stuff
@@ -1,15 +1,11 @@
|
||||
{ config, lib, ... }:
|
||||
{
|
||||
...
|
||||
}:
|
||||
let
|
||||
container = config.containers.mira-auth;
|
||||
port = 8443;
|
||||
domain = "auth.for.miras.pet";
|
||||
in
|
||||
{
|
||||
# vacu.databases.mira-auth = {
|
||||
# # user = "mira-auth";
|
||||
# fromContainer = "mira-auth";
|
||||
# };
|
||||
|
||||
vacu.proxiedServices.mira-auth = {
|
||||
inherit domain port;
|
||||
fromContainer = "mira-auth";
|
||||
@@ -27,21 +23,18 @@ in
|
||||
ephemeral = false;
|
||||
restartIfChanged = true;
|
||||
|
||||
# bindMounts."/mira-auth" = {
|
||||
# hostPath = "/trip/mira-auth";
|
||||
# isReadOnly = false;
|
||||
# };
|
||||
|
||||
config =
|
||||
let
|
||||
outer_config = config;
|
||||
in
|
||||
{
|
||||
config,
|
||||
pkgs,
|
||||
lib,
|
||||
...
|
||||
}:
|
||||
let
|
||||
certtool = "${pkgs.gnutls.bin}/bin/certtool";
|
||||
cert_dir = "/var/lib/kanidm/certs";
|
||||
cert_chain = "${cert_dir}/chain.pem";
|
||||
cert_key = "${cert_dir}/key.pem";
|
||||
in
|
||||
{
|
||||
system.stateVersion = "24.11";
|
||||
|
||||
@@ -49,6 +42,14 @@ in
|
||||
networking.useHostResolvConf = lib.mkForce false;
|
||||
services.resolved.enable = true;
|
||||
|
||||
systemd.services.kanidm.preStart = ''
|
||||
mkdir -p ${lib.escapeShellArg cert_dir}
|
||||
if [[ ! -f ${lib.escapeShellArg cert_chain} ]]; then
|
||||
${certtool} --generate-privkey --outfile=${lib.escapeShellArg cert_key} --key-type=rsa --sec-param=high
|
||||
${certtool} --generate-self-signed --load-privkey=${lib.escapeShellArg cert_key} --outfile=${lib.escapeShellArg cert_chain} --template=/dev/null
|
||||
fi
|
||||
'';
|
||||
|
||||
services.kanidm = {
|
||||
enableServer = true;
|
||||
serverSettings = {
|
||||
@@ -56,6 +57,7 @@ in
|
||||
db_path = "/var/lib/kanidm/kanidm.db";
|
||||
inherit domain;
|
||||
origin = "https://${domain}";
|
||||
trust_x_forward_for = true;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
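Review bot: The self-signed certificate produced in the preStart block (L151–L169) is only generated while `chain.pem` is absent, so once certtool's default, finite validity elapses kanidm will keep presenting an expired certificate with no renewal path, and `--template=/dev/null` yields a certificate with no CN/SAN for `${domain}`, which means whatever fronts it (here the proxiedServices entry in the first hunk) can only reach it by skipping hostname verification rather than validating or pinning it. Write a small certtool template carrying `cn`/`dns_name` for the domain and an explicit `expiration_days`, and widen the guard to regenerate when the key is missing or the chain is near expiry, as sketched below (this rotates the key along with the certificate, which is acceptable for a self-signed pair); the kanidm `tls_chain`/`tls_key` settings that consume these files are presumably outside the hunk. Separately, `trust_x_forward_for = true;` (L195) makes kanidm take the client address from the proxy-supplied header for its logs and client-address-based limits, which is only sound if the service port is reachable solely from that proxy — worth confirming that the container's bind address or firewall enforces this, since nothing in the hunk does.
```nix
cert_template = pkgs.writeText "kanidm-cert.cfg" ''
  cn = "${domain}"
  dns_name = "${domain}"
  expiration_days = 365
'';
# … unchanged: certtool, cert_dir, cert_chain, cert_key bindings …
systemd.services.kanidm.preStart = ''
  mkdir -p ${lib.escapeShellArg cert_dir}
  if [[ ! -f ${lib.escapeShellArg cert_key} ]] || [[ ! -f ${lib.escapeShellArg cert_chain} ]] \
     || ! ${pkgs.openssl}/bin/openssl x509 -checkend 2592000 -noout -in ${lib.escapeShellArg cert_chain}; then
    ${certtool} --generate-privkey --outfile=${lib.escapeShellArg cert_key} --key-type=rsa --sec-param=high
    ${certtool} --generate-self-signed --load-privkey=${lib.escapeShellArg cert_key} --outfile=${lib.escapeShellArg cert_chain} --template=${cert_template}
  fi
'';
```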