nixos-config/hosts/cepheus/kanidm.nix

{ config, pkgs, lib, ... }:
let
  kanidmPort = 1888;
in {
  age.secrets.kanidm-admin-password = lib.mkSecret "kanidm";
  age.secrets.kanidm-idm-admin-password = lib.mkSecret "kanidm";
  users.groups.kanidm = {};
  users.users.kanidm.group = "kanidm";
  users.users.kanidm.isSystemUser = true;

  containers.kanidm = {
    autoStart = true;
    bindMounts = {
      "/certs" = { hostPath = "/nix/persist/services/kanidm/certs"; isReadOnly = false; };
      "/var/lib/kanidm" = { hostPath = "/nix/persist/services/kanidm/db"; isReadOnly = false; };
      # "${config.age.secretsDir}" = { hostPath = config.age.secretsDir; isReadOnly = true; };
      "/run/agenix" = { hostPath = "/run/agenix"; isReadOnly = false; };
    };
    # tmpfs = [ "/" ];
    hostAddress = "192.168.101.10";
    localAddress = "192.168.101.11";
    privateNetwork = true;
    # privateNetwork = false;

    config = { lib, ... }: {
      imports = [
        # ../../modules/global/nix.nix
        ../../modules/global/dnscrypt-proxy.nix
      ];

      services.kanidm = {
        enableServer = true;
        package = pkgs.kanidmWithSecretProvisioning;
        enableClient = true;
        serverSettings = {
          domain = "idm.nothing.run";
          origin = "https://idm.nothing.run";
          # bindaddress = "127.0.0.1:${toString kanidmPort}";
          bindaddress = "0.0.0.0:${toString kanidmPort}";
          log_level = "trace";
          trust_x_forward_for = true;

          tls_chain = "/certs/chain.pem";
          tls_key = "/certs/key.pem";
        };
        clientSettings = {
          uri = "https://127.0.0.1:${toString kanidmPort}";
          verify_ca = false;
          verify_hostnames = false;
        };
        provision = lib.mkMerge [
          { enable = lib.mkForce true; }
          config.services.kanidm.provision
        ];
      };

      networking.firewall = {
        enable = true;
        allowedTCPPorts = [ kanidmPort ];
      };
      system.stateVersion = "25.05";
    };
  };

  services.kanidm.provision = {
    acceptInvalidCerts = true;
    instanceUrl = "https://127.0.0.1:${toString kanidmPort}";

    adminPasswordFile = config.age.secrets.kanidm-admin-password.path;
    idmAdminPasswordFile = config.age.secrets.kanidm-idm-admin-password.path;
    groups.admins = {};
    
    persons = {
      "thary" = {
        "displayName" = "Thary";
        "mailAddresses" = [
          "thary@riseup.net"
          "thary@nothing.run"
        ];
        groups = [
          "gitea.access" "gitea.admins"
          "miniflux.access"
        ];
      };
    };
  };

  imp.home.dirs = [ ".cache/kanidm_tokens" ];
  services.kanidm.enableClient = true;
  services.kanidm.clientSettings = {
    uri = "https://idm.nothing.run";
    verify_ca = true;
    verify_hostnames = true;
  };
  
  services.caddy.virtualHosts = {
    "idm.nothing.run".extraConfig = ''
      reverse_proxy https://192.168.101.11:${toString kanidmPort} {
        transport http {
          tls
          tls_insecure_skip_verify
        }
      }
    '';
  };

}
Initial commit 2025-08-20 18:24:02 +03:00			`{ config, pkgs, lib, ... }:`
			`let`
			`kanidmPort = 1888;`
			`in {`
			`age.secrets.kanidm-admin-password = lib.mkSecret "kanidm";`
			`age.secrets.kanidm-idm-admin-password = lib.mkSecret "kanidm";`
			`users.groups.kanidm = {};`
			`users.users.kanidm.group = "kanidm";`
			`users.users.kanidm.isSystemUser = true;`

			`containers.kanidm = {`
			`autoStart = true;`
			`bindMounts = {`
			`"/certs" = { hostPath = "/nix/persist/services/kanidm/certs"; isReadOnly = false; };`
			`"/var/lib/kanidm" = { hostPath = "/nix/persist/services/kanidm/db"; isReadOnly = false; };`
			`# "${config.age.secretsDir}" = { hostPath = config.age.secretsDir; isReadOnly = true; };`
			`"/run/agenix" = { hostPath = "/run/agenix"; isReadOnly = false; };`
			`};`
			`# tmpfs = [ "/" ];`
			`hostAddress = "192.168.101.10";`
			`localAddress = "192.168.101.11";`
			`privateNetwork = true;`
			`# privateNetwork = false;`

			`config = { lib, ... }: {`
			`imports = [`
			`# ../../modules/global/nix.nix`
			`../../modules/global/dnscrypt-proxy.nix`
			`];`

			`services.kanidm = {`
			`enableServer = true;`
			`package = pkgs.kanidmWithSecretProvisioning;`
			`enableClient = true;`
			`serverSettings = {`
			`domain = "idm.nothing.run";`
			`origin = "https://idm.nothing.run";`
			`# bindaddress = "127.0.0.1:${toString kanidmPort}";`
			`bindaddress = "0.0.0.0:${toString kanidmPort}";`
			`log_level = "trace";`
			`trust_x_forward_for = true;`

			`tls_chain = "/certs/chain.pem";`
			`tls_key = "/certs/key.pem";`
			`};`
			`clientSettings = {`
			`uri = "https://127.0.0.1:${toString kanidmPort}";`
			`verify_ca = false;`
			`verify_hostnames = false;`
			`};`
			`provision = lib.mkMerge [`
			`{ enable = lib.mkForce true; }`
			`config.services.kanidm.provision`
			`];`
			`};`

			`networking.firewall = {`
			`enable = true;`
			`allowedTCPPorts = [ kanidmPort ];`
			`};`
			`system.stateVersion = "25.05";`
			`};`
			`};`

			`services.kanidm.provision = {`
			`acceptInvalidCerts = true;`
			`instanceUrl = "https://127.0.0.1:${toString kanidmPort}";`

			`adminPasswordFile = config.age.secrets.kanidm-admin-password.path;`
			`idmAdminPasswordFile = config.age.secrets.kanidm-idm-admin-password.path;`
			`groups.admins = {};`

			`persons = {`
			`"thary" = {`
			`"displayName" = "Thary";`
			`"mailAddresses" = [`
			`"thary@riseup.net"`
			`"thary@nothing.run"`
			`];`
			`groups = [`
			`"gitea.access" "gitea.admins"`
			`"miniflux.access"`
			`];`
			`};`
			`};`
			`};`

			`imp.home.dirs = [ ".cache/kanidm_tokens" ];`
			`services.kanidm.enableClient = true;`
			`services.kanidm.clientSettings = {`
			`uri = "https://idm.nothing.run";`
			`verify_ca = true;`
			`verify_hostnames = true;`
			`};`

			`services.caddy.virtualHosts = {`
			`"idm.nothing.run".extraConfig = ''`
			`reverse_proxy https://192.168.101.11:${toString kanidmPort} {`
			`transport http {`
			`tls`
			`tls_insecure_skip_verify`
			`}`
			`}`
			`'';`
			`};`

			`}`