nixos/kanidm: Add tls options
Since 1.1.0-alpha.10 kanidm requires TLS to be set up or it won't start.
This commit is contained in:
Flakebi
Martin Weinelt
parent
72779c7b0f
commit
887020f39c
2 changed files with 13 additions and 14 deletions
|
|
@ -100,6 +100,14 @@ in
|
||||||
readOnly = true;
|
readOnly = true;
|
||||||
type = lib.types.path;
|
type = lib.types.path;
|
||||||
};
|
};
|
||||||
|
tls_chain = lib.mkOption {
|
||||||
|
description = lib.mdDoc "TLS chain in pem format.";
|
||||||
|
type = lib.types.path;
|
||||||
|
};
|
||||||
|
tls_key = lib.mkOption {
|
||||||
|
description = lib.mdDoc "TLS key in pem format.";
|
||||||
|
type = lib.types.path;
|
||||||
|
};
|
||||||
log_level = lib.mkOption {
|
log_level = lib.mkOption {
|
||||||
description = lib.mdDoc "Log level of the server.";
|
description = lib.mdDoc "Log level of the server.";
|
||||||
default = "default";
|
default = "default";
|
||||||
|
|
|
||||||
|
|
@ -13,26 +13,17 @@ import ./make-test-python.nix ({ pkgs, ... }:
|
||||||
serverSettings = {
|
serverSettings = {
|
||||||
origin = "https://${serverDomain}";
|
origin = "https://${serverDomain}";
|
||||||
domain = serverDomain;
|
domain = serverDomain;
|
||||||
bindaddress = "[::1]:8443";
|
bindaddress = "[::]:443";
|
||||||
ldapbindaddress = "[::1]:636";
|
ldapbindaddress = "[::1]:636";
|
||||||
};
|
tls_chain = certs."${serverDomain}".cert;
|
||||||
};
|
tls_key = certs."${serverDomain}".key;
|
||||||
|
|
||||||
services.nginx = {
|
|
||||||
enable = true;
|
|
||||||
recommendedProxySettings = true;
|
|
||||||
virtualHosts."${serverDomain}" = {
|
|
||||||
forceSSL = true;
|
|
||||||
sslCertificate = certs."${serverDomain}".cert;
|
|
||||||
sslCertificateKey = certs."${serverDomain}".key;
|
|
||||||
locations."/".proxyPass = "http://[::1]:8443";
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
security.pki.certificateFiles = [ certs.ca.cert ];
|
security.pki.certificateFiles = [ certs.ca.cert ];
|
||||||
|
|
||||||
networking.hosts."::1" = [ serverDomain ];
|
networking.hosts."::1" = [ serverDomain ];
|
||||||
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
networking.firewall.allowedTCPPorts = [ 443 ];
|
||||||
|
|
||||||
users.users.kanidm.shell = pkgs.bashInteractive;
|
users.users.kanidm.shell = pkgs.bashInteractive;
|
||||||
|
|
||||||
|
|
@ -73,7 +64,7 @@ import ./make-test-python.nix ({ pkgs, ... }:
|
||||||
start_all()
|
start_all()
|
||||||
server.wait_for_unit("kanidm.service")
|
server.wait_for_unit("kanidm.service")
|
||||||
server.wait_until_succeeds("curl -sf https://${serverDomain} | grep Kanidm")
|
server.wait_until_succeeds("curl -sf https://${serverDomain} | grep Kanidm")
|
||||||
server.succeed("ldapsearch -H ldap://[::1]:636 -b '${ldapBaseDN}' -x '(name=test)'")
|
server.succeed("ldapsearch -H ldaps://${serverDomain}:636 -b '${ldapBaseDN}' -x '(name=test)'")
|
||||||
client.succeed("kanidm login -D anonymous && kanidm self whoami | grep anonymous@${serverDomain}")
|
client.succeed("kanidm login -D anonymous && kanidm self whoami | grep anonymous@${serverDomain}")
|
||||||
rv, result = server.execute("kanidmd recover_account -c ${serverConfigFile} idm_admin 2>&1 | rg -o '[A-Za-z0-9]{48}'")
|
rv, result = server.execute("kanidmd recover_account -c ${serverConfigFile} idm_admin 2>&1 | rg -o '[A-Za-z0-9]{48}'")
|
||||||
assert rv == 0
|
assert rv == 0
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue