artemis/kanidm: setup again

Author: NyCodeGHG

hosts/artemis/applications/default.nix

@@ -19,5 +19,6 @@
     ./attic.nix
     ./changedetection.nix
     ./soju.nix
+    ./kanidm.nix
   ];
 }

hosts/artemis/applications/kanidm.nix

@@ -0,0 +1,39 @@
+{ config, pkgs, ... }:
+let
+  domain = "idm.marie.cologne";
+in
+{
+  services.kanidm = {
+    enableClient = true;
+    clientSettings = {
+      uri = "https://${domain}";
+    };
+
+    package = pkgs.kanidm_1_5;
+    
+    enableServer = true;
+    serverSettings = {
+      inherit domain;
+      origin = "https://${domain}";
+      tls_chain = "/var/lib/acme/${domain}/fullchain.pem";
+      tls_key = "/var/lib/acme/${domain}/key.pem";
+      trust_x_forward_for = true;
+      bindaddress = "[::1]:8443";
+    };
+  };
+  security.acme.certs."${domain}" = {
+    postRun = "systemctl restart kanidm.service";
+    group = "kanidm";
+  };
+
+  services.nginx.virtualHosts."${domain}" = {
+    locations."/" = {
+      proxyPass = "https://${toString config.services.kanidm.serverSettings.bindaddress}";
+      extraConfig = ''
+        proxy_ssl_verify on;
+        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
+        proxy_ssl_name ${domain};
+      '';
+    };
+  };
+}

infra/dns.tf

@@ -48,6 +48,14 @@ resource "cloudflare_record" "cache_marie_cologne" {
   type    = "CNAME"
 }
 
+resource "cloudflare_record" "kanidm" {
+  zone_id = data.cloudflare_zone.marie_cologne.id
+  name    = "idm.marie.cologne"
+  content = "artemis.marie.cologne"
+  type    = "CNAME"
+}
+
+
 resource "cloudflare_record" "git_marie_cologne" {
   zone_id = data.cloudflare_zone.marie_cologne.id
   name    = "git"