forked from DGNum/infrastructure
feat(compute01): Deploy kanidm on sso.dgnum.eu
This commit is contained in:
Tom Hubrecht
parent
9fa7d44048
commit
17149184a9
4 changed files with 5708 additions and 0 deletions
|
|
@ -13,6 +13,7 @@ let
|
||||||
|
|
||||||
# List of services to enable
|
# List of services to enable
|
||||||
enabledServices = [
|
enabledServices = [
|
||||||
|
"kanidm"
|
||||||
"mastodon"
|
"mastodon"
|
||||||
"nextcloud"
|
"nextcloud"
|
||||||
];
|
];
|
||||||
|
|
|
||||||
75
machines/compute01/kanidm/default.nix
Normal file
75
machines/compute01/kanidm/default.nix
Normal file
|
|
@ -0,0 +1,75 @@
|
||||||
|
{ config, ... }:
|
||||||
|
|
||||||
|
let
|
||||||
|
domain = "sso.dgnum.eu";
|
||||||
|
|
||||||
|
cert = config.security.acme.certs.${domain};
|
||||||
|
|
||||||
|
allowedSubDomains = [ "cloud" "git" "videos" "social" ];
|
||||||
|
in {
|
||||||
|
services.kanidm = {
|
||||||
|
enableServer = true;
|
||||||
|
|
||||||
|
serverSettings = {
|
||||||
|
inherit domain;
|
||||||
|
|
||||||
|
origin = "https://${domain}";
|
||||||
|
|
||||||
|
bindaddress = "127.0.0.1:8443";
|
||||||
|
ldapbindaddress = "0.0.0.0:636";
|
||||||
|
|
||||||
|
trust_x_forward_for = true;
|
||||||
|
|
||||||
|
tls_chain = "${cert.directory}/fullchain.pem";
|
||||||
|
tls_key = "${cert.directory}/key.pem";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
users.users.kanidm.extraGroups = [ cert.group ];
|
||||||
|
|
||||||
|
services.nginx = {
|
||||||
|
enable = true;
|
||||||
|
|
||||||
|
virtualHosts.${domain} = {
|
||||||
|
enableACME = true;
|
||||||
|
forceSSL = true;
|
||||||
|
locations."/" = {
|
||||||
|
proxyPass = "https://127.0.0.1:8443";
|
||||||
|
|
||||||
|
extraConfig = ''
|
||||||
|
if ( $request_method !~ ^(GET|POST|HEAD|OPTIONS|PUT|PATCH|DELETE)$ ) {
|
||||||
|
return 444;
|
||||||
|
}
|
||||||
|
|
||||||
|
set $origin $http_origin;
|
||||||
|
|
||||||
|
if ($origin !~ '^https?://(${builtins.concatStringsSep "|" allowedSubDomains})\.dgnum\.eu$') {
|
||||||
|
set $origin 'https://${domain}';
|
||||||
|
}
|
||||||
|
|
||||||
|
if ($request_method = 'OPTIONS') {
|
||||||
|
add_header 'Access-Control-Allow-Origin' "$origin" always;
|
||||||
|
add_header 'Access-Control-Allow-Methods' 'GET, POST, PATCH, PUT, DELETE, OPTIONS' always;
|
||||||
|
add_header 'Access-Control-Allow-Headers' 'Content-Type, Accept, Authorization' always;
|
||||||
|
add_header 'Access-Control-Allow-Credentials' 'true' always;
|
||||||
|
|
||||||
|
add_header Access-Control-Max-Age 1728000;
|
||||||
|
add_header Content-Type 'text/plain charset=UTF-8';
|
||||||
|
add_header Content-Length 0;
|
||||||
|
return 204;
|
||||||
|
}
|
||||||
|
|
||||||
|
if ($request_method ~ '(GET|POST|PATCH|PUT|DELETE)') {
|
||||||
|
add_header Access-Control-Allow-Origin "$origin" always;
|
||||||
|
add_header Access-Control-Allow-Methods 'GET, POST, PATCH, PUT, DELETE, OPTIONS' always;
|
||||||
|
add_header Access-Control-Allow-Headers 'Content-Type, Accept, Authorization' always;
|
||||||
|
add_header Access-Control-Allow-Credentials true always;
|
||||||
|
}
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
networking.firewall.allowedTCPPorts = [ 636 ];
|
||||||
|
networking.firewall.allowedUDPPorts = [ 636 ];
|
||||||
|
}
|
||||||
5628
nix-patches/246564.patch
Normal file
5628
nix-patches/246564.patch
Normal file
File diff suppressed because it is too large
Load diff
|
|
@ -1,5 +1,9 @@
|
||||||
{
|
{
|
||||||
"nixos-23.05" = [
|
"nixos-23.05" = [
|
||||||
|
# Plausible fix
|
||||||
./241126.patch
|
./241126.patch
|
||||||
|
|
||||||
|
# Kanidm 1.1.0-beta.13
|
||||||
|
./246564.patch
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue