth2/openid/<clien
certBase = "/etc/ssl"; certBase = "/etc/ssl";
certsDir = "${certBase}/certs"; certsDir = "${certBase}/certs";
privateDir = "${certBase}/private"; privateDir = "${certBase}/private";
certPath = "${certsDir}/${serviceName}.crt"; certPathBase = "${certsDir}/${serviceName}.crt";
keyPath = "${privateDir}/${serviceName}.key"; certPath =
if config.swarselsystems.isImpermanence then
"/persist${certPathBase}"
else
"${certPathBase}";
keyPathBase = "${privateDir}/${serviceName}.key";
keyPath =
if config.swarselsystems.isImpermanence then
"/persist${keyPathBase}"
else
"${keyPathBase}";
in in
{ {
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
@ -9728,6 +9738,16 @@ To get other URLs (token, etc.), use https://<kanidmDomain>/oauth2/openid/<clien
globals.services.${serviceName}.domain = serviceDomain; globals.services.${serviceName}.domain = serviceDomain;
environment.persistence."/persist" = lib.mkIf config.swarselsystems.isImpermanence {
files = [
certPathBase
keyPathBase
];
};
system.activationScripts."createPersistentStorageDirs" = lib.mkIf config.swarselsystems.isImpermanence {
deps = [ "generateSSLCert-${serviceName}" "users" "groups" ];
};
system.activationScripts."generateSSLCert-${serviceName}" = system.activationScripts."generateSSLCert-${serviceName}" =
let let
daysValid = 3650; daysValid = 3650;
@ -9738,13 +9758,15 @@ To get other URLs (token, etc.), use https://<kanidmDomain>/oauth2/openid/<clien
set -eu set -eu
${pkgs.coreutils}/bin/install -d -m 0755 ${certsDir} ${pkgs.coreutils}/bin/install -d -m 0755 ${certsDir}
${if config.swarselsystems.isImpermanence then "${pkgs.coreutils}/bin/install -d -m 0755 /persist${certsDir}" else ""}
${pkgs.coreutils}/bin/install -d -m 0750 ${privateDir} ${pkgs.coreutils}/bin/install -d -m 0750 ${privateDir}
${if config.swarselsystems.isImpermanence then "${pkgs.coreutils}/bin/install -d -m 0750 /persist${privateDir}" else ""}
need_gen=0 need_gen=0
if [ ! -f "${certPath}" ] || [ ! -f "${keyPath}" ]; then if [ ! -f "${certPathBase}" ] || [ ! -f "${keyPathBase}" ]; then
need_gen=1 need_gen=1
else else
enddate="$(${pkgs.openssl}/bin/openssl x509 -noout -enddate -in "${certPath}" | cut -d= -f2)" enddate="$(${pkgs.openssl}/bin/openssl x509 -noout -enddate -in "${certPathBase}" | cut -d= -f2)"
end_epoch="$(${pkgs.coreutils}/bin/date -d "$enddate" +%s)" end_epoch="$(${pkgs.coreutils}/bin/date -d "$enddate" +%s)"
now_epoch="$(${pkgs.coreutils}/bin/date +%s)" now_epoch="$(${pkgs.coreutils}/bin/date +%s)"
seconds_left=$(( end_epoch - now_epoch )) seconds_left=$(( end_epoch - now_epoch ))
@ -9766,7 +9788,10 @@ To get other URLs (token, etc.), use https://<kanidmDomain>/oauth2/openid/<clien
chown ${serviceUser}:${serviceGroup} "${certPath}" "${keyPath}" chown ${serviceUser}:${serviceGroup} "${certPath}" "${keyPath}"
fi fi
''; '';
deps = [ "etc" ]; deps = [
"etc"
(lib.mkIf config.swarselsystems.isImpermanence "specialfs")
];
}; };
services = { services = {
@ -9777,9 +9802,9 @@ To get other URLs (token, etc.), use https://<kanidmDomain>/oauth2/openid/<clien
domain = serviceDomain; domain = serviceDomain;
origin = "https://${serviceDomain}"; origin = "https://${serviceDomain}";
# tls_chain = config.sops.secrets.kanidm-self-signed-crt.path; # tls_chain = config.sops.secrets.kanidm-self-signed-crt.path;
tls_chain = certPath; tls_chain = certPathBase;
# tls_key = config.sops.secrets.kanidm-self-signed-key.path; # tls_key = config.sops.secrets.kanidm-self-signed-key.path;
tls_key = keyPath; tls_key = keyPathBase;
bindaddress = "0.0.0.0:${toString servicePort}"; bindaddress = "0.0.0.0:${toString servicePort}";
trust_x_forward_for = true; trust_x_forward_for = true;
}; };

39
modules/nixos/server/kanidm.nix
View file

@ -20,8 +20,18 @@ let
certBase = "/etc/ssl"; certBase = "/etc/ssl";
certsDir = "${certBase}/certs"; certsDir = "${certBase}/certs";
privateDir = "${certBase}/private"; privateDir = "${certBase}/private";
certPath = "${certsDir}/${serviceName}.crt"; certPathBase = "${certsDir}/${serviceName}.crt";
keyPath = "${privateDir}/${serviceName}.key"; certPath =
if config.swarselsystems.isImpermanence then
"/persist${certPathBase}"
else
"${certPathBase}";
keyPathBase = "${privateDir}/${serviceName}.key";
keyPath =
if config.swarselsystems.isImpermanence then
"/persist${keyPathBase}"
else
"${keyPathBase}";
in in
{ {
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
@ -54,6 +64,16 @@ in
globals.services.${serviceName}.domain = serviceDomain; globals.services.${serviceName}.domain = serviceDomain;
environment.persistence."/persist" = lib.mkIf config.swarselsystems.isImpermanence {
files = [
certPathBase
keyPathBase
];
};
system.activationScripts."createPersistentStorageDirs" = lib.mkIf config.swarselsystems.isImpermanence {
deps = [ "generateSSLCert-${serviceName}" "users" "groups" ];
};
system.activationScripts."generateSSLCert-${serviceName}" = system.activationScripts."generateSSLCert-${serviceName}" =
let let
daysValid = 3650; daysValid = 3650;
@ -64,13 +84,15 @@ in
set -eu set -eu
${pkgs.coreutils}/bin/install -d -m 0755 ${certsDir} ${pkgs.coreutils}/bin/install -d -m 0755 ${certsDir}
${if config.swarselsystems.isImpermanence then "${pkgs.coreutils}/bin/install -d -m 0755 /persist${certsDir}" else ""}
${pkgs.coreutils}/bin/install -d -m 0750 ${privateDir} ${pkgs.coreutils}/bin/install -d -m 0750 ${privateDir}
${if config.swarselsystems.isImpermanence then "${pkgs.coreutils}/bin/install -d -m 0750 /persist${privateDir}" else ""}
need_gen=0 need_gen=0
if [ ! -f "${certPath}" ] || [ ! -f "${keyPath}" ]; then if [ ! -f "${certPathBase}" ] || [ ! -f "${keyPathBase}" ]; then
need_gen=1 need_gen=1
else else
enddate="$(${pkgs.openssl}/bin/openssl x509 -noout -enddate -in "${certPath}" | cut -d= -f2)" enddate="$(${pkgs.openssl}/bin/openssl x509 -noout -enddate -in "${certPathBase}" | cut -d= -f2)"
end_epoch="$(${pkgs.coreutils}/bin/date -d "$enddate" +%s)" end_epoch="$(${pkgs.coreutils}/bin/date -d "$enddate" +%s)"
now_epoch="$(${pkgs.coreutils}/bin/date +%s)" now_epoch="$(${pkgs.coreutils}/bin/date +%s)"
seconds_left=$(( end_epoch - now_epoch )) seconds_left=$(( end_epoch - now_epoch ))
@ -92,7 +114,10 @@ in
chown ${serviceUser}:${serviceGroup} "${certPath}" "${keyPath}" chown ${serviceUser}:${serviceGroup} "${certPath}" "${keyPath}"
fi fi
''; '';
deps = [ "etc" ]; deps = [
"etc"
(lib.mkIf config.swarselsystems.isImpermanence "specialfs")
];
}; };
services = { services = {
@ -103,9 +128,9 @@ in
domain = serviceDomain; domain = serviceDomain;
origin = "https://${serviceDomain}"; origin = "https://${serviceDomain}";
# tls_chain = config.sops.secrets.kanidm-self-signed-crt.path; # tls_chain = config.sops.secrets.kanidm-self-signed-crt.path;
tls_chain = certPath; tls_chain = certPathBase;
# tls_key = config.sops.secrets.kanidm-self-signed-key.path; # tls_key = config.sops.secrets.kanidm-self-signed-key.path;
tls_key = keyPath; tls_key = keyPathBase;
bindaddress = "0.0.0.0:${toString servicePort}"; bindaddress = "0.0.0.0:${toString servicePort}";
trust_x_forward_for = true; trust_x_forward_for = true;
}; };