chore: provision netbird kanidm

This commit is contained in:
Patrick 2024-05-24 21:23:10 +02:00
parent 9bb51f4188
commit 8509fb833b
Signed by: patrick
GPG key ID: 451F95EFB8BECD0F
3 changed files with 53 additions and 12 deletions


@ -88,9 +88,6 @@ in {
preferShortUsername = true; preferShortUsername = true;
}; };
groups."rss.access" = {};
groups."oauth2-proxy.access" = {};
groups."nextcloud.access" = { groups."nextcloud.access" = {
members = ["nextcloud.admins"]; members = ["nextcloud.admins"];
}; };
@ -122,16 +119,10 @@ in {
scopeMaps."immich.access" = ["openid" "email" "profile"]; scopeMaps."immich.access" = ["openid" "email" "profile"];
preferShortUsername = true; preferShortUsername = true;
}; };
groups."netbird.access" = {
};
groups."forgejo.access" = { groups."rss.access" = {};
members = ["forgejo.admins"]; groups."adguardhome.access" = {
}; };
groups."forgejo.admins" = {
members = ["administrator"];
};
systems.oauth2.oauth2-proxy = { systems.oauth2.oauth2-proxy = {
displayName = "Oauth2-Proxy"; displayName = "Oauth2-Proxy";
originUrl = "https://oauth2.${config.secrets.secrets.global.domains.web}/"; originUrl = "https://oauth2.${config.secrets.secrets.global.domains.web}/";
@ -146,7 +137,11 @@ in {
}; };
}; };
groups."adguardhome.access" = { groups."forgejo.access" = {
members = ["forgejo.admins"];
};
groups."forgejo.admins" = {
members = ["administrator"];
}; };
systems.oauth2.forgejo = { systems.oauth2.forgejo = {
displayName = "Forgejo"; displayName = "Forgejo";
@ -160,6 +155,18 @@ in {
valuesByGroup."forgejo.admins" = ["admin"]; valuesByGroup."forgejo.admins" = ["admin"];
}; };
}; };
groups."netbird.access" = {
};
systems.oauth2.netbird = {
public = true;
displayName = "Netbird";
originUrl = "https://netbird.${config.secrets.secrets.global.domains.web}/";
preferShortUsername = true;
enableLocalhostRedirects = true;
enableLegacyCrypto = true;
scopeMaps."netbird.access" = ["openid" "email" "profile"];
};
}; };
}; };
systemd.services.kanidm.serviceConfig.RestartSec = "60"; # Retry every minute systemd.services.kanidm.serviceConfig.RestartSec = "60"; # Retry every minute
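Review bot: `enableLegacyCrypto = true` on the new `systems.oauth2.netbird` client in the last hunk is a deliberate weakening (the option's own description says it permits JWT signing algorithms like RS256) and nothing in the hunk records why, so I would put the reason next to the flag, e.g. `# NetBird's OIDC client only accepts RS256-signed tokens — re-check on upgrades and drop once it no longer needs this`, so the flag is not copied onto other clients without thought. `enableLocalhostRedirects = true` deserves the same treatment, since it widens the allowed redirect targets to localhost and is presumably only needed for the NetBird CLI/desktop login flow, which I am inferring from the option name. Separately, `groups."netbird.access"` is declared with no `members`, so the `scopeMaps."netbird.access"` grant reaches nobody until membership is assigned elsewhere — likely intentional, but worth confirming.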


@ -450,6 +450,12 @@ in {
options = { options = {
present = mkPresentOption "oauth2 resource server"; present = mkPresentOption "oauth2 resource server";
public = mkOption {
description = "Whether this is a public client (enforces PKCE, doesn't use a basic secret)";
type = types.bool;
default = false;
};
displayName = mkOption { displayName = mkOption {
description = "Display name"; description = "Display name";
type = types.str; type = types.str;
@ -479,10 +485,23 @@ in {
default = null; default = null;
}; };
enableLocalhostRedirects = mkOption {
description = "Allow localhost redirects. Only for public clients.";
type = types.bool;
default = false;
};
enableLegacyCrypto = mkOption {
description = "Enable legacy crypto on this client. Allows JWT signing algorthms like RS256.";
type = types.bool;
default = false;
};
allowInsecureClientDisablePkce = mkOption { allowInsecureClientDisablePkce = mkOption {
description = '' description = ''
Disable PKCE on this oauth2 resource server to work around insecure clients Disable PKCE on this oauth2 resource server to work around insecure clients
that may not support it. You should request the client to enable PKCE! that may not support it. You should request the client to enable PKCE!
Only for non-public clients.
''; '';
type = types.bool; type = types.bool;
default = false; default = false;
@ -681,6 +700,21 @@ in {
assertion = (cfg.provision.enable && cfg.enableServer) -> any (xs: xs != []) (attrValues claimCfg.valuesByGroup); assertion = (cfg.provision.enable && cfg.enableServer) -> any (xs: xs != []) (attrValues claimCfg.valuesByGroup);
message = "services.kanidm.provision.systems.oauth2.${oauth2}.claimMaps.${claim} does not specify any values for any group"; message = "services.kanidm.provision.systems.oauth2.${oauth2}.claimMaps.${claim} does not specify any values for any group";
} }
# Public clients cannot define a basic secret
{
assertion = (cfg.provision.enable && cfg.enableServer && oauth2Cfg.public) -> oauth2Cfg.basicSecretFile == null;
message = "services.kanidm.provision.systems.oauth2.${oauth2} is a public client and thus cannot specify a basic secret";
}
# Public clients cannot disable PKCE
{
assertion = (cfg.provision.enable && cfg.enableServer && oauth2Cfg.public) -> !oauth2Cfg.allowInsecureClientDisablePkce;
message = "services.kanidm.provision.systems.oauth2.${oauth2} is a public client and thus cannot disable PKCE";
}
# Non-public clients cannot enable localhost redirects
{
assertion = (cfg.provision.enable && cfg.enableServer && !oauth2Cfg.public) -> !oauth2Cfg.enableLocalhostRedirects;
message = "services.kanidm.provision.systems.oauth2.${oauth2} is a non-public client and thus cannot enable localhost redirects";
}
])) ]))
)); ));
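Review bot: The description of `enableLegacyCrypto` in the second hunk misspells "algorthms" and, more importantly, does not say when turning it on is acceptable or what it costs; I would write `description = "Enable legacy crypto on this client. Allows JWT signing algorithms like RS256. Only enable for clients that cannot verify tokens signed with Kanidm's default algorithm, and document the reason at the use site."`. Unlike `public`, `enableLocalhostRedirects` and `allowInsecureClientDisablePkce`, this flag gets no assertion or other guard in the last hunk, so setting it by mistake silently weakens a client; adding a `warnings` entry when it is true would at least surface it at evaluation time, assuming the module can emit warnings. The third changed file in the diffstat is not in view, so I cannot confirm that the three new options are actually passed through to the provisioning step; if any of them is declared here but not propagated, `public = true` would provision an ordinary confidential client while the assertions suggest otherwise.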