Commit 7fc30df7 authored by Flakebi's avatar Flakebi Committed by github-actions[bot]

nixos/kanidm: Add tls options

Since 1.1.0-alpha.10, kanidm requires TLS to be configured or it will not start.

(cherry picked from commit 887020f3)
parent 9378ea05
+8 −0
@@ -100,6 +100,14 @@ in
            readOnly = true;
            type = lib.types.path;
          };
          tls_chain = lib.mkOption {
            description = lib.mdDoc "TLS chain in pem format.";
            type = lib.types.path;
          };
          tls_key = lib.mkOption {
            description = lib.mdDoc "TLS key in pem format.";
            type = lib.types.path;
          };
          log_level = lib.mkOption {
            description = lib.mdDoc "Log level of the server.";
            default = "default";
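Review bot: `tls_key = lib.mkOption` is typed `lib.types.path` with no warning that a Nix path literal such as `./key.pem` is copied into the world-readable Nix store, which would expose the private key to every local user. Suggest extending the description to `"TLS key in pem format. Pass a string path to a file outside the Nix store; a path literal would copy the private key into the world-readable store."` and adding an `example = "/var/lib/kanidm/key.pem";` to both new options so the intended usage is clear. Whether the service's unit hardening lets kanidm read a file outside the store is not visible in this hunk and should be confirmed. The enclosing options attrset starts and ends outside the hunk.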
+5 −14
@@ -13,26 +13,17 @@ import ./make-test-python.nix ({ pkgs, ... }:
        serverSettings = {
          origin = "https://${serverDomain}";
          domain = serverDomain;
          bindaddress = "[::1]:8443";
          bindaddress = "[::]:443";
          ldapbindaddress = "[::1]:636";
        };
      };

      services.nginx = {
        enable = true;
        recommendedProxySettings = true;
        virtualHosts."${serverDomain}" = {
          forceSSL = true;
          sslCertificate = certs."${serverDomain}".cert;
          sslCertificateKey = certs."${serverDomain}".key;
          locations."/".proxyPass = "http://[::1]:8443";
          tls_chain = certs."${serverDomain}".cert;
          tls_key = certs."${serverDomain}".key;
        };
      };

      security.pki.certificateFiles = [ certs.ca.cert ];

      networking.hosts."::1" = [ serverDomain ];
      networking.firewall.allowedTCPPorts = [ 80 443 ];
      networking.firewall.allowedTCPPorts = [ 443 ];

      users.users.kanidm.shell = pkgs.bashInteractive;

@@ -73,7 +64,7 @@ import ./make-test-python.nix ({ pkgs, ... }:
        start_all()
        server.wait_for_unit("kanidm.service")
        server.wait_until_succeeds("curl -sf https://${serverDomain} | grep Kanidm")
        server.succeed("ldapsearch -H ldap://[::1]:636 -b '${ldapBaseDN}' -x '(name=test)'")
        server.succeed("ldapsearch -H ldaps://${serverDomain}:636 -b '${ldapBaseDN}' -x '(name=test)'")
        client.succeed("kanidm login -D anonymous && kanidm self whoami | grep anonymous@${serverDomain}")
        rv, result = server.execute("kanidmd recover_account -c ${serverConfigFile} idm_admin 2>&1 | rg -o '[A-Za-z0-9]{48}'")
        assert rv == 0
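Review bot: The LDAPS endpoint is only checked from the server node itself on `server.succeed("ldapsearch -H ldaps://${serverDomain}:636 ...")`, because `ldapbindaddress` stays at `[::1]:636` and only 443 is opened in the firewall, so the client node exercises the new certificate chain over HTTPS alone. If the intent is to cover TLS on both listeners end to end, `ldapbindaddress = "[::]:636";`, `networking.firewall.allowedTCPPorts = [ 443 636 ];` and a `client.succeed("ldapsearch -H ldaps://${serverDomain}:636 -b '${ldapBaseDN}' -x '(name=test)'")` would do it, assuming the client node has the openldap tools available (not visible here). Binding `[::]:443` is presumably what lets the client VM reach the server, while `networking.hosts."::1"` maps the domain to loopback on the server only. The server node's configuration begins outside the hunk.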