nix-config/config/services/kanidm.nix

{config, ...}: let
  kanidmdomain = "auth.${config.secrets.secrets.global.domains.web}";
in {
  imports = [../../modules/kanidm.nix];
  wireguard.elisabeth = {
    client.via = "elisabeth";
    firewallRuleForNode.elisabeth.allowedTCPPorts = [3000];
  };
  disabledModules = ["services/security/kanidm.nix"];
  environment.persistence."/persist".directories = [
    {
      directory = "/var/lib/kanidm";
      user = "kanidm";
      group = "kanidm";
      mode = "0700";
    }
  ];
  age.secrets = {
    kanidm-cert = {
      rekeyFile = config.node.secretsDir + "/cert.age";
      group = "kanidm";
      mode = "440";
    };
    kanidm-key = {
      rekeyFile = config.node.secretsDir + "/key.age";
      group = "kanidm";
      mode = "440";
    };
    oauth2-nextcloud = {
      generator.script = "alnum";
      mode = "440";
      group = "kanidm";
    };
    oauth2-immich = {
      generator.script = "alnum";
      mode = "440";
      group = "kanidm";
    };
    oauth2-paperless = {
      generator.script = "alnum";
      mode = "440";
      group = "kanidm";
    };
    oauth2-proxy = {
      generator.script = "alnum";
      mode = "440";
      group = "kanidm";
    };
    oauth2-forgejo = {
      generator.script = "alnum";
      mode = "440";
      group = "kanidm";
    };
  };
  services.kanidm = {
    enableServer = true;
    serverSettings = {
      domain = kanidmdomain;
      origin = "https://${kanidmdomain}";
      tls_chain = config.age.secrets.kanidm-cert.path;
      tls_key = config.age.secrets.kanidm-key.path;
      bindaddress = "0.0.0.0:3000";
      trust_x_forward_for = true;
    };
    enableClient = true;
    clientSettings = {
      uri = config.services.kanidm.serverSettings.origin;
      verify_ca = true;
      verify_hostnames = true;
    };
    provision = {
      enable = true;

      inherit (config.secrets.secrets.local.kanidm) persons;

      groups."paperless.access" = {
        members = ["paperless.admins"];
      };
      # currently not usable
      groups."paperless.admins" = {
        members = ["administrator"];
      };
      systems.oauth2.paperless = {
        displayName = "paperless";
        originUrl = "https://ppl.${config.secrets.secrets.global.domains.web}/";
        basicSecretFile = config.age.secrets.oauth2-paperless.path;
        scopeMaps."paperless.access" = ["openid" "email" "profile"];
        preferShortUsername = true;
      };

      groups."nextcloud.access" = {
        members = ["nextcloud.admins"];
      };
      # currently not usable
      groups."nextcloud.admins" = {
        members = ["administrator"];
      };
      systems.oauth2.nextcloud = {
        displayName = "nextcloud";
        originUrl = "https://nc.${config.secrets.secrets.global.domains.web}/";
        basicSecretFile = config.age.secrets.oauth2-nextcloud.path;
        allowInsecureClientDisablePkce = true;
        scopeMaps."nextcloud.access" = ["openid" "email" "profile"];
        preferShortUsername = true;
      };

      groups."immich.access" = {
        members = ["immich.admins"];
      };
      # currently not usable
      groups."immich.admins" = {
        members = ["administrator"];
      };
      systems.oauth2.immich = {
        displayName = "Immich";
        originUrl = "https://immich.${config.secrets.secrets.global.domains.web}/";
        basicSecretFile = config.age.secrets.oauth2-immich.path;
        allowInsecureClientDisablePkce = true;
        scopeMaps."immich.access" = ["openid" "email" "profile"];
        preferShortUsername = true;
      };

