From 8509fb833bb9e813044e8cabbd73bb9b2ab5b493 Mon Sep 17 00:00:00 2001 From: Patrick Date: Fri, 24 May 2024 21:23:10 +0200 Subject: [PATCH] chore: provision netbird kanidm --- config/services/kanidm.nix | 31 +++++++++------- .../elisabeth/secrets/kanidm/secrets.nix.age | Bin 1939 -> 1966 bytes modules/kanidm.nix | 34 ++++++++++++++++++ 3 files changed, 53 insertions(+), 12 deletions(-) diff --git a/config/services/kanidm.nix b/config/services/kanidm.nix index c95621b..6f2fc4b 100644 --- a/config/services/kanidm.nix +++ b/config/services/kanidm.nix @@ -88,9 +88,6 @@ in { preferShortUsername = true; }; - groups."rss.access" = {}; - groups."oauth2-proxy.access" = {}; - groups."nextcloud.access" = { members = ["nextcloud.admins"]; }; @@ -122,16 +119,10 @@ in { scopeMaps."immich.access" = ["openid" "email" "profile"]; preferShortUsername = true; }; - groups."netbird.access" = { - }; - groups."forgejo.access" = { - members = ["forgejo.admins"]; + groups."rss.access" = {}; + groups."adguardhome.access" = { }; - groups."forgejo.admins" = { - members = ["administrator"]; - }; - systems.oauth2.oauth2-proxy = { displayName = "Oauth2-Proxy"; originUrl = "https://oauth2.${config.secrets.secrets.global.domains.web}/"; @@ -146,7 +137,11 @@ in { }; }; - groups."adguardhome.access" = { + groups."forgejo.access" = { + members = ["forgejo.admins"]; + }; + groups."forgejo.admins" = { + members = ["administrator"]; }; systems.oauth2.forgejo = { displayName = "Forgejo"; @@ -160,6 +155,18 @@ in { valuesByGroup."forgejo.admins" = ["admin"]; }; }; + + groups."netbird.access" = { + }; + systems.oauth2.netbird = { + public = true; + displayName = "Netbird"; + originUrl = "https://netbird.${config.secrets.secrets.global.domains.web}/"; + preferShortUsername = true; + enableLocalhostRedirects = true; + enableLegacyCrypto = true; + scopeMaps."netbird.access" = ["openid" "email" "profile"]; + }; }; }; systemd.services.kanidm.serviceConfig.RestartSec = "60"; # Retry every minute 
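Review bot: The new `systems.oauth2.netbird` block turns on two relaxations, `enableLocalhostRedirects = true` and `enableLegacyCrypto = true`, without a comment recording why they are needed, so the next maintainer cannot tell whether they can be switched back off. Both widen what the provider accepts: legacy crypto permits RS256-signed tokens instead of the default algorithm, and localhost redirects accept redirect URIs on localhost, which is reasonable for a native/CLI login flow but is otherwise a loosening of the redirect allow-list. I would add, above `public = true;`, a why-comment such as `# Netbird's native client needs RS256 (legacy crypto) and a localhost redirect; it is a public client, so PKCE is enforced and no secret is provisioned` — the Netbird requirement is presumed from this config, so confirm it against the client's documentation. `groups."netbird.access"` is also created with no members, meaning nobody can reach this client until someone is added; if that is intentional a one-line comment saying so would help.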
diff --git a/hosts/elisabeth/secrets/kanidm/secrets.nix.age b/hosts/elisabeth/secrets/kanidm/secrets.nix.age index c807785c33704cff330ecd1f457776a416634787..6542a28c17eac54cbbc9b62e34f6f601c9137a2c 100644 GIT binary patch delta 1939 zcmZwD`#Tei0>E+fgmy@8=`N;RlGg4wZ}m2t&1`nF`&;I=+5JAVDMOt~IH?qgE>hn2 z?dtLp^`@62bVOdUl8S}5nj9xekvix6c%J9{1)t~pJ>hfRrx0ipMC##mWRz8$qSLW3 zDs*%Tj{r9&Suk|Dm}x*LXpwxX#f%mTqyhlltR!)*IFbrwLa?Lb5@Xm(fj%jnEJx5x zC|Mdrf=Z&oc~NK_EfxUU3DnBcKw20Q1?01t3Jwm4Q=_9{S`C|JBw~qDG?!`B<87)$ z7LkQOS+HUmoljRQlC(Ol5}t?xFi6^PgHg+)mW801PRg-a3Y zQ3f{C#L)Z?CM2fH$Yvl;DHUU7R0u*AuES_7Y?y_LQZn^$tJ+Ei8%#_Xfrm^=lR;HX z22Ko+NTSJ#bPbjljj+J*F=P`RLZd6#I+Z~fhh%g40=q?tWjpQSd zh?qzSN0%Hf!1MTWxip%=Msn!Z6pl<0hiB0t90b&&W&kj9vJ#&}kA&z23}$+gRjh^) z5OMz*O2U~WG6`F$NoOZZ%``T|@P9+VGBbp!hT~)~ix5QwTayhWn}iypf)XuOR9dPM zp;B@!Mw}5MAsGN*o|c`)RK+BcV(IiWIFXH$F(5P*R>G99p_F8!iG_edF*s$S824X{ z77_wV)r%7iVj%WMm0=%{s3pUIW?h;-(h5w7izg8_!;JtT7Ks+{QBn#%6#xQ(fJmFc ztV9TeP)s72n`Rc0+1-=D`swcqBCzuPS*PD`pTS-3UB9vD_k}wthn=yt(Qxsz^Zk$6umFNM zmPXFs%b$N{FI?OwB45RVZrd)b1|z-(b&3X}1(*R;=T^IdqQORhAx>QyN^UY)=QRQLOYgtm%BIkbx7v88_=`yQgmMbTDT zrO+y;RPc1eRnv}THIHGwIae-bWNtfm1s5tkbE`sLT5NN7wHE!Cc!ZYihXm!8VAVT6=rd*fvw$li**6In^&}^2~l3N$B`q%_zN09bzRPgi}!L5w!OWc=7UcMY?_Ix+R zC6Il;d^$2WQqS#M2-;E`Ir?y4NJ<;x)QZU{#4SC4T^0wgPTAZOwl95-h`xGwpsnhDebd56ODbT-+YacK99Ud0lJ;fd z+ij{#(uvy8i`)U5!S{Aae@OvlXfMUBsSTe1&F(5X0&MFbxs0BJ487<&8op_6aACpn z=9kyGWqE;&>2O{7vazw)e2@IB#bY54`gk(8x9WWPj^`5rPiV$UPW$9I(@@?3fp0Azf|AuK7^#*=$omW5I$IsVohNFkSor9kZ&f>QQlEwe>i-`Ya>Cy1) zsSJM6>B={)f7~3p=lNmRs7t?Mp~2s^@|%&Ik@1_zw^TVDc?FEjCiGr@3lD49 zy7Ov~f8}SK^kHjI>4Vz+GwMZc9wYbu!D{nqy5QzMyQyEUpLbS;w%?lWSr_^y^(ocs zQs~@~Q_jIlw&s|_djc4Zv@`#-Y{(I=0%M12-1vjEA#Lly-|!lHaE_y*MW{ue^S$OjbQv8V9*{e9Jpc`KgwV9$)6PD~awrH%@xbXw5t<_hHd9 zcfM%Y0{dLjOs&qF6v&NDd9sNElb=@Jyqu8W>bhs18-c7oKG1&EOgpKgaZ^K|=(-l+ zH;gBadTPM?)rtv`&04hc=(?>xAnoIu(ZL}|&br&~e%8&o4L(bd^&XFOwQz-JH&brA Tv-bw>R<-C$MBbWR8(IGbK=5e# delta 1912 zcmV-;2Z#8s50ej&Ab(L)F=lmQPj*pva9LVTZ&`S6M`AcZPA^bXF?4uuOK?hMD{MtL 
zMnqIna|%{OG)XvVbyqNJW;aWCMRYevHA`(qNL5LAWiN4VX)9teW<@VKT1ZDqSqd#a zAaH4REpRe5HXvA3QEOE}AVG39MmaBUSvXKyZ$oEBHgi>HX@6ErP;)dnWo>S7VNO|V zSy_5Yb3rRsP-hBtQA$x&cu7Gucy?|~SWz}`cT{s)aB56WVR~jyM0s~tXi{idT2@p; zX-Nt#J|J*ub}eu+H8vnxMrUbBcOXGCQ*(1qa#2h%bYWy|b5t@|Olem}b3`~uLsE84 zX;)Nsd1Fdwb}?vTXH!`Ua8yt6>&cy4e~aYA!CPXQHwc0_7aZAeHsV`D{dR(E(YM@mFudNWKgG);76Ryj6xP)I~~Ia6{_ zaY0B5HdAd?HdbgsQBrg-dUb1SR%CQ#Gip#-Xf;tvF;p>4G)*>YXfaJ^c55&SEj}P{ zX?87eGBq|JT1IDSNp~PYGD%QZbYpi-S#VDwdf&!D+RZZ1LbW0$izyIjX>ziq}(} zFOE>nD}u1FFp{2oX`Z+Ujz%@0M>5pY?t1uqkcsTgn^L|G-lPy@=D&_V3eE$2$dZ_U zGyeeHpxLYhhB4170JV^@FSgWTGxh|s@G0ojt9D&~l*CDY{pKhn!b*I%jqm0T8;#5v z+dwO$9Rbv9*h|!7T!CluD3C&VDvB3V>A6c@pP35p=H8Q8r?HSeUBoJXTNJB}Z`g&| zJ@q=ti&s(e$N6sDIq~=6bO|gLUHaA3A{0Ez9vL*qGHaORSRyEi!s)+~iF4NIk&o?& zPlef3cBa$|-oAI(f7))o?}twevl!AR*2!{zE%e!BmZ0WX&=b1@y&+qqP;r>o4z+{B zXg&{v(5mQYwH(01@}4QrBvjL;Vgln7A1b4N(o1J)5wB*ym1Jfc=xX1dL|t1 z1}+)7tn3c33LO1~9_aJyNXwZHY;yP)L+jMkjtMJeg{#XRF8ql{uuLoB8f~oX`8oKbDs`9OqxDr&Eho}Q_JAX`k9G*;*zn6< zqGDnGzz}IuUd<@l-T79Zw-G0QN55wm)TcmLR+)LHDHDJ0&wUUlB4FtCp|m}V6|-W> zYvO4k&|EMy<@ZGa1$yjVY<_gsPTg65>&OB`B^hhnrE>krfKIeC&}xMp*0fkc$=fpl zAFa}Mn-Ftat9SnOD;ME$oFB(fJoXJtP8I+vr2&%BAGX&UrWkTR%C{bPKX<#_Q_J`MWG|Tymtj@)DqbAwET- zn#(0Y2EZFER4yhylE=#y)T7xsK(sQcenm5JVZ~k{Qzc5_N#1KSic>n(YW(qn{|y?S zhXUo_wbB1ukjPd+vrwT!ERu_gQ($51k$Jl@qp(xxUSP`bqVtkDeJBi2hi)uL#sJp| z6<3_A#kFKeeSA$*{VBi$YSrR@z62O7bb-p}Z0fTU_emV+ELb04IC77u|r3}PW5 z8Xj=3VfmJ$I6ef$Z`uyX7b{!QGkimZ)4?LsGoOf0^_J?xC=xT7a>bQIz&(kbNA(P3WHKSFN za+G8P<&BkrLMJAU=IIcB)QZ6i^}z>D^>;~1qSOLyfY{fAJ_T!+-!wmAKO`bKW1b#& zlWNr+{oh8RS-qgZr;guN@K7WY$7#$D%Dx)Fw6o|tJs%G5Pl71KxMw}#o;b$C>NF0o zBGoJ0eK;P!mw$9T-dC?`Cm8md0hi4LCZm%QFgSXniLEz}0K>~W#kREYe=6jLJUmYY y^ZmvE_b<#*Y6UP6h8AG-*;jZhYgbf>GH0y#C2H7|0n~gpKJI{Cgt;vWT_=@unM_dt diff --git a/modules/kanidm.nix b/modules/kanidm.nix index 1d1e767..16d92f9 100644 --- a/modules/kanidm.nix +++ b/modules/kanidm.nix 
@@ -450,6 +450,12 @@ in { options = { present = mkPresentOption "oauth2 resource server"; + public = mkOption { + description = "Whether this is a public client (enforces PKCE, doesn't use a basic secret)"; + type = types.bool; + default = false; + }; + displayName = mkOption { description = "Display name"; type = types.str; @@ -479,10 +485,23 @@ in { default = null; }; + enableLocalhostRedirects = mkOption { + description = "Allow localhost redirects. Only for public clients."; + type = types.bool; + default = false; + }; + + enableLegacyCrypto = mkOption { + description = "Enable legacy crypto on this client. Allows JWT signing algorthms like RS256."; + type = types.bool; + default = false; + }; + allowInsecureClientDisablePkce = mkOption { description = '' Disable PKCE on this oauth2 resource server to work around insecure clients that may not support it. You should request the client to enable PKCE! + Only for non-public clients. ''; type = types.bool; default = false; 
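Review bot: The `enableLegacyCrypto` description misspells `algorthms`, and since the option relaxes the default token signing it should say when enabling it is acceptable, e.g. `description = "Enable legacy crypto on this client. Allows JWT signing algorithms like RS256; only enable for clients that cannot validate the default algorithm.";`. The `enableLocalhostRedirects` and `allowInsecureClientDisablePkce` descriptions say "Only for public/non-public clients" but not that this is enforced; the assertions added later in this patch reject the other case, so the descriptions could state it directly: `Setting this on a non-public client fails an assertion.` and `Public clients always use PKCE; setting this on a public client fails an assertion.`. The enclosing `options` attribute set starts before this hunk.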
@@ -681,6 +700,21 @@ in { assertion = (cfg.provision.enable && cfg.enableServer) -> any (xs: xs != []) (attrValues claimCfg.valuesByGroup); message = "services.kanidm.provision.systems.oauth2.${oauth2}.claimMaps.${claim} does not specify any values for any group"; } + # Public clients cannot define a basic secret + { + assertion = (cfg.provision.enable && cfg.enableServer && oauth2Cfg.public) -> oauth2Cfg.basicSecretFile == null; + message = "services.kanidm.provision.systems.oauth2.${oauth2} is a public client and thus cannot specify a basic secret"; + } + # Public clients cannot disable PKCE + { + assertion = (cfg.provision.enable && cfg.enableServer && oauth2Cfg.public) -> !oauth2Cfg.allowInsecureClientDisablePkce; + message = "services.kanidm.provision.systems.oauth2.${oauth2} is a public client and thus cannot disable PKCE"; + } + # Non-public clients cannot enable localhost redirects + { + assertion = (cfg.provision.enable && cfg.enableServer && !oauth2Cfg.public) -> !oauth2Cfg.enableLocalhostRedirects; + message = "services.kanidm.provision.systems.oauth2.${oauth2} is a non-public client and thus cannot enable localhost redirects"; + } ])) ));