# Kanidm identity provider for this node: TLS-terminating server, a local CLI
# client, and declarative provisioning of the persons, groups and OAuth2
# clients that the other services authenticate against.
{ config, pkgs, ... }:
let
  # Public hostname of the IdP; the server `origin` and the client `uri`
  # below are both derived from it.
  kanidmdomain = "auth.${config.secrets.secrets.global.domains.web}";
in
{
  wireguard.elisabeth = {
    client.via = "elisabeth";
    # Only the `elisabeth` node may reach the server port over the wireguard
    # link. The listener further down binds 0.0.0.0:3000, so this rule is what
    # limits who can talk to kanidm directly (presumably the reverse proxy in
    # front of it lives on elisabeth — confirm).
    firewallRuleForNode.elisabeth.allowedTCPPorts = [ 3000 ];
  };
  # Kanidm state (database, keys) survives reboots; owned by the service user
  # and not readable by anyone else.
  environment.persistence."/persist".directories = [
    {
      directory = "/var/lib/kanidm";
      user = "kanidm";
      group = "kanidm";
      mode = "0700";
    }
  ];
  # Secrets are decrypted at activation and made readable to the kanidm group
  # only (mode 440).
  age.secrets = {
    # TLS chain and private key that kanidm serves itself.
    kanidm-cert = {
      rekeyFile = config.node.secretsDir + "/cert.age";
      group = "kanidm";
      mode = "440";
    };
    kanidm-key = {
      rekeyFile = config.node.secretsDir + "/key.age";
      group = "kanidm";
      mode = "440";
    };
    # OAuth2 client secrets for the confidential clients. They are generated
    # on the host rather than checked in; each is wired up below through
    # `basicSecretFile`.
    oauth2-nextcloud = {
      generator.script = "alnum";
      mode = "440";
      group = "kanidm";
    };
    oauth2-immich = {
      generator.script = "alnum";
      mode = "440";
      group = "kanidm";
    };
    oauth2-paperless = {
      generator.script = "alnum";
      mode = "440";
      group = "kanidm";
    };
    oauth2-proxy = {
      generator.script = "alnum";
      mode = "440";
      group = "kanidm";
    };
    oauth2-forgejo = {
      generator.script = "alnum";
      mode = "440";
      group = "kanidm";
    };
  };
  services.kanidm = {
    # Package variant that can read OAuth2 client secrets from files during
    # provisioning (see the `basicSecretFile` attributes below).
    package = pkgs.kanidm.withSecretProvisioning;
    enableServer = true;
    serverSettings = {
      domain = kanidmdomain;
      origin = "https://${kanidmdomain}";
      # TLS terminates in kanidm itself, using the age-provided cert and key.
      tls_chain = config.age.secrets.kanidm-cert.path;
      tls_key = config.age.secrets.kanidm-key.path;
      bindaddress = "0.0.0.0:3000";
      # NOTE(review): client addresses are taken from the X-Forwarded-For
      # header. That is only trustworthy while the wireguard firewall rule
      # above is the sole route to port 3000; any direct reachability would
      # let a caller spoof its address in audit logs and IP-based controls.
      trust_x_forward_for = true;
    };
    # Local CLI client (used for provisioning) talks to the server over the
    # public origin with full certificate and hostname verification.
    enableClient = true;
    clientSettings = {
      uri = config.services.kanidm.serverSettings.origin;
      verify_ca = true;
      verify_hostnames = true;
    };
    provision = {
      enable = true;
      # Person accounts (and their group memberships) are kept in the
      # encrypted node secrets, not in this file.
      inherit (config.secrets.secrets.local.kanidm) persons;
      # Per-service pattern: `<svc>.access` grants login to the service and
      # contains `<svc>.admins`, which in turn contains `administrator`.
      groups."paperless.access" = {
        members = [ "paperless.admins" ];
      };
      # currently not usable
      groups."paperless.admins" = {
        members = [ "administrator" ];
      };
      systems.oauth2.paperless = {
        displayName = "paperless";
        # Exact redirect URI the client sends; anything else is rejected.
        originUrl = "https://ppl.${config.secrets.secrets.global.domains.web}/accounts/oidc/kanidm/login/callback/";
        originLanding = "https://ppl.${config.secrets.secrets.global.domains.web}/";
        basicSecretFile = config.age.secrets.oauth2-paperless.path;
        # Only members of paperless.access are mapped these scopes; users
        # outside the group get no scopes for this client.
        scopeMaps."paperless.access" = [
          "openid"
          "email"
          "profile"
        ];
        preferShortUsername = true;
      };
      groups."nextcloud.access" = {
        members = [ "nextcloud.admins" ];
      };
      # currently not usable
      groups."nextcloud.admins" = {
        members = [ "administrator" ];
      };
      systems.oauth2.nextcloud = {
        displayName = "nextcloud";
        originUrl = "https://nc.${config.secrets.secrets.global.domains.web}/";
        originLanding = "https://nc.${config.secrets.secrets.global.domains.web}/";
        basicSecretFile = config.age.secrets.oauth2-nextcloud.path;
