Initial commit

2025-08-20 18:24:02 +03:00
commit 2dec42d487
116 changed files with 6591 additions and 0 deletions
--- a/hosts/cepheus/kanidm.nix
+++ b/hosts/cepheus/kanidm.nix
@@ -0,0 +1,107 @@
+{ config, pkgs, lib, ... }:
+let
+  kanidmPort = 1888;
+in {
+  age.secrets.kanidm-admin-password = lib.mkSecret "kanidm";
+  age.secrets.kanidm-idm-admin-password = lib.mkSecret "kanidm";
+  users.groups.kanidm = {};
+  users.users.kanidm.group = "kanidm";
+  users.users.kanidm.isSystemUser = true;
+
+  containers.kanidm = {
+    autoStart = true;
+    bindMounts = {
+      "/certs" = { hostPath = "/nix/persist/services/kanidm/certs"; isReadOnly = false; };
+      "/var/lib/kanidm" = { hostPath = "/nix/persist/services/kanidm/db"; isReadOnly = false; };
+      # "${config.age.secretsDir}" = { hostPath = config.age.secretsDir; isReadOnly = true; };
+      "/run/agenix" = { hostPath = "/run/agenix"; isReadOnly = false; };
+    };
+    # tmpfs = [ "/" ];
+    hostAddress = "192.168.101.10";
+    localAddress = "192.168.101.11";
+    privateNetwork = true;
+    # privateNetwork = false;
+
+    config = { lib, ... }: {
+      imports = [
+        # ../../modules/global/nix.nix
+        ../../modules/global/dnscrypt-proxy.nix
+      ];
+
+      services.kanidm = {
+        enableServer = true;
+        package = pkgs.kanidmWithSecretProvisioning;
+        enableClient = true;
+        serverSettings = {
+          domain = "idm.nothing.run";
+          origin = "https://idm.nothing.run";
+          # bindaddress = "127.0.0.1:${toString kanidmPort}";
+          bindaddress = "0.0.0.0:${toString kanidmPort}";
+          log_level = "trace";
+          trust_x_forward_for = true;
+
+          tls_chain = "/certs/chain.pem";
+          tls_key = "/certs/key.pem";
+        };
+        clientSettings = {
+          uri = "https://127.0.0.1:${toString kanidmPort}";
+          verify_ca = false;
+          verify_hostnames = false;
+        };
+        provision = lib.mkMerge [
+          { enable = lib.mkForce true; }
+          config.services.kanidm.provision
+        ];
+      };
+
+      networking.firewall = {
+        enable = true;
+        allowedTCPPorts = [ kanidmPort ];
+      };
+      system.stateVersion = "25.05";
+    };
+  };
+
+  services.kanidm.provision = {
+    acceptInvalidCerts = true;
+    instanceUrl = "https://127.0.0.1:${toString kanidmPort}";
+
+    adminPasswordFile = config.age.secrets.kanidm-admin-password.path;
+    idmAdminPasswordFile = config.age.secrets.kanidm-idm-admin-password.path;
+    groups.admins = {};
+    
+    persons = {
+      "thary" = {
+        "displayName" = "Thary";
+        "mailAddresses" = [
+          "thary@riseup.net"
+          "thary@nothing.run"
+        ];
+        groups = [
+          "gitea.access" "gitea.admins"
+          "miniflux.access"
+        ];
+      };
+    };
+  };
+
+  imp.home.dirs = [ ".cache/kanidm_tokens" ];
+  services.kanidm.enableClient = true;
+  services.kanidm.clientSettings = {
+    uri = "https://idm.nothing.run";
+    verify_ca = true;
+    verify_hostnames = true;
+  };
+  
+  services.caddy.virtualHosts = {
+    "idm.nothing.run".extraConfig = ''
+      reverse_proxy https://192.168.101.11:${toString kanidmPort} {
+        transport http {
+          tls
+          tls_insecure_skip_verify
+        }
+      }
+    '';
+  };
+
+}