path: root/nixos/modules/services/security/kanidm.nix
authorh7x4 <h7x4@nani.wtf>2024-01-08 18:07:42 +0100
committerh7x4 <h7x4@nani.wtf>2024-01-12 10:19:14 +0100
commitd167743c728545a4b63ac669e79eaefe3b0df623 (patch)
treefc7027b48e329e0fcb34ad1760cd2f1829660c5d /nixos/modules/services/security/kanidm.nix
parent521b5b3e6775023b371102e30773d41830577492 (diff)
nixos/kanidm: declare `online_backup` options
Diffstat (limited to 'nixos/modules/services/security/kanidm.nix')
-rw-r--r--nixos/modules/services/security/kanidm.nix32
1 files changed, 32 insertions, 0 deletions
diff --git a/nixos/modules/services/security/kanidm.nix b/nixos/modules/services/security/kanidm.nix
index c8d8f69729e9b..3402b38f18dd0 100644
--- a/nixos/modules/services/security/kanidm.nix
+++ b/nixos/modules/services/security/kanidm.nix
@@ -132,6 +132,28 @@ in
             default = "WriteReplica";
             type = lib.types.enum [ "WriteReplica" "WriteReplicaNoUI" "ReadOnlyReplica" ];
           };
+          online_backup = {
+            path = lib.mkOption {
+              description = lib.mdDoc "Path to the output directory for backups.";
+              type = lib.types.path;
+              default = "/var/lib/kanidm/backups";
+            };
+            schedule = lib.mkOption {
+              description = lib.mdDoc "The schedule for backups in cron format.";
+              type = lib.types.str;
+              default = "00 22 * * *";
+            };
+            versions = lib.mkOption {
+              description = lib.mdDoc ''
+                Number of backups to keep.
+
+                The default is set to `0`, in order to disable backups by default.
+              '';
+              type = lib.types.ints.unsigned;
+              default = 0;
+              example = 7;
+            };
+          };
         };
       };
       default = { };
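Review bot: The `path` option's description does not tell the reader that the module itself creates and owns the directory, which matters because the default `/var/lib/kanidm/backups` is where a copy of the server's data will land; the second hunk of this commit creates it via tmpfiles with mode 0700 and owner `kanidm`, so the description can state that contract: `description = lib.mdDoc "Path to the output directory for backups. The directory is created with mode 0700 and owned by the kanidm user.";`. The `schedule` option is a plain `lib.types.str` with no validation, so a malformed value is only detected by the daemon at runtime; at minimum an `example` (say `example = "00 22 * * *";`) and a sentence noting that the value is passed to kanidm unchanged would help users. Whether `versions = 0` really disables the backup job is a kanidm-side behaviour this hunk cannot show; if it is documented upstream, a link from the description would make the claim verifiable. The enclosing `serverSettings` submodule begins before this hunk.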
@@ -226,6 +248,14 @@ in
 
     environment.systemPackages = lib.mkIf cfg.enableClient [ cfg.package ];
 
+    systemd.tmpfiles.settings."10-kanidm" = {
+      ${cfg.serverSettings.online_backup.path}.d = {
+        mode = "0700";
+        user = "kanidm";
+        group = "kanidm";
+      };
+    };
+
     systemd.services.kanidm = lib.mkIf cfg.enableServer {
       description = "kanidm identity management daemon";
       wantedBy = [ "multi-user.target" ];
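Review bot: The new `systemd.tmpfiles.settings."10-kanidm"` rule is unconditional, whereas the service definition right below it is gated with `lib.mkIf cfg.enableServer`; on a host that only sets `enableClient`, the rule will still try to create the backup directory owned by a `kanidm` user/group that the module presumably only creates for the server role, which produces tmpfiles errors and an empty privileged directory nobody uses. Gate the rule the same way: `systemd.tmpfiles.settings."10-kanidm" = lib.mkIf cfg.enableServer {`. Whether the user exists in the client-only case is inferred from the surrounding module, which is outside this hunk; if the user is created unconditionally the error goes away, but the stray directory remains. The `mode = "0700"` choice is the right one for a directory holding database copies and should be kept.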
@@ -246,6 +276,8 @@ in
           BindPaths = [
             # To create the socket
             "/run/kanidmd:/run/kanidmd"
+            # To store backups
+            cfg.serverSettings.online_backup.path
           ];
 
           AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];