        # NOTE(review): lets this client skip PKCE, which removes the
        # protection against authorization-code interception even for a
        # confidential client. Keep only while the client cannot do PKCE —
        # TODO confirm it is still needed for the deployed nextcloud version.
        allowInsecureClientDisablePkce = true;
        scopeMaps."nextcloud.access" = [
          "openid"
          "email"
          "profile"
        ];
        preferShortUsername = true;
      };
      groups."immich.access" = {
        members = [ "immich.admins" ];
      };
      # currently not usable
      groups."immich.admins" = {
        members = [ "administrator" ];
      };
      systems.oauth2.immich = {
        displayName = "Immich";
        originUrl = "https://immich.${config.secrets.secrets.global.domains.web}/auth/login";
        originLanding = "https://immich.${config.secrets.secrets.global.domains.web}/";
        basicSecretFile = config.age.secrets.oauth2-immich.path;
        # NOTE(review): PKCE disabled as for nextcloud above — confirm the
        # client still requires this.
        allowInsecureClientDisablePkce = true;
        # NOTE(review): permits legacy (presumably RSA-based) token crypto for
        # this client; drop once the client accepts kanidm's defaults — TODO
        # confirm.
        enableLegacyCrypto = true;
        scopeMaps."immich.access" = [
          "openid"
          "email"
          "profile"
        ];
        preferShortUsername = true;
      };
      # Access groups for services that sit behind oauth2-proxy. No members
      # are declared here; membership presumably comes from the persons
      # inherited from secrets above.
      groups."rss.access" = { };
      groups."firefly.access" = { };
      groups."ollama.access" = { };
      groups."adguardhome.access" = { };
      groups."octoprint.access" = { };
      groups."invidious.access" = { };
      # Single OAuth2 client shared by all proxied services; which service a
      # user may enter is carried in the `groups` claim below, not in a
      # separate client per service.
      systems.oauth2.oauth2-proxy = {
        displayName = "Oauth2-Proxy";
        originUrl = "https://oauth2.${config.secrets.secrets.global.domains.web}/oauth2/callback";
        originLanding = "https://oauth2.${config.secrets.secrets.global.domains.web}/";
        basicSecretFile = config.age.secrets.oauth2-proxy.path;
        # A user in any of these groups can authenticate to the proxy client.
        scopeMaps."adguardhome.access" = [
          "openid"
          "email"
          "profile"
        ];
        scopeMaps."rss.access" = [
          "openid"
          "email"
          "profile"
        ];
        scopeMaps."firefly.access" = [
          "openid"
          "email"
          "profile"
        ];
        scopeMaps."ollama.access" = [
          "openid"
          "email"
          "profile"
        ];
        scopeMaps."octoprint.access" = [
          "openid"
          "email"
          "profile"
        ];
        scopeMaps."invidious.access" = [
          "openid"
          "email"
          "profile"
        ];
        preferShortUsername = true;
        # Emits a `groups` claim as an array holding one marker per access
        # group the user is in; oauth2-proxy presumably authorizes each
        # upstream on the matching `<svc>_access` value — confirm against the
        # proxy config.
        claimMaps.groups = {
          joinType = "array";
          valuesByGroup."adguardhome.access" = [ "adguardhome_access" ];
          valuesByGroup."rss.access" = [ "ttrss_access" ];
          valuesByGroup."firefly.access" = [ "firefly_access" ];
          valuesByGroup."ollama.access" = [ "ollama_access" ];
          valuesByGroup."octoprint.access" = [ "octoprint_access" ];
          valuesByGroup."invidious.access" = [ "invidious_access" ];
        };
      };
      groups."forgejo.access" = {
        members = [ "forgejo.admins" ];
      };
      groups."forgejo.admins" = {
        members = [ "administrator" ];
      };
      systems.oauth2.forgejo = {
        displayName = "Forgejo";
        originUrl = "https://forge.${config.secrets.secrets.global.domains.web}/user/oauth2/kanidm/callback";
        originLanding = "https://forge.${config.secrets.secrets.global.domains.web}/";
        basicSecretFile = config.age.secrets.oauth2-forgejo.path;
        scopeMaps."forgejo.access" = [
          "openid"
          "email"
          "profile"
        ];
        # NOTE(review): PKCE disabled as for nextcloud above — confirm the
        # client still requires this.
        allowInsecureClientDisablePkce = true;
        preferShortUsername = true;
        # Members of forgejo.admins receive "admin" in the `groups` claim;
        # presumably forgejo maps that to site administration — confirm.
        claimMaps.groups = {
          joinType = "array";
          valuesByGroup."forgejo.admins" = [ "admin" ];
        };
      };
      groups."netbird.access" = { };
      systems.oauth2.netbird = {
        # Public client: no client secret is issued (note there is no
        # basicSecretFile here), so the registered redirect URIs are what
        # bind authorization codes to this client.
        public = true;
        displayName = "Netbird";
        originUrl = "https://netbird.${config.secrets.secrets.global.domains.web}/";
        originLanding = "https://netbird.${config.secrets.secrets.global.domains.web}/";
        preferShortUsername = true;
        # Allows redirect URIs on localhost, presumably for the native netbird
        # client's browser login flow — confirm it is still needed.
        enableLocalhostRedirects = true;
        # NOTE(review): legacy token crypto, see the immich client above —
        # TODO confirm the client still needs it.
        enableLegacyCrypto = true;
        scopeMaps."netbird.access" = [
          "openid"
          "email"
          "profile"
        ];
      };
    };
  };
  # Provisioning depends on the server being up; on failure retry slowly
  # instead of hammering it.
  systemd.services.kanidm.serviceConfig.RestartSec = "60"; # Retry every minute
}