patrick/nix-config
1
1
Fork 0
Code Issues Pull requests Projects Wiki Activity

chore: provision netbird kanidm

Browse source
This commit is contained in:
Patrick 2024-05-24 21:23:10 +02:00
parent 9bb51f4188
commit 8509fb833b
Signed by: patrick
GPG key ID: 451F95EFB8BECD0F
3 changed files with 53 additions and 12 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

31
config/services/kanidm.nix
View file

@ -88,9 +88,6 @@ in {
preferShortUsername = true;
};
groups."rss.access" = {};
groups."oauth2-proxy.access" = {};
groups."nextcloud.access" = {
members = ["nextcloud.admins"];
};
@ -122,16 +119,10 @@ in {
scopeMaps."immich.access" = ["openid" "email" "profile"];
preferShortUsername = true;
};
groups."netbird.access" = {
};
groups."forgejo.access" = {
members = ["forgejo.admins"];
groups."rss.access" = {};
groups."adguardhome.access" = {
};
groups."forgejo.admins" = {
members = ["administrator"];
};
systems.oauth2.oauth2-proxy = {
displayName = "Oauth2-Proxy";
originUrl = "https://oauth2.${config.secrets.secrets.global.domains.web}/";
@ -146,7 +137,11 @@ in {
};
};
groups."adguardhome.access" = {
groups."forgejo.access" = {
members = ["forgejo.admins"];
};
groups."forgejo.admins" = {
members = ["administrator"];
};
systems.oauth2.forgejo = {
displayName = "Forgejo";
@ -160,6 +155,18 @@ in {
valuesByGroup."forgejo.admins" = ["admin"];
};
};
groups."netbird.access" = {
};
systems.oauth2.netbird = {
public = true;
displayName = "Netbird";
originUrl = "https://netbird.${config.secrets.secrets.global.domains.web}/";
preferShortUsername = true;
enableLocalhostRedirects = true;
enableLegacyCrypto = true;
scopeMaps."netbird.access" = ["openid" "email" "profile"];
};
};
};
systemd.services.kanidm.serviceConfig.RestartSec = "60"; # Retry every minute

BIN
hosts/elisabeth/secrets/kanidm/secrets.nix.age
View file

Binary file not shown.

34
modules/kanidm.nix
View file

@ -450,6 +450,12 @@ in {
options = {
present = mkPresentOption "oauth2 resource server";
public = mkOption {
description = "Whether this is a public client (enforces PKCE, doesn't use a basic secret)";
type = types.bool;
default = false;
};
displayName = mkOption {
description = "Display name";
type = types.str;
@ -479,10 +485,23 @@ in {
default = null;
};
enableLocalhostRedirects = mkOption {
description = "Allow localhost redirects. Only for public clients.";
type = types.bool;
default = false;
};
enableLegacyCrypto = mkOption {
description = "Enable legacy crypto on this client. Allows JWT signing algorthms like RS256.";
type = types.bool;
default = false;
};
allowInsecureClientDisablePkce = mkOption {
description = ''
Disable PKCE on this oauth2 resource server to work around insecure clients
that may not support it. You should request the client to enable PKCE!
Only for non-public clients.
'';
type = types.bool;
default = false;
@ -681,6 +700,21 @@ in {
assertion = (cfg.provision.enable && cfg.enableServer) -> any (xs: xs != []) (attrValues claimCfg.valuesByGroup);
message = "services.kanidm.provision.systems.oauth2.${oauth2}.claimMaps.${claim} does not specify any values for any group";
}
# Public clients cannot define a basic secret
{
assertion = (cfg.provision.enable && cfg.enableServer && oauth2Cfg.public) -> oauth2Cfg.basicSecretFile == null;
message = "services.kanidm.provision.systems.oauth2.${oauth2} is a public client and thus cannot specify a basic secret";
}
# Public clients cannot disable PKCE
{
assertion = (cfg.provision.enable && cfg.enableServer && oauth2Cfg.public) -> !oauth2Cfg.allowInsecureClientDisablePkce;
message = "services.kanidm.provision.systems.oauth2.${oauth2} is a public client and thus cannot disable PKCE";
}
# Non-public clients cannot enable localhost redirects
{
assertion = (cfg.provision.enable && cfg.enableServer && !oauth2Cfg.public) -> !oauth2Cfg.enableLocalhostRedirects;
message = "services.kanidm.provision.systems.oauth2.${oauth2} is a non-public client and thus cannot enable localhost redirects";
}
]))
));