massicot: add kanidm service

2023-09-28 10:58:29 +00:00 · 2023-09-28 10:58:29 +00:00 · b3744b41ce
commit b3744b41ce
parent 74ad2b8425
3 changed files with 76 additions and 35 deletions
--- a/flake.lock
+++ b/flake.lock
@ -128,11 +128,11 @@
        "systems": "systems_2"
      },
      "locked": {
-        "lastModified": 1692799911,
-        "narHash": "sha256-3eihraek4qL744EvQXsK1Ha6C3CR7nnT8X2qWap4RNk=",
+        "lastModified": 1694529238,
+        "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",
        "owner": "numtide",
        "repo": "flake-utils",
-        "rev": "f9e7cf818399d17d347f847525c5a5a8032e4e44",
+        "rev": "ff7b65b44d01cf9ba6a71320833626af21126384",
        "type": "github"
      },
      "original": {
@ -181,11 +181,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1694375657,
-        "narHash": "sha256-32X8dcty4vPXx+D4yJPQZBo5hJ1NQikALhevGv6elO4=",
+        "lastModified": 1694469544,
+        "narHash": "sha256-eqZng5dZnAUyb7xXyFk5z871GY/++KVv3Gyld5mVh20=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "f7848d3e5f15ed02e3f286029697e41ee31662d7",
+        "rev": "5171f5ef654425e09d9c2100f856d887da595437",
        "type": "github"
      },
      "original": {
@ -201,11 +201,11 @@
        "nixpkgs": "nixpkgs"
      },
      "locked": {
-        "lastModified": 1694395166,
-        "narHash": "sha256-F0SRxtFF8EsEff6cRO81NdCpVz/S761ytETNqRkRwU4=",
+        "lastModified": 1694481387,
+        "narHash": "sha256-1v5DT/8PmFl9UJHRq6BeMcDTSqXIYjVBilcVFt+vRN0=",
        "owner": "nix-community",
        "repo": "nix-vscode-extensions",
-        "rev": "e6c8e1659000d07804526e42b99fa5f15190c324",
+        "rev": "3901c1225944eda6c85f09a57c338f87f06748d2",
        "type": "github"
      },
      "original": {
@ -237,11 +237,11 @@
    },
    "nixos-hardware": {
      "locked": {
-        "lastModified": 1693718952,
-        "narHash": "sha256-+nGdJlgTk0MPN7NygopipmyylVuAVi7OItIwTlwtGnw=",
+        "lastModified": 1694432324,
+        "narHash": "sha256-bo3Gv6Cp40vAXDBPi2XiDejzp/kyz65wZg4AnEWxAcY=",
        "owner": "NixOS",
        "repo": "nixos-hardware",
-        "rev": "793de77d9f83418b428e8ba70d1e42c6507d0d35",
+        "rev": "ca41b8a227dd235b1b308217f116c7e6e84ad779",
        "type": "github"
      },
      "original": {
@ -269,11 +269,11 @@
    },
    "nixpkgs-stable": {
      "locked": {
-        "lastModified": 1694304580,
-        "narHash": "sha256-5tIpNodDpEKT8mM/F5zCzWEAnidOg8eb1/x3SRaaBLs=",
+        "lastModified": 1694426803,
+        "narHash": "sha256-osusXQo0zkEqs502SNMffsKp1O9evpDM54A37MuyT2Q=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "4c8cf44c5b9481a4f093f1df3b8b7ba997a7c760",
+        "rev": "9a74ffb2ca1fc91c6ccc48bd3f8cbc1501bf7b8a",
        "type": "github"
      },
      "original": {
@ -301,27 +301,23 @@
    },
    "nixpkgs_2": {
      "locked": {
-        "lastModified": 1694183432,
-        "narHash": "sha256-YyPGNapgZNNj51ylQMw9lAgvxtM2ai1HZVUu3GS8Fng=",
-        "owner": "nixos",
-        "repo": "nixpkgs",
-        "rev": "db9208ab987cdeeedf78ad9b4cf3c55f5ebd269b",
-        "type": "github"
+        "lastModified": 1694538145,
+        "narHash": "sha256-/+X6c5mT4Yce7L21Dw+UynDomPQQya2WRaMAO7aotGY=",
+        "path": "/home/xin/nixpkgs",
+        "type": "path"
      },
      "original": {
-        "owner": "nixos",
-        "ref": "nixos-unstable",
-        "repo": "nixpkgs",
-        "type": "github"
+        "path": "/home/xin/nixpkgs",
+        "type": "path"
      }
    },
    "nur": {
      "locked": {
-        "lastModified": 1694400936,
-        "narHash": "sha256-MOUf6iF1B5jw25xWgRTj47L2lS32F5wIACEErYqq2n0=",
+        "lastModified": 1694533535,
+        "narHash": "sha256-De7zRSSjw/UQmPxqUB5+acgE0kx9v7+w5mndk1M9clQ=",
        "owner": "nix-community",
        "repo": "NUR",
-        "rev": "1850109f159c735841f7f6a51100b05d5b055113",
+        "rev": "140724f176a3a6d4b193b6da8eb7659d13f2fa9a",
        "type": "github"
      },
      "original": {
@ -396,11 +392,11 @@
        "nixpkgs-stable": "nixpkgs-stable_2"
      },
      "locked": {
-        "lastModified": 1693898833,
-        "narHash": "sha256-OIrMAGNYNeLs6IvBynxcXub7aSW3GEUvWNsb7zx6zuU=",
+        "lastModified": 1694495315,
+        "narHash": "sha256-sZEYXs9T1NVHZSSbMqBEtEm2PGa7dEDcx0ttQkArORc=",
        "owner": "Mic92",
        "repo": "sops-nix",
-        "rev": "faf21ac162173c2deb54e5fdeed002a9bd6e8623",
+        "rev": "ea208e55f8742fdcc0986b256bdfa8986f5e4415",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@ -1,7 +1,8 @@
 {
  inputs = {
    # Pin nixpkgs to a specific commit
-    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
+    # nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
+    nixpkgs.url = "path:/home/xin/nixpkgs";
    nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-23.05";

