From 887020f39cca2dc5464ff2a6350d8681543dc769 Mon Sep 17 00:00:00 2001
From: Flakebi
Date: Sun, 20 Nov 2022 18:10:15 +0100
Subject: [PATCH] nixos/kanidm: Add tls options

Since 1.1.0-alpha.10 kanidm requires TLS to be set up or it won't start.
---
 nixos/modules/services/security/kanidm.nix | 8 ++++++++
 nixos/tests/kanidm.nix | 19 +++++--------------
 2 files changed, 13 insertions(+), 14 deletions(-)

diff --git a/nixos/modules/services/security/kanidm.nix b/nixos/modules/services/security/kanidm.nix
index 788e06ffecf0..55120799c993 100644
--- a/nixos/modules/services/security/kanidm.nix
+++ b/nixos/modules/services/security/kanidm.nix
@@ -100,6 +100,14 @@ in
 readOnly = true;
 type = lib.types.path;
 };
+ tls_chain = lib.mkOption {
+ description = lib.mdDoc "TLS chain in pem format.";
+ type = lib.types.path;
+ };
+ tls_key = lib.mkOption {
+ description = lib.mdDoc "TLS key in pem format.";
+ type = lib.types.path;
+ };
 log_level = lib.mkOption {
 description = lib.mdDoc "Log level of the server.";
 default = "default";
diff --git a/nixos/tests/kanidm.nix b/nixos/tests/kanidm.nix
index 7f8a4e501777..33c65026b9b1 100644
--- a/nixos/tests/kanidm.nix
+++ b/nixos/tests/kanidm.nix
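Review bot: `tls_key` is declared as `lib.types.path` with no warning that a Nix path literal such as `./key.pem` is copied into the world-readable Nix store, which would expose the private key to every local user; the description should steer users to a string path outside the store that the service user can read. I would write `description = lib.mdDoc "TLS private key in PEM format. Pass a string path to a file outside the Nix store (a Nix path literal is copied into the world-readable store) that is readable by the kanidm service user.";` and add `example = "/var/lib/kanidm/key.pem";`. Neither new option has a default, and the commit message says kanidm now refuses to start without TLS, so a sentence noting that both options are required would make the failure mode explicit. The option set these are added to starts before and ends after this hunk.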
@@ -13,26 +13,17 @@ import ./make-test-python.nix ({ pkgs, ... }:
 serverSettings = {
 origin = "https://${serverDomain}";
 domain = serverDomain;
- bindaddress = "[::1]:8443";
+ bindaddress = "[::]:443";
 ldapbindaddress = "[::1]:636";
- };
- };
-
- services.nginx = {
- enable = true;
- recommendedProxySettings = true;
- virtualHosts."${serverDomain}" = {
- forceSSL = true;
- sslCertificate = certs."${serverDomain}".cert;
- sslCertificateKey = certs."${serverDomain}".key;
- locations."/".proxyPass = "http://[::1]:8443";
+ tls_chain = certs."${serverDomain}".cert;
+ tls_key = certs."${serverDomain}".key;
 };
 };
 security.pki.certificateFiles = [ certs.ca.cert ];
 networking.hosts."::1" = [ serverDomain ];
- networking.firewall.allowedTCPPorts = [ 80 443 ];
+ networking.firewall.allowedTCPPorts = [ 443 ];
 users.users.kanidm.shell = pkgs.bashInteractive;
@@ -73,7 +64,7 @@ import ./make-test-python.nix ({ pkgs, ... }:
 start_all()
 server.wait_for_unit("kanidm.service")
 server.wait_until_succeeds("curl -sf https://${serverDomain} | grep Kanidm")
- server.succeed("ldapsearch -H ldap://[::1]:636 -b '${ldapBaseDN}' -x '(name=test)'")
+ server.succeed("ldapsearch -H ldaps://${serverDomain}:636 -b '${ldapBaseDN}' -x '(name=test)'")
 client.succeed("kanidm login -D anonymous && kanidm self whoami | grep anonymous@${serverDomain}")
 rv, result = server.execute("kanidmd recover_account -c ${serverConfigFile} idm_admin 2>&1 | rg -o '[A-Za-z0-9]{48}'")
 assert rv == 0
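Review bot: The test now passes `tls_key = certs."${serverDomain}".key`, a world-readable Nix store path, so it never exercises the realistic deployment where the key sits outside the store with restrictive permissions and must be readable by the `kanidm` user the test references via `users.users.kanidm.shell`; a regression in how the unit accesses a 0400 key would go unnoticed. One way to cover it is to copy the key into the state directory with `systemd.tmpfiles.rules = [ "C /var/lib/kanidm/key.pem 0400 kanidm kanidm - ${certs."${serverDomain}".key}" ];` and point `tls_key = "/var/lib/kanidm/key.pem";` at it. The switch from `[::1]:8443` behind nginx to `bindaddress = "[::]:443"` also means kanidmd itself must bind a privileged port as its service user; this hunk does not show how the unit is permitted to do so, so presumably the module already grants the capability, and the test is now the only thing confirming it.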