From 952a55f03d392d504728065191f5edddebc453ba Mon Sep 17 00:00:00 2001 From: William Date: Sat, 8 Nov 2025 21:57:27 -0300 Subject: [PATCH] Add Kanidm identity provider to alexandria Added Kanidm server configuration to serve as central identity provider for all services. Configuration includes: - Server on auth.baduhai.dev with HTTPS - LDAP support on port 636 for legacy integrations - Nginx reverse proxy with SSL termination - Added to shared services for DNS resolution Kanidm will provide OAuth2/OIDC authentication for Nextcloud, Vaultwarden, Forgejo, and other services. --- hosts/alexandria/kanidm.nix | 78 +++++++++++++++++++++++++++++++++++++ shared/services.nix | 10 ++++- 2 files changed, 87 insertions(+), 1 deletion(-) create mode 100644 hosts/alexandria/kanidm.nix diff --git a/hosts/alexandria/kanidm.nix b/hosts/alexandria/kanidm.nix new file mode 100644 index 0000000..ee56bc1 --- /dev/null +++ b/hosts/alexandria/kanidm.nix @@ -0,0 +1,78 @@ +{ + config, + lib, + inputs, + pkgs, + ... +}: + +let + utils = import ../../utils.nix { inherit inputs lib; }; + inherit (utils) mkNginxVHosts; + kanidmCertDir = "/var/lib/kanidm/certs"; +in + +{ + services.kanidm = { + enableServer = true; + package = pkgs.kanidm; + + serverSettings = { + domain = "auth.baduhai.dev"; + origin = "https://auth.baduhai.dev"; + bindaddress = "127.0.0.1:8443"; + ldapbindaddress = "127.0.0.1:636"; + trust_x_forward_for = true; + # Use self-signed certificates for internal TLS + tls_chain = "${kanidmCertDir}/cert.pem"; + tls_key = "${kanidmCertDir}/key.pem"; + }; + }; + + services.nginx.virtualHosts = mkNginxVHosts { + domains."auth.baduhai.dev" = { + locations."/" = { + proxyPass = "https://127.0.0.1:8443"; + extraConfig = '' + proxy_ssl_verify off; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Host $host; + ''; + }; + }; + }; + + networking.firewall.allowedTCPPorts = [ 636 ]; + + # Generate self-signed certificates for kanidm's internal TLS + systemd.services.kanidm-generate-certs = { + description = "Generate self-signed TLS certificates for Kanidm"; + wantedBy = [ "multi-user.target" ]; + before = [ "kanidm.service" ]; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + }; + script = '' + mkdir -p ${kanidmCertDir} + if [ ! -f ${kanidmCertDir}/key.pem ]; then + ${pkgs.openssl}/bin/openssl req -x509 -newkey rsa:4096 \ + -keyout ${kanidmCertDir}/key.pem \ + -out ${kanidmCertDir}/cert.pem \ + -days 3650 -nodes \ + -subj "/CN=localhost" \ + -addext "subjectAltName=DNS:localhost,IP:127.0.0.1" + chown -R kanidm:kanidm ${kanidmCertDir} + chmod 600 ${kanidmCertDir}/key.pem + chmod 644 ${kanidmCertDir}/cert.pem + fi + ''; + }; + + # Ensure certificate generation runs before kanidm starts + systemd.services.kanidm = { + after = [ "kanidm-generate-certs.service" ]; + wants = [ "kanidm-generate-certs.service" ]; + }; +} diff --git a/shared/services.nix b/shared/services.nix index fd4e440..8870258 100644 --- a/shared/services.nix +++ b/shared/services.nix @@ -1,9 +1,17 @@ # Shared service definitions for cross-host configuration # Used by: -# - alexandria: DNS server (LAN) + service hosting (vaultwarden, nextcloud, jellyfin) +# - alexandria: DNS server (LAN) + service hosting (vaultwarden, nextcloud, jellyfin, kanidm) # - trantor: DNS server (Tailnet) + service hosting (forgejo) { services = [ + { + name = "kanidm"; + domain = "auth.baduhai.dev"; + host = "alexandria"; + lanIP = "192.168.15.142"; + tailscaleIP = "100.76.19.50"; + port = 8443; + } { name = "vaultwarden"; domain = "pass.baduhai.dev";