feat(compute01): Deploy kanidm on sso.dgnum.eu

2023-09-14 08:04:48 +02:00 · 2023-09-14 08:04:48 +02:00 · 17149184a9
commit 17149184a9
parent 9fa7d44048
4 changed files with 5708 additions and 0 deletions
--- a/machines/compute01/_configuration.nix
+++ b/machines/compute01/_configuration.nix
@ -13,6 +13,7 @@ let

  # List of services to enable
  enabledServices = [
+    "kanidm"
    "mastodon"
    "nextcloud"
  ];
--- a/machines/compute01/kanidm/default.nix
+++ b/machines/compute01/kanidm/default.nix
@ -0,0 +1,75 @@
+{ config, ... }:
+
+let
+  domain = "sso.dgnum.eu";
+
+  cert = config.security.acme.certs.${domain};
+
+  allowedSubDomains = [ "cloud" "git" "videos" "social" ];
+in {
+  services.kanidm = {
+    enableServer = true;
+
+    serverSettings = {
+      inherit domain;
+
+      origin = "https://${domain}";
+
+      bindaddress = "127.0.0.1:8443";
+      ldapbindaddress = "0.0.0.0:636";
+
+      trust_x_forward_for = true;
+
+      tls_chain = "${cert.directory}/fullchain.pem";
+      tls_key = "${cert.directory}/key.pem";
+    };
+  };
+
+  users.users.kanidm.extraGroups = [ cert.group ];
+
+  services.nginx = {
+    enable = true;
+
+    virtualHosts.${domain} = {
+      enableACME = true;
+      forceSSL = true;
+      locations."/" = {
+        proxyPass = "https://127.0.0.1:8443";
+
+        extraConfig = ''
+          if ( $request_method !~ ^(GET|POST|HEAD|OPTIONS|PUT|PATCH|DELETE)$ ) {
+              return 444;
+          }
+
+          set $origin $http_origin;
+
+          if ($origin !~ '^https?://(${builtins.concatStringsSep "|" allowedSubDomains})\.dgnum\.eu$') {
+              set $origin 'https://${domain}';
+          }
+
+          if ($request_method = 'OPTIONS') {
+              add_header 'Access-Control-Allow-Origin' "$origin" always;
+              add_header 'Access-Control-Allow-Methods' 'GET, POST, PATCH, PUT, DELETE, OPTIONS' always;
+              add_header 'Access-Control-Allow-Headers' 'Content-Type, Accept, Authorization' always;
+              add_header 'Access-Control-Allow-Credentials' 'true' always;
+
+              add_header Access-Control-Max-Age 1728000;
+              add_header Content-Type 'text/plain charset=UTF-8';
+              add_header Content-Length 0;
+              return 204;
+          }
+
+          if ($request_method ~ '(GET|POST|PATCH|PUT|DELETE)') {
+              add_header Access-Control-Allow-Origin "$origin" always;
+              add_header Access-Control-Allow-Methods 'GET, POST, PATCH, PUT, DELETE, OPTIONS' always;
+              add_header Access-Control-Allow-Headers 'Content-Type, Accept, Authorization' always;
+              add_header Access-Control-Allow-Credentials true always;
+          }
+        '';
+      };
+    };
+  };
+
+  networking.firewall.allowedTCPPorts = [ 636 ];
+  networking.firewall.allowedUDPPorts = [ 636 ];
+}
--- a/nix-patches/246564.patch
+++ b/nix-patches/246564.patch
--- a/nix-patches/default.nix
+++ b/nix-patches/default.nix
@ -1,5 +1,9 @@
 {
  "nixos-23.05" = [
+    # Plausible fix
    ./241126.patch
+
+    # Kanidm 1.1.0-beta.13
+    ./246564.patch
  ];
 }