nixos/kanidm: add option to automatically generate self-signed cert

nixos/modules/services/security/kanidm.nix

@@ -236,6 +236,8 @@ in
       extraDescription = "If not set will receive a specific version based on stateVersion. Set to `pkgs.kanidm` to always receive the latest version, with the understanding that this could introduce breaking changes.";
     };
 
+    generateSelfSigned = mkEnableOption "the generation of a self-signed certificate for kanidm. Useful if kanidm is behind a reverse proxy.";
+
     serverSettings = mkOption {
       type = types.submodule {
         freeformType = settingsFormat.type;
@@ -645,7 +647,12 @@ in
 
         # Accumulate entities by name. Track corresponding entity types for later duplicate check.
         entitiesByName = foldl' (
-          acc: { type, name }: acc // { ${name} = (acc.${name} or [ ]) ++ [ type ]; }
+          acc:
+          { type, name }:
+          acc
+          // {
+            ${name} = (acc.${name} or [ ]) ++ [ type ];
+          }
         ) { } entities;
 
         assertGroupsKnown =
@@ -824,6 +831,11 @@ in
       in
       lib.mkDefault pkg;
 
+    services.kanidm.serverSettings = mkIf cfg.generateSelfSigned {
+      tls_chain = lib.mkDefault "/var/lib/kanidm/self-signed/chain.pem";
+      tls_key = lib.mkDefault "/var/lib/kanidm/self-signed/key.pem";
+    };
+
     environment.systemPackages = mkIf cfg.enableClient [ cfg.package ];
 
     systemd.tmpfiles.settings."10-kanidm" = {
@@ -879,6 +891,41 @@ in
       environment.RUST_LOG = "info";
     };
 
+    systemd.services.kanidm-generate-self-signed = mkIf cfg.generateSelfSigned {
+      description = "small script to generate a self-signed certificate for kanidm";
+      requiredBy = [ "kanidm.service" ];
+      before = [ "kanidm.service" ];
+      enableStrictShellChecks = true;
+      serviceConfig = {
+        Type = "oneshot";
+        RemainAfterExit = true;
+      };
+      script =
+        let
+          certtool = "${pkgs.gnutls.bin}/bin/certtool";
+          template_file = pkgs.writeText "kanidm-selfsigned-certtool-template" ''
+            cn = "${cfg.serverSettings.domain}"
+            expiration_days = -1
+            signing_key
+            encryption_key
+            tls_www_server
+          '';
+          inherit (cfg.serverSettings) tls_chain tls_key;
+          esc = lib.escapeShellArg;
+        in
+        ''
+          if [[ ! -f ${esc tls_chain} ]]; then
+            directories=("$(dirname ${esc tls_chain})" "$(dirname ${esc tls_key})")
+            mkdir -p "''${directories[@]}"
+            ${certtool} --generate-privkey --outfile=${esc tls_key} --key-type=rsa --sec-param=high
+            ${certtool} --generate-self-signed --load-privkey=${esc tls_key} --outfile=${esc tls_chain} --template=${template_file}
+            chmod 0500 "''${directories[@]}"
+            chmod 0400 ${esc tls_key} ${esc tls_chain}
+            chown kanidm:kanidm ${esc tls_key} ${esc tls_chain} "''${directories[@]}"
+          fi
+        '';
+    };
+
     systemd.services.kanidm-unixd = mkIf cfg.enablePam {
       description = "Kanidm PAM daemon";
       wantedBy = [ "multi-user.target" ];
@@ -973,7 +1020,9 @@ in
 
     # These paths are hardcoded
     environment.etc = mkMerge [
-      (mkIf cfg.enableServer { "kanidm/server.toml".source = serverConfigFile; })
+      (mkIf cfg.enableServer {
+        "kanidm/server.toml".source = serverConfigFile;
+      })
       (mkIf options.services.kanidm.clientSettings.isDefined {
         "kanidm/config".source = clientConfigFile;
       })

nixos/tests/all-tests.nix

@@ -504,6 +504,7 @@ in {
   kafka = handleTest ./kafka.nix {};
   kanboard = handleTest ./web-apps/kanboard.nix {};
   kanidm = handleTest ./kanidm.nix {};
+  kanidm-generate-selfsigned = handleTest ./kanidm-generate-selfsigned.nix {};
   kanidm-provisioning = handleTest ./kanidm-provisioning.nix {};
   karma = handleTest ./karma.nix {};
   kavita = handleTest ./kavita.nix {};

nixos/tests/kanidm-generate-selfsigned.nix

@@ -0,0 +1,46 @@
+import ./make-test-python.nix (
+  { pkgs, ... }:
+  let
+    serverDomain = "kanidm.test";
+  in
+  {
+    name = "kanidm";
+    meta.maintainers = with pkgs.lib.maintainers; [
+      Flakebi
+      oddlama
+    ];
+
+    nodes.server =
+      { pkgs, ... }:
+      {
+        services.kanidm = {
+          enableServer = true;
+          generateSelfSigned = true;
+          serverSettings = {
+            origin = "https://${serverDomain}";
+            domain = serverDomain;
+            bindaddress = "[::]:443";
+            ldapbindaddress = "[::1]:636";
+          };
+        };
+
+        networking.hosts."::1" = [ serverDomain ];
+        networking.firewall.allowedTCPPorts = [ 443 ];
+
+        users.users.kanidm.shell = pkgs.bashInteractive;
+
+        environment.systemPackages = with pkgs; [
+          kanidm
+          openldap
+          ripgrep
+        ];
+      };
+
+    testScript = ''
+      server.start()
+      server.wait_for_unit("kanidm.service")
+      with subtest("Test HTTP interface"):
+          server.wait_until_succeeds("curl -kLsf https://${serverDomain} | grep Kanidm")
+    '';
+  }
+)

pkgs/by-name/ka/kanidm/generic.nix

@@ -137,7 +137,7 @@ rustPlatform.buildRustPackage rec {
 
   passthru = {
     tests = {
-      inherit (nixosTests) kanidm kanidm-provisioning;
+      inherit (nixosTests) kanidm kanidm-provisioning kanidm-generate-selfsigned;
     };
 
     updateScript = lib.optionals (!enableSecretProvisioning) (nix-update-script {