From 4788bd8cd4c973e3dcfea6b393607702c1f8aad6 Mon Sep 17 00:00:00 2001
From: Timo Boomers
Date: Sat, 26 Apr 2025 14:09:34 +0200
Subject: [PATCH] Changed lldap to kanidm configuration
---
 hosts/v-th-ctr-01/home.nix | 1 +
 modules/home/containers/auth.nix | 34 -------------------------
 modules/home/containers/caddy.nix | 6 ++---
 modules/home/containers/kanidm.nix | 40 ++++++++++++++++++++++++++++++
 modules/home/default.nix | 2 +-
 5 files changed, 45 insertions(+), 38 deletions(-)
 delete mode 100644 modules/home/containers/auth.nix
 create mode 100644 modules/home/containers/kanidm.nix
diff --git a/hosts/v-th-ctr-01/home.nix b/hosts/v-th-ctr-01/home.nix
index a9a38c1..9df957b 100644
--- a/hosts/v-th-ctr-01/home.nix
+++ b/hosts/v-th-ctr-01/home.nix
@@ -40,6 +40,7 @@
 nginx.enable = true;
 caddy.enable = true;
+ kanidm.enable = true;
 };
 };
diff --git a/modules/home/containers/auth.nix b/modules/home/containers/auth.nix
deleted file mode 100644
index 9c5b3e2..0000000
--- a/modules/home/containers/auth.nix
+++ /dev/null
@@ -1,34 +0,0 @@
-{ config, lib, ... }:
-
-with lib;
-
-let
- cfg = config.settings.containers.nginx;
-in {
- options = {
- settings.containers.auth.enable = lib.mkOption {
- type = lib.types.bool;
- default = false;
- description = ''
- Enable authelia and lldap container
- '';
- };
- };
-
- config = mkIf cfg.enable {
- services.podman.containers.lldap = {
- image = "lldap/lldap:stable";
- network = "proxy";
- volumes = [
- "%h/containers/lldap/data:/data"
- ];
- environment = {
- TZ = "Europe/Amsterdam";
- LLDAP_JWT_SECRET = "";
- LLDAP_KEY_SEED = "";
- LLDAP_LDAP_BASE_DN = "dc=tbmrs,dc=nl";
- LLDAP_LDAP_USER_PASS= "changeme!";
- };
- };
- };
-}
diff --git a/modules/home/containers/caddy.nix b/modules/home/containers/caddy.nix
index 607bd24..25f0955 100644
--- a/modules/home/containers/caddy.nix
+++ b/modules/home/containers/caddy.nix
@@ -42,9 +42,9 @@ in {
 respond "Hello there"
 }
- @lldap host ldap.tbmrs.nl
- handle @lldap {
- reverse_proxy lldap:17170
+ @kanidm host auth.tbmrs.nl
+ handle @kanidm {
+ reverse_proxy https://auth.tbmrs.nl:8443
 }
 }
 '';
diff --git a/modules/home/containers/kanidm.nix b/modules/home/containers/kanidm.nix
new file mode 100644
index 0000000..4098640
--- /dev/null
+++ b/modules/home/containers/kanidm.nix
@@ -0,0 +1,40 @@
+{ config, lib, ... }:
+
+with lib;
+
+let
+ cfg = config.settings.containers.nginx;
+in {
+ options = {
+ settings.containers.kanidm.enable = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ description = ''
+ Enable kanidm container
+ '';
+ };
+ };
+
+ config = mkIf cfg.enable {
+ services.podman.containers.kanidm = {
+ image = "kanidm/server:latest";
+ network = "proxy";
+ networkAlias = [
+ "auth.tbmrs.nl"
+ ];
+ volumes = [
+ "%h/containers/kanidm/data:/data"
+ "%h/containers/caddy/data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/wildcard_.tbmrs.nl:/data/keys"
+ ];
+ environment = {
+ KANIDM_VERSION = "2";
+ KANIDM_BINDADDRESS = "[::]:8443";
+ KANIDM_DB_PATH = "/data/kanidm.db";
+ KANIDM_TLS_CHAIN = "/data/keys/wildcard_.tbmrs.nl.crt";
+ KANIDM_TLS_KEY = "/data/keys/wildcard_.tbmrs.nl.key";
+ KANIDM_DOMAIN = "auth.tbmrs.nl";
+ KANIDM_ORIGIN = "https://auth.tbmrs.nl";
+ };
+ };
+ };
+}
diff --git a/modules/home/default.nix b/modules/home/default.nix
index 3bed31b..000e70f 100644
--- a/modules/home/default.nix
+++ b/modules/home/default.nix
@@ -24,8 +24,8 @@
 ./containers/network.nix
- ./containers/auth.nix
 ./containers/caddy.nix
+ ./containers/kanidm.nix
 ./containers/nginx.nix
 ];
 }
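Review bot: `cfg = config.settings.containers.nginx;` in the new kanidm.nix gates the container on the nginx option, so the `settings.containers.kanidm.enable` option declared a few lines below never takes effect and the kanidm container is started whenever nginx is enabled (the deleted auth.nix carried the same cross-wiring, so this is most likely a copy-over). The let-binding should read `cfg = config.settings.containers.kanidm;`. On the same hunk, `image = "kanidm/server:latest"` floats the server version, so a new major release can be pulled in on any container restart without a corresponding change in this file; pinning a version tag (or a digest, if the podman module supports it) keeps the deployment reproducible and auditable. The second volume entry mounts Caddy's ACME certificate directory, private key included, into the identity-provider container, which means the wildcard key now lives in two containers — worth confirming that the directory's permissions and the user the kanidm container runs as are reviewed together.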