      groups."rss.access" = {};
      groups."firefly.access" = {};
      groups."ollama.access" = {};
      groups."adguardhome.access" = {
      };
      systems.oauth2.oauth2-proxy = {
        displayName = "Oauth2-Proxy";
        originUrl = "https://oauth2.${config.secrets.secrets.global.domains.web}/";
        basicSecretFile = config.age.secrets.oauth2-proxy.path;
        scopeMaps."adguardhome.access" = ["openid" "email" "profile"];
        scopeMaps."rss.access" = ["openid" "email" "profile"];
        scopeMaps."firefly.access" = ["openid" "email" "profile"];
        scopeMaps."ollama.access" = ["openid" "email" "profile"];
        preferShortUsername = true;
        claimMaps.groups = {
          joinType = "array";
          valuesByGroup."adguardhome.access" = ["adguardhome_access"];
          valuesByGroup."rss.access" = ["ttrss_access"];
          valuesByGroup."firefly.access" = ["firefly_access"];
          valuesByGroup."ollama.access" = ["ollama_access"];
        };
      };

      groups."forgejo.access" = {
        members = ["forgejo.admins"];
      };
      groups."forgejo.admins" = {
        members = ["administrator"];
      };
      systems.oauth2.forgejo = {
        displayName = "Forgejo";
        originUrl = "https://forge.${config.secrets.secrets.global.domains.web}/";
        basicSecretFile = config.age.secrets.oauth2-forgejo.path;
        scopeMaps."forgejo.access" = ["openid" "email" "profile"];
        allowInsecureClientDisablePkce = true;
        preferShortUsername = true;
        claimMaps.groups = {
          joinType = "array";
          valuesByGroup."forgejo.admins" = ["admin"];
        };
      };

      groups."netbird.access" = {
      };
      systems.oauth2.netbird = {
        public = true;
        displayName = "Netbird";
        originUrl = "https://netbird.${config.secrets.secrets.global.domains.web}/";
        preferShortUsername = true;
        enableLocalhostRedirects = true;
        enableLegacyCrypto = true;
        scopeMaps."netbird.access" = ["openid" "email" "profile"];
      };
    };
  };
  systemd.services.kanidm.serviceConfig.RestartSec = "60"; # Retry every minute
}
feat: switch to kanidm instead 2024-03-05 00:34:50 +01:00			`{config, ...}: let`
			`kanidmdomain = "auth.${config.secrets.secrets.global.domains.web}";`
			`in {`
chore: new README chore: new structure 2024-04-11 23:11:53 +02:00			`imports = [../../modules/kanidm.nix];`
feat: added local wireguard routing 2024-03-14 23:08:42 +01:00			`wireguard.elisabeth = {`
			`client.via = "elisabeth";`
			`firewallRuleForNode.elisabeth.allowedTCPPorts = [3000];`
			`};`
feat: kanidm provision feat: move gitea to forgejo feat: fix streamdeck 2024-03-12 18:19:52 +01:00			`disabledModules = ["services/security/kanidm.nix"];`
feat: switch to kanidm instead 2024-03-05 00:34:50 +01:00			`environment.persistence."/persist".directories = [`
			`{`
			`directory = "/var/lib/kanidm";`
			`user = "kanidm";`
			`group = "kanidm";`
			`mode = "0700";`
			`}`
			`];`
			`age.secrets = {`
			`kanidm-cert = {`
			`rekeyFile = config.node.secretsDir + "/cert.age";`
			`group = "kanidm";`
			`mode = "440";`
			`};`
			`kanidm-key = {`
			`rekeyFile = config.node.secretsDir + "/key.age";`
			`group = "kanidm";`
			`mode = "440";`
			`};`
feat: added sso for nextcloud and immich 2024-03-12 20:45:30 +01:00			`oauth2-nextcloud = {`
			`generator.script = "alnum";`
			`mode = "440";`
			`group = "kanidm";`
			`};`
			`oauth2-immich = {`
			`generator.script = "alnum";`
			`mode = "440";`
			`group = "kanidm";`
			`};`
feat: paperless oauth 2024-03-12 22:49:54 +01:00			`oauth2-paperless = {`
			`generator.script = "alnum";`
			`mode = "440";`
			`group = "kanidm";`
			`};`
feat: oauth2-proxy 2024-03-19 00:46:35 +01:00			`oauth2-proxy = {`
			`generator.script = "alnum";`
			`mode = "440";`
			`group = "kanidm";`
			`};`
feat: kanidm provision feat: move gitea to forgejo feat: fix streamdeck 2024-03-12 18:19:52 +01:00			`oauth2-forgejo = {`
			`generator.script = "alnum";`
			`mode = "440";`
			`group = "kanidm";`
			`};`
feat: switch to kanidm instead 2024-03-05 00:34:50 +01:00			`};`
			`services.kanidm = {`
			`enableServer = true;`
			`serverSettings = {`
			`domain = kanidmdomain;`
			`origin = "https://${kanidmdomain}";`
			`tls_chain = config.age.secrets.kanidm-cert.path;`
			`tls_key = config.age.secrets.kanidm-key.path;`
			`bindaddress = "0.0.0.0:3000";`
			`trust_x_forward_for = true;`
			`};`
			`enableClient = true;`
			`clientSettings = {`
			`uri = config.services.kanidm.serverSettings.origin;`
			`verify_ca = true;`
			`verify_hostnames = true;`
			`};`
feat: kanidm provision feat: move gitea to forgejo feat: fix streamdeck 2024-03-12 18:19:52 +01:00			`provision = {`
			`enable = true;`

