refactor: finish decoupling the library functions from config

2025-10-11 07:10:39 +02:00 · 2023-07-01 01:11:58 +02:00 · 2023-07-01 01:11:58 +02:00 · 80e7c1bdbf
commit 80e7c1bdbf
parent 68bb9731d3
59 changed files with 984 additions and 786 deletions
--- a/hosts/ward/microvms/kanidm/default.nix
+++ b/hosts/ward/microvms/kanidm/default.nix
@ -1,76 +0,0 @@
-{
-  config,
-  lib,
-  nodes,
-  pkgs,
-  utils,
-  ...
-}: let
-  sentinelCfg = nodes.sentinel.config;
-  kanidmDomain = "auth.${sentinelCfg.repo.secrets.local.personalDomain}";
-  kanidmPort = 8300;
-in {
-  meta.wireguard-proxy.sentinel.allowedTCPPorts = [kanidmPort];
-
-  age.secrets."kanidm-self-signed.crt" = {
-    rekeyFile = ./secrets/kanidm-self-signed.crt.age;
-    mode = "440";
-    group = "kanidm";
-  };
-
-  age.secrets."kanidm-self-signed.key" = {
-    rekeyFile = ./secrets/kanidm-self-signed.key.age;
-    mode = "440";
-    group = "kanidm";
-  };
-
-  nodes.sentinel = {
-    networking.providedDomains.kanidm = kanidmDomain;
-
-    services.nginx = {
-      upstreams.kanidm = {
-        servers."${config.services.kanidm.serverSettings.bindaddress}" = {};
-        extraConfig = ''
-          zone kanidm 64k;
-          keepalive 2;
-        '';
-      };
-      virtualHosts.${kanidmDomain} = {
-        forceSSL = true;
-        useACMEWildcardHost = true;
-        locations."/".proxyPass = "https://kanidm";
-        # Allow using self-signed certs to satisfy kanidm's requirement
-        # for TLS connections. (Although this is over wireguard anyway)
-        extraConfig = ''
-          proxy_ssl_verify off;
-        '';
-      };
-    };
-  };
-
-  services.kanidm = {
-    enableServer = true;
-    # enablePAM = true;
-    serverSettings = {
-      domain = kanidmDomain;
-      origin = "https://${kanidmDomain}";
-      tls_chain = config.age.secrets."kanidm-self-signed.crt".path;
-      tls_key = config.age.secrets."kanidm-self-signed.key".path;
-      bindaddress = "${config.meta.wireguard.proxy-sentinel.ipv4}:${toString kanidmPort}";
-      trust_x_forward_for = true;
-    };
-  };
-
-  environment.systemPackages = [pkgs.kanidm];
-
-  services.kanidm = {
-    enableClient = true;
-    clientSettings = {
-      uri = config.services.kanidm.serverSettings.origin;
-      verify_ca = true;
-      verify_hostnames = true;
-    };
-  };
-
-  systemd.services.kanidm.after = ["sys-subsystem-net-devices-${utils.escapeSystemdPath "proxy-sentinel"}.device"];
-}