From 8f6640d2f16b17d1e10abd39e7b28a007b671cb6 Mon Sep 17 00:00:00 2001
From: Raphael
Date: Tue, 16 Dec 2025 15:13:59 +0100
Subject: [PATCH] feat(self_host/sso): now using kanidm (w/ SecretsProvisionning)

---
 services/self_host/sso.nix | 39 +++++++++++++++++++-------------------
 1 file changed, 19 insertions(+), 20 deletions(-)

diff --git a/services/self_host/sso.nix b/services/self_host/sso.nix
index f1712a2..cd77456 100644
--- a/services/self_host/sso.nix
+++ b/services/self_host/sso.nix
@@ -8,6 +8,7 @@ let
   cfg = config.service.selfhost.sso;
   kanidm-admin = config.age.secrets."kanidm-admin".path;
+  kanidm-idmAdmin = config.age.secrets."kanidm-idmAdmin".path;
 in
 {
   config = lib.mkIf cfg {
@@ -22,25 +23,7 @@ in
     security.acme.certs."auth.enium.eu".group = "nginx";
     services = {
       kanidm = {
-        package = pkgs.kanidm_1_8;
-        provision = {
-          idmAdminPasswordFile = kanidm-admin;
-          persons = {
-            raphael = {
-              legalName = "Raphael Parodi";
-              displayName = "Raphael";
-              mailAddresses = [
-                "raphael@enium.eu"
-              ];
-              groups = [
-                "users"
-                "idm_admins"
-              ];
-            };
-          };
-        };
-        enableClient = true;
-        clientSettings.uri = "https://auth.enium.eu";
+        package = pkgs.kanidmWithSecretProvisioning_1_8;
         enableServer = true;
         serverSettings = {
           role = "WriteReplica";
@@ -50,6 +33,23 @@ in
           tls_chain = "/var/lib/acme/auth.enium.eu/fullchain.pem";
           tls_key = "/var/lib/acme/auth.enium.eu/key.pem";
         };
+        enableClient = true;
+        clientSettings.uri = config.services.kanidm.serverSettings.origin;
+        provision = {
+          enable = true;
+          autoRemove = false;
+          adminPasswordFile = kanidm-admin;
+          idmAdminPasswordFile = kanidm-idmAdmin;
+          persons = {
+            raphael = {
+              displayName = "Raphael";
+              legalName = "Raphael Parodi";
+              mailAddresses = [
+                "raphael@enium.eu"
+              ];
+            };
+          };
+        };
       };
       nginx.virtualHosts."auth.enium.eu" = {
         enableACME = true;
@@ -57,7 +57,6 @@ in
         locations."/" = {
           proxyPass = "https://127.0.0.1:9000";
           proxyWebsockets = true;
-          extraConfig = ''
             proxy_ssl_verify off;
             proxy_set_header Host $host;
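Review bot: The rewritten `provision.persons.raphael` in the third hunk no longer carries the old `groups = [ "users" "idm_admins" ];` entry, so a fresh deployment declares the account without idm_admins membership, while with `autoRemove = false` an already-provisioned instance presumably keeps whatever membership it has — the two states drift apart without anything in the commit saying which is intended. If dropping idm_admins from the daily account is deliberate (a least-privilege improvement), state that in the commit message; otherwise restore `groups = [ "users" "idm_admins" ];` under `persons.raphael`. Separately, the agenix secret `kanidm-admin` moves from `idmAdminPasswordFile` to `adminPasswordFile`, so the same file now backs the built-in `admin` account rather than `idm_admin`, with the new `kanidm-idmAdmin` secret from the first hunk taking over the latter; confirm the secret contents were re-purposed or rotated to match, since reusing the old idm_admin password as the admin password would silently share one credential across two privilege levels. `clientSettings.uri` now derives from `serverSettings.origin`, which is set outside this hunk.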