From 50589e5179ebb4ffb6fe7541d41c679f6cb41457 Mon Sep 17 00:00:00 2001
From: Jade Ellis
Date: Sun, 3 Nov 2024 18:09:33 +0000
Subject: [PATCH] Use public TLS cert for kanidm

---
 servers/ansible/playbook.yaml | 2 ++
 servers/containers/kanidm.container | 3 ++-
 servers/kanidm/data/server.toml | 4 ++--
 servers/kanidm/entrypoint.sh | 8 ++++----
 4 files changed, 10 insertions(+), 7 deletions(-)
 mode change 100644 => 100755 servers/kanidm/entrypoint.sh

diff --git a/servers/ansible/playbook.yaml b/servers/ansible/playbook.yaml
index 91115fce..6981eaa8 100644
--- a/servers/ansible/playbook.yaml
+++ b/servers/ansible/playbook.yaml
@@ -30,6 +30,8 @@
 ansible.posix.synchronize:
 src: ../kanidm/
 dest: /etc/kanidm
+ - name: Make kanidm entrypoint executable
+ file: dest=/etc/kanidm/entrypoint.sh mode=a+x
 - name: Creates kanidm data directory
 file:
 path: /var/opt/kanidm_data
diff --git a/servers/containers/kanidm.container b/servers/containers/kanidm.container
index 4eeaf3fa..abdd1076 100644
--- a/servers/containers/kanidm.container
+++ b/servers/containers/kanidm.container
@@ -15,7 +15,8 @@ Image=docker.io/kanidm/server:latest
 ReadOnly=true
 # Volume=/run/podman/podman.sock:/var/run/docker.sock:z
 Volume=/var/opt/kanidm_data:/data:Z
-Volume=kanidm-certs.volume:/data/certs:z
+# Volume=kanidm-certs.volume:/data/certs:z
+Volume=traefik-certs.volume:/data/certs:ro
 Volume=/etc/kanidm/entrypoint.sh:/entrypoint.sh:ro,z
 Volume=/etc/kanidm/data/server.toml:/data/server.toml:ro,z
diff --git a/servers/kanidm/data/server.toml b/servers/kanidm/data/server.toml
index 08b5aa09..3095f1a8 100644
--- a/servers/kanidm/data/server.toml
+++ b/servers/kanidm/data/server.toml
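Review bot: The new task's `file: dest=/etc/kanidm/entrypoint.sh mode=a+x` shorthand is inconsistent with the YAML-dict form the neighbouring `file:` task uses (`path:` on its own line), and `a+x` only adds the execute bit without pinning the rest of the mode. Write it as a dict with an explicit octal mode: `path: /etc/kanidm/entrypoint.sh` / `mode: "0755"` / `state: file`. The same commit also flips the file to 100755 in git; if `ansible.posix.synchronize` runs with its default archive behaviour it already preserves that bit, in which case this task is a no-op that only documents intent — a one-line comment saying which of the two is relied on would help the next reader either way.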
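Review bot: `Volume=traefik-certs.volume:/data/certs:ro` mounts the whole Traefik certificate store into the identity server, while `server.toml` only needs `/data/certs/idm.ellis.link/`; if that volume also holds keys for other hostnames, every other site's private key becomes readable inside this container, so mount only the `idm.ellis.link` subtree (or a copy of it) rather than the volume root. `:ro` is the right direction, but the `:z` relabel carried by the neighbouring mounts was dropped here, which may matter on an SELinux-enforcing host if the volume contents are not already labelled for container access. Unless kanidmd re-reads its TLS files at runtime (nothing on this page shows that), a certificate Traefik renews into this volume will not be used until the container restarts, so a restart hook or timer is presumably needed. The commented-out `kanidm-certs.volume` line is better deleted than kept as dead config.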
@@ -45,8 +45,8 @@ db_path = "/data/kanidm.db" # db_arc_size = 2048 # # TLS chain and key in pem format. Both must be present -tls_chain = "/data/certs/chain.pem" -tls_key = "/data/certs/key.pem" +tls_chain = "/data/certs/idm.ellis.link/cert.pem" +tls_key = "/data/certs/idm.ellis.link/key.pem" # # The log level of the server. May be one of info, debug, trace # diff --git a/servers/kanidm/entrypoint.sh b/servers/kanidm/entrypoint.sh old mode 100644 new mode 100755 index 19b5067d..c7cba9b4 --- a/servers/kanidm/entrypoint.sh +++ b/servers/kanidm/entrypoint.sh @@ -2,9 +2,9 @@ set -e -if [ ! -f /data/certs/cert.pem ]; then - echo "Generating certs" - /sbin/kanidmd cert-generate -c /data/server.toml -fi +# if [ ! -f /data/certs/cert.pem ]; then +# echo "Generating certs" +# /sbin/kanidmd cert-generate -c /data/server.toml +# fi /sbin/kanidmd server -c /data/server.toml \ No newline at end of file
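Review bot: `tls_chain` now points at `cert.pem`, where it previously pointed at a file named `chain.pem`; the setting's own comment says it takes the TLS chain, so if Traefik's `cert.pem` for `idm.ellis.link` holds only the leaf certificate, clients that cannot fetch intermediates themselves will fail verification. Confirm that the file contains more than one certificate (e.g. `openssl crl2pkcs7 -nocrl -certfile cert.pem | openssl pkcs7 -print_certs -noout`) or point `tls_chain` at a full-chain file if one is written alongside. A short comment naming the producer of these files would help the next reader: `# Written by the traefik container (traefik-certs volume); layout is <hostname>/cert.pem + key.pem`.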
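Review bot: Commenting out the `cert-generate` block leaves dead code in the script and no explanation of why self-signed generation is gone; delete it and replace it with an explicit readiness check so a missing or unreadable key fails with a clear message instead of whatever `kanidmd` prints, e.g. `[ -r /data/certs/idm.ellis.link/key.pem ] || { echo "TLS key not readable: /data/certs/idm.ellis.link/key.pem" >&2; exit 1; }`. Independently of this change, the final line should be `exec /sbin/kanidmd server -c /data/server.toml`: without `exec` the shell stays as PID 1 and the SIGTERM podman sends on stop reaches the shell, not `kanidmd`, so the server is killed after the stop timeout instead of shutting down cleanly. The shebang on line 1 is outside the hunk, and the last line still has no trailing newline.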