nixos/kanidm: Add tls options

Since 1.1.0-alpha.10 kanidm requires TLS to be set up or it won't start.
2022-11-20 18:10:15 +01:00 · 2022-11-20 18:10:15 +01:00 · 887020f39c
commit 887020f39c
parent 72779c7b0f
2 changed files with 13 additions and 14 deletions
--- a/nixos/modules/services/security/kanidm.nix
+++ b/nixos/modules/services/security/kanidm.nix
@ -100,6 +100,14 @@ in
            readOnly = true;
            type = lib.types.path;
          };
+          tls_chain = lib.mkOption {
+            description = lib.mdDoc "TLS chain in pem format.";
+            type = lib.types.path;
+          };
+          tls_key = lib.mkOption {
+            description = lib.mdDoc "TLS key in pem format.";
+            type = lib.types.path;
+          };
          log_level = lib.mkOption {
            description = lib.mdDoc "Log level of the server.";
            default = "default";
--- a/nixos/tests/kanidm.nix
+++ b/nixos/tests/kanidm.nix
@ -13,26 +13,17 @@ import ./make-test-python.nix ({ pkgs, ... }:
        serverSettings = {
          origin = "https://${serverDomain}";
          domain = serverDomain;
-          bindaddress = "[::1]:8443";
+          bindaddress = "[::]:443";
          ldapbindaddress = "[::1]:636";
-        };
-      };
-
-      services.nginx = {
-        enable = true;
-        recommendedProxySettings = true;
-        virtualHosts."${serverDomain}" = {
-          forceSSL = true;
-          sslCertificate = certs."${serverDomain}".cert;
-          sslCertificateKey = certs."${serverDomain}".key;
-          locations."/".proxyPass = "http://[::1]:8443";
+          tls_chain = certs."${serverDomain}".cert;
+          tls_key = certs."${serverDomain}".key;
        };
      };

      security.pki.certificateFiles = [ certs.ca.cert ];

      networking.hosts."::1" = [ serverDomain ];
-      networking.firewall.allowedTCPPorts = [ 80 443 ];
+      networking.firewall.allowedTCPPorts = [ 443 ];

      users.users.kanidm.shell = pkgs.bashInteractive;

@ -73,7 +64,7 @@ import ./make-test-python.nix ({ pkgs, ... }:
        start_all()
        server.wait_for_unit("kanidm.service")
        server.wait_until_succeeds("curl -sf https://${serverDomain} | grep Kanidm")
-        server.succeed("ldapsearch -H ldap://[::1]:636 -b '${ldapBaseDN}' -x '(name=test)'")
+        server.succeed("ldapsearch -H ldaps://${serverDomain}:636 -b '${ldapBaseDN}' -x '(name=test)'")
        client.succeed("kanidm login -D anonymous && kanidm self whoami | grep anonymous@${serverDomain}")
        rv, result = server.execute("kanidmd recover_account -c ${serverConfigFile} idm_admin 2>&1 | rg -o '[A-Za-z0-9]{48}'")
        assert rv == 0