feat: added sso for nextcloud and immich 2024-03-12 20:45:30 +01:00			`inherit (config.secrets.secrets.local.kanidm) persons;`

feat: paperless oauth 2024-03-12 22:49:54 +01:00			`groups."paperless.access" = {`
			`members = ["paperless.admins"];`
			`};`
			`# currently not usable`
			`groups."paperless.admins" = {`
			`members = ["administrator"];`
			`};`
			`systems.oauth2.paperless = {`
			`displayName = "paperless";`
			`originUrl = "https://ppl.${config.secrets.secrets.global.domains.web}/";`
			`basicSecretFile = config.age.secrets.oauth2-paperless.path;`
			`scopeMaps."paperless.access" = ["openid" "email" "profile"];`
			`preferShortUsername = true;`
			`};`

feat: added sso for nextcloud and immich 2024-03-12 20:45:30 +01:00			`groups."nextcloud.access" = {`
			`members = ["nextcloud.admins"];`
			`};`
			`# currently not usable`
			`groups."nextcloud.admins" = {`
			`members = ["administrator"];`
			`};`
			`systems.oauth2.nextcloud = {`
			`displayName = "nextcloud";`
			`originUrl = "https://nc.${config.secrets.secrets.global.domains.web}/";`
			`basicSecretFile = config.age.secrets.oauth2-nextcloud.path;`
			`allowInsecureClientDisablePkce = true;`
			`scopeMaps."nextcloud.access" = ["openid" "email" "profile"];`
feat: update immich 2024-03-12 21:59:03 +01:00			`preferShortUsername = true;`
feat: added sso for nextcloud and immich 2024-03-12 20:45:30 +01:00			`};`

			`groups."immich.access" = {`
			`members = ["immich.admins"];`
			`};`
			`# currently not usable`
			`groups."immich.admins" = {`
			`members = ["administrator"];`
			`};`
			`systems.oauth2.immich = {`
			`displayName = "Immich";`
			`originUrl = "https://immich.${config.secrets.secrets.global.domains.web}/";`
			`basicSecretFile = config.age.secrets.oauth2-immich.path;`
			`allowInsecureClientDisablePkce = true;`
			`scopeMaps."immich.access" = ["openid" "email" "profile"];`
feat: update immich 2024-03-12 21:59:03 +01:00			`preferShortUsername = true;`
feat: kanidm provision feat: move gitea to forgejo feat: fix streamdeck 2024-03-12 18:19:52 +01:00			`};`

chore: provision netbird kanidm 2024-05-24 21:23:10 +02:00			`groups."rss.access" = {};`
feat: firefly remote user auth 2024-05-24 22:03:14 +02:00			`groups."firefly.access" = {};`
feat: open-webui host 2024-06-09 20:58:27 +02:00			`groups."ollama.access" = {};`
chore: provision netbird kanidm 2024-05-24 21:23:10 +02:00			`groups."adguardhome.access" = {`
feat: added sso for nextcloud and immich 2024-03-12 20:45:30 +01:00			`};`
feat: oauth2-proxy 2024-03-19 00:46:35 +01:00			`systems.oauth2.oauth2-proxy = {`
			`displayName = "Oauth2-Proxy";`
			`originUrl = "https://oauth2.${config.secrets.secrets.global.domains.web}/";`
			`basicSecretFile = config.age.secrets.oauth2-proxy.path;`
			`scopeMaps."adguardhome.access" = ["openid" "email" "profile"];`
feat: actual module 2024-03-30 20:34:44 +01:00			`scopeMaps."rss.access" = ["openid" "email" "profile"];`
feat: firefly remote user auth 2024-05-24 22:03:14 +02:00			`scopeMaps."firefly.access" = ["openid" "email" "profile"];`
feat: open-webui host 2024-06-09 20:58:27 +02:00			`scopeMaps."ollama.access" = ["openid" "email" "profile"];`
feat: oauth2-proxy 2024-03-19 00:46:35 +01:00			`preferShortUsername = true;`
			`claimMaps.groups = {`
			`joinType = "array";`
			`valuesByGroup."adguardhome.access" = ["adguardhome_access"];`
feat: actual module 2024-03-30 20:34:44 +01:00			`valuesByGroup."rss.access" = ["ttrss_access"];`
feat: firefly remote user auth 2024-05-24 22:03:14 +02:00			`valuesByGroup."firefly.access" = ["firefly_access"];`
feat: open-webui host 2024-06-09 20:58:27 +02:00			`valuesByGroup."ollama.access" = ["ollama_access"];`
feat: oauth2-proxy 2024-03-19 00:46:35 +01:00			`};`
			`};`

chore: provision netbird kanidm 2024-05-24 21:23:10 +02:00			`groups."forgejo.access" = {`
			`members = ["forgejo.admins"];`
			`};`
			`groups."forgejo.admins" = {`
			`members = ["administrator"];`
feat: oauth2-proxy 2024-03-19 00:46:35 +01:00			`};`
feat: kanidm provision feat: move gitea to forgejo feat: fix streamdeck 2024-03-12 18:19:52 +01:00			`systems.oauth2.forgejo = {`
			`displayName = "Forgejo";`
feat: switch git domain 2024-04-13 19:17:41 +02:00			`originUrl = "https://forge.${config.secrets.secrets.global.domains.web}/";`
feat: kanidm provision feat: move gitea to forgejo feat: fix streamdeck 2024-03-12 18:19:52 +01:00			`basicSecretFile = config.age.secrets.oauth2-forgejo.path;`
			`scopeMaps."forgejo.access" = ["openid" "email" "profile"];`
			`allowInsecureClientDisablePkce = true;`
			`preferShortUsername = true;`
			`claimMaps.groups = {`
			`joinType = "array";`
			`valuesByGroup."forgejo.admins" = ["admin"];`
			`};`
			`};`
chore: provision netbird kanidm 2024-05-24 21:23:10 +02:00
			`groups."netbird.access" = {`
			`};`
			`systems.oauth2.netbird = {`
			`public = true;`
			`displayName = "Netbird";`
			`originUrl = "https://netbird.${config.secrets.secrets.global.domains.web}/";`
			`preferShortUsername = true;`
			`enableLocalhostRedirects = true;`
			`enableLegacyCrypto = true;`
			`scopeMaps."netbird.access" = ["openid" "email" "profile"];`
			`};`
feat: kanidm provision feat: move gitea to forgejo feat: fix streamdeck 2024-03-12 18:19:52 +01:00			`};`
feat: switch to kanidm instead 2024-03-05 00:34:50 +01:00			`};`
feat: kanidm provision feat: move gitea to forgejo feat: fix streamdeck 2024-03-12 18:19:52 +01:00			`systemd.services.kanidm.serviceConfig.RestartSec = "60"; # Retry every minute`
feat: switch to kanidm instead 2024-03-05 00:34:50 +01:00			`}`