    home-manager = {
--- a/machines/massicot/services.nix
+++ b/machines/massicot/services.nix
@ -1,5 +1,27 @@
 { config, pkgs, inputs, ... }:
+let
+  kanidm_listen_port = 5324;
+in
 {
+  security.acme = {
+    acceptTerms = true;
+    certs."auth.xinyang.life" = {
+        email = "lixinyang411@gmail.com";
+        listenHTTP = "127.0.0.1:1360";
+        group = "kanidm";
+    };
+  };
+  services.kanidm = {
+    enableServer = true;
+    serverSettings = {
+      domain = "auth.xinyang.life";
+      origin = "https://auth.xinyang.life";
+      bindaddress = "[::]:${toString kanidm_listen_port}";
+      tls_key = ''${config.security.acme.certs."auth.xinyang.life".directory}/key.pem'';
+      tls_chain = ''${config.security.acme.certs."auth.xinyang.life".directory}/fullchain.pem'';
+      # db_path = "/var/lib/kanidm/kanidm.db";
+    };
+  };
  services.matrix-conduit = {
    enable = true;
    # package = inputs.conduit.packages.${pkgs.system}.default;
@ -20,8 +42,13 @@
      host = "xinyang.life";
      letsencrypt-enabled = false;
      bind-address = "localhost";
-      landing-page-user = "me";
      instance-expose-public-timeline = true;
+      oidc-enabled = true;
+      oidc-idp-name = "Kanidm";
+      oidc-issuer = "https://auth.xinyang.life/oauth2/openid/gts";
+      oidc-client-id = "gts";
+      oidc-client-secret = "QkqhD6kWj8QLACa51YyFttTfyGMkFyESPsSKzvGVT8WTs3J5";
+      oidc-link-existing = true;
    };
  };

@ -53,15 +80,32 @@
          header Access-Control-Allow-Origin "*"
          respond `{"m.server": "xinyang.life:443"}`
      }
-
      reverse_proxy * http://localhost:8080 {
          flush_interval -1
      }
    '';
    virtualHosts."git.xinyang.life:443".extraConfig = ''
-      tls internal
      reverse_proxy http://${config.services.gitea.settings.server.DOMAIN}:${toString config.services.gitea.settings.server.HTTP_PORT}
    '';
+    
+    virtualHosts."http://auth.xinyang.life:80".extraConfig = ''
+        reverse_proxy ${config.security.acme.certs."auth.xinyang.life".listenHTTP}
+        route {
+           reverse_proxy * ${config.security.acme.certs."auth.xinyang.life".listenHTTP} order first
+           abort
+        }
+    '';
+    virtualHosts."https://auth.xinyang.life:443".extraConfig = ''
+      reverse_proxy https://auth.xinyang.life:${toString kanidm_listen_port} {
+          header_up Host {upstream_hostport}
+          transport http {
+              tls_server_name ${config.services.kanidm.serverSettings.domain}
+          }
+      }
+    '';
+    # 
+    # respond `Hello World`
+
  };

  networking.firewall.allowedTCPPorts = [ 80 443 8448 ];