Canaille
Canaille is a zero-knowledge opinionated identity server.
services.canaille.enable
Whether to enable Canaille.
- Type: boolean
- Default: false

services.canaille.jwtPrivateKeyFile
File containing the JWT private key. Make sure it has appropriate permissions.
You can generate one using:
openssl genrsa -out private.pem 4096
openssl rsa -in private.pem -pubout -outform PEM -out public.pem
- Type: null or absolute path
- Default: null

services.canaille.ldapBindPasswordFile
File containing the LDAP bind password.
- Type: null or absolute path
- Default: null

services.canaille.package
The canaille package to use.
- Type: package
- Default: pkgs.canaille

services.canaille.secretKeyFile
File containing the Flask secret key. Its content is provided to Canaille as SECRET_KEY. Make sure it has appropriate permissions. For example, copy the output of this command to the specified file:
python3 -c 'import secrets; print(secrets.token_hex())'
- Type: absolute path

services.canaille.settings
Settings for Canaille. See the documentation for details.
- Type: TOML value
- Default: { }

services.canaille.settings.CANAILLE.ACL
Access Control Lists. See also the documentation.
- Type: null or (TOML value)
- Default: null

services.canaille.settings.CANAILLE.SMTP
SMTP configuration. By default, sending emails is not enabled. Set to an empty attrs to send emails from localhost without authentication. See also the documentation.
- Type: null or (TOML value)
- Default: null

services.canaille.settings.CANAILLE.SMTP.PASSWORD
Read-only. SMTP password. Can't be set and has to be provided using services.canaille.smtpPasswordFile.
- Type: null or string
- Default: null

services.canaille.settings.CANAILLE_LDAP
Configuration for the LDAP backend. This storage backend is not yet supported by the module, so use at your own risk!
- Type: null or (TOML value)
- Default: null

services.canaille.settings.CANAILLE_LDAP.BIND_PW
Read-only. The LDAP bind password. Can't be set and has to be provided using services.canaille.ldapBindPasswordFile.
- Type: null or string
- Default: null

services.canaille.settings.CANAILLE_OIDC
OpenID Connect settings. See the documentation.
- Type: null or (TOML value)
- Default: null

services.canaille.settings.CANAILLE_OIDC.JWT.PRIVATE_KEY
Read-only. JWT private key. Can't be set and has to be provided using services.canaille.jwtPrivateKeyFile.
- Type: null or string
- Default: null

services.canaille.settings.CANAILLE_SQL.DATABASE_URI
The SQL server URI. A local PostgreSQL database is configured if this is left at its default. Note that the NixOS module only really supports PostgreSQL for now; change at your own risk!
- Type: string
- Default: "postgresql://localhost/canaille?host=/run/postgresql"

services.canaille.settings.PREFERRED_URL_SCHEME
The URL scheme by which Canaille will be served.
- Type: one of "http", "https"
- Default: "https"

services.canaille.settings.SECRET_KEY
Read-only. Flask secret key. Can't be set and must be provided through services.canaille.secretKeyFile.
- Type: null or string
- Default: null

services.canaille.settings.SERVER_NAME
The domain name on which Canaille will be served.
- Type: string

services.canaille.smtpPasswordFile
File containing the SMTP password. Make sure it has appropriate permissions.
- Type: null or absolute path
- Default: null
Examples
basic
{ ... }: {
  services.canaille.enable = true;
  services.canaille.settings.SERVER_NAME = "auth.mydomain.example";
  security.acme.acceptTerms = true;
  security.acme.defaults.email = "you@example.com";
  services.canaille.secretKeyFile = "/etc/nixos/canaille-secret.key";
}
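Provisioning the secret files: the script below is an added example, not part of the module documentation or the Canaille project. It creates the JWT key pair with the openssl commands given for jwtPrivateKeyFile and a Flask secret key for secretKeyFile, all under a 077 umask, and refuses any secret file that is group- or world-readable. It assumes openssl is installed and substitutes openssl rand -hex 32 for the python3 secrets.token_hex() call (same 64-hex-character output); the target directory path is an assumption.

```shell
#!/bin/sh
# Added example: provision the secret files for the services.canaille options.
# Assumes openssl is installed; the target directory is a constructed path.
set -eu

# Fail if a secret file is missing or readable by group or others
# (checks the permission bits, not effective access, so it also works as root).
check_secret_perms() {
  f=$1
  if [ ! -f "$f" ]; then
    echo "missing secret file: $f" >&2
    return 1
  fi
  if [ -n "$(find "$f" \( -perm -040 -o -perm -004 \) -print)" ]; then
    echo "secret file is readable by group or others: $f" >&2
    return 1
  fi
  return 0
}

# Generate the JWT key pair (the openssl commands from the option description)
# and a Flask secret key. Everything is created in a subshell under umask 077
# so only the owner can read the files and the umask does not leak to the caller.
generate_canaille_secrets() {
  dir=$1
  (
    umask 077
    mkdir -p "$dir"
    openssl genrsa -out "$dir/private.pem" 4096 2>/dev/null
    openssl rsa -in "$dir/private.pem" -pubout -outform PEM -out "$dir/public.pem" 2>/dev/null
    # Same shape as python3 -c 'import secrets; print(secrets.token_hex())':
    # 32 random bytes rendered as 64 hex characters.
    openssl rand -hex 32 > "$dir/secret.key"
  )
  check_secret_perms "$dir/private.pem"
  check_secret_perms "$dir/secret.key"
}

# Usage: sh provision.sh /etc/nixos/canaille, then point the options at the files:
#   services.canaille.jwtPrivateKeyFile = "/etc/nixos/canaille/private.pem";
#   services.canaille.secretKeyFile     = "/etc/nixos/canaille/secret.key";
if [ $# -gt 0 ]; then
  generate_canaille_secrets "$1"
fi
```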
This project is funded by NLnet through these subgrants: