stuff

2025-02-08 23:59:58 -08:00
parent 9bf1fc575e
commit 9be8572670
1 changed files with 40 additions and 10 deletions
--- a/triple-dezert/proxied/services/mira-auth.nix
+++ b/triple-dezert/proxied/services/mira-auth.nix
@@ -16,8 +16,8 @@ in

  containers.mira-auth = {
    privateNetwork = true;
-    hostAddress  = "192.168.100.36";
-    localAddress = "192.168.100.37";
+    hostAddress  = "192.168.100.38";
+    localAddress = "192.168.100.39";

    autoStart = true;
    ephemeral = false;
@@ -31,7 +31,16 @@ in
      }:
      let
        certtool = "${pkgs.gnutls.bin}/bin/certtool";
-        cert_dir = "/var/lib/kanidm/certs";
+        template_text = ''
+          organization = "Foobar"
+          country = GR
+          cn = "localhost"
+          signing_key
+          encryption_key
+          tls_www_server
+        '';
+        template_file = pkgs.writeText "selfsigned-template" template_text;
+        cert_dir = "/kanidm-certs";
        cert_chain = "${cert_dir}/chain.pem";
        cert_key = "${cert_dir}/key.pem";
      in
@@ -42,16 +51,37 @@ in
        networking.useHostResolvConf = lib.mkForce false;
        services.resolved.enable = true;

-        systemd.services.kanidm.preStart = ''
-          mkdir -p ${lib.escapeShellArg cert_dir}
-          if [[ ! -f ${lib.escapeShellArg cert_chain} ]]; then
-            ${certtool} --generate-privkey --outfile=${lib.escapeShellArg cert_key} --key-type=rsa --sec-param=high
-            ${certtool} --generate-self-signed --load-privkey=${lib.escapeShellArg cert_key} --outfile=${lib.escapeShellArg cert_chain} --template=/dev/null
-          fi
-        '';
+        systemd.tmpfiles.settings."10-kanidm" = {
+          ${cert_dir}.d = {
+            mode = "0700";
+            user = "kanidm";
+            group = "kanidm";
+          };
+        };
+
+        systemd.services.make-kanidm-self-signed-cert = {
+          script = ''
+            if [[ ! -f ${lib.escapeShellArg cert_chain} ]]; then
+              ${certtool} --generate-privkey --outfile=${lib.escapeShellArg cert_key} --key-type=rsa --sec-param=high
+              ${certtool} --generate-self-signed --load-privkey=${lib.escapeShellArg cert_key} --outfile=${lib.escapeShellArg cert_chain} --template=${lib.escapeShellArg template_file}
+            fi
+          '';
+          serviceConfig = {
+            Type = "oneshot";
+            RemainAfterExit = true;
+            User = "kanidm";
+            Group = "kanidm";
+          };
+        };
+
+        systemd.services.kanidm.unitConfig = {
+          Requires = [ "make-kanidm-self-signed-cert.service" ];
+          After = [ "make-kanidm-self-signed-cert.service" ];
+        };

        services.kanidm = {
          enableServer = true;
+          enableClient = true;
          serverSettings = {
            bindaddress = "[::]:${toString port}";
            inherit domain;