feat: added sso for nextcloud and immich

hosts/elisabeth/secrets/kanidm/generated/oauth2-immich.age

@@ -0,0 +1,15 @@
+age-encryption.org/v1
+-> X25519 xJceUgViCBqvDEuL9rhcHdtPeSjRdeDg04Hhrz1iKz8
+dSFiPPD6zaWiJkhMsL2aPkFVy8v/NyAn1Q2KJOL+25c
+-> piv-p256 XTQkUA AvcXRHmQXBjYQx3EurG+EhXTc83xPJOsc9VgR7HpIRIE
+hKYrBfytAlcjkOaUrMHxKi6RfiEc1DabusUUeCKkGkA
+-> piv-p256 ZFgiIw AmWxQNwB1V7wEt6gaPxhovzGmBvxU/jbLz4bweNZ+pgN
+K2kuUjLe/QHmLi0aUtLjbxFern+6YUafu0N1erumkZs
+-> piv-p256 5vmPtQ AxZayXX4KajI1iucffnIiztqOS1SuX2AK9JR52oXqBaB
+tYXfZBeN6e03T1zV4C/PKg6sZtkuBHwv/BhPq5zI2V4
+-> piv-p256 ZFgiIw A44GoJ78Jtrfjobs1CoLQf7l6SnYlE1sIV43e921L+CY
+vOoJR/lltKGsNEf3yB2+vKWyhGoU05nGY36KRCNb3Vc
+-> {F#.$,-grease R`>Fy
+dBQqcPven/7jp8I9dE8nbDbrOgShoGGa
+--- JXdjA8ZB3CL40Ky5dbuB5rHDxzN8r1YIeb5KUAtMq54
+M¨NwDM‡Æ!a{ÿÎP—§q¶"QÀ$h`­Ïù„[_¡/4Q¿Ê<C2BF>s}‚$»è9äÝ;d'¿:û€<C3BB>zìpÚDóêq²«Œ›&S?uþµR

hosts/elisabeth/secrets/kanidm/generated/oauth2-nextcloud.age

@@ -0,0 +1,15 @@
+age-encryption.org/v1
+-> X25519 YQrSdWZMrnRKnWFjQ9b3U8xAQaLQ+OS0n7qK9te20ho
+1V4//yGlc059mk13YWpn9TdVN7c3qOTmhAow8IIRBv8
+-> piv-p256 XTQkUA A7Iu/7Nrk/msdry7zwgILroy8AVt41t8gdrrHAtJ0ENm
+/FJbisOVGob31q2TEjn0P7666R32bM5OjqVmXG3mSww
+-> piv-p256 ZFgiIw ArftCwCG5+9M4jzBEV5WBBbsuzOrpHnHfzonx0GLpMwe
+pzWwPShRK7aSy9mEzD/OYBAVA4hXSfQQ7sOyGCaIlzw
+-> piv-p256 5vmPtQ AlVL/YD3NkPQbCJHLcPia2htzQjNmW/xGfiFOxPIZmQ7
+5z0dJAD59+51kob06aQ8Vx3FRvxjperN8JqTuGbdTF0
+-> piv-p256 ZFgiIw AzI4tdEGRk6jGLWcZCTJb7tgyoT3ohhhC4WQbCfxLXh0
+GBumQDimSzqtVJbzocPJhOS7VLC31A3CuzGDe7+ce38
+-> 9K-grease >v VTM
+yr9jagkNn/RaKawamEKN75+ZT/OMyohFFsvLOIc8XigSNAl9kXtBbg
+--- OCf8Vg/NnAHvrHUtxLGbzeFDfy3KwIGkUiD2SRdpMtE
+<EFBFBD>…˜Vz?Au8=»j2X# ú6'톜Ѷ|žƒÉo;<3B>—¹œ<C2B9>È¥d™[>ó’@Qè”DC(3¨+>ØÐyïèãX„êcÛ<>e]Ÿ‚b¼õ&

modules/services/immich.nix

@@ -1,6 +1,7 @@
 # Auto-generated using compose2nix v0.1.6.
 {
   pkgs,
+  nodes,
   lib,
   config,
   ...
@@ -70,6 +71,24 @@
         };
         url = "http://${ipImmichMachineLearning}:3003";
       };
+      # XXX: Immich's oauth cannot use PKCE and uses legacy crypto so we need to run:
+      # kanidm system oauth2 warning-insecure-client-disable-pkce immich
+      # kanidm system oauth2 warning-enable-legacy-crypto immich
+      oauth = rec {
+        enabled = true;
+        autoLaunch = false;
+        autoRegister = true;
+        buttonText = "Login with Kanidm";
+
+        mobileOverrideEnabled = true;
+        mobileRedirectUri = "https://${immichDomain}/api/oauth/mobile-redirect";
+
+        clientId = "immich";
+        # clientSecret will be dynamically added in activation script
+        issuerUrl = "https://auth.${config.secrets.secrets.global.domains.web}/oauth2/openid/${clientId}";
+        scope = "openid email profile";
+        storageLabelClaim = "preferred_username";
+      };
       map = {
         enabled = true;
         darkStyle = "";
@@ -134,6 +153,7 @@
       "podman-compose-immich-root.target"
     ];
   };
+  processedConfigFile = "/run/agenix/immich.config.json";
 in {
   age.secrets.resticpasswd = {
     generator.script = "alnum";
@@ -174,6 +194,24 @@ in {
       ];
     };
   };
+
+  # Mirror the original oauth2 secret
+  age.secrets.immich-oauth2-client-secret = {
+    inherit (nodes.elisabeth-kanidm.config.age.secrets.oauth2-immich) rekeyFile;
+    mode = "440";
+    group = "root";
+  };
+
+  system.activationScripts.agenixRooterDerivedSecrets = {
+    # Run after agenix has generated secrets
+    deps = ["agenix"];
+    text = ''
+      immichClientSecret=$(< ${config.age.secrets.immich-oauth2-client-secret.path})
+      ${pkgs.jq}/bin/jq --arg immichClientSecret "$immichClientSecret" '.oauth.clientSecret = $immichClientSecret' ${configFile} > ${processedConfigFile}
+      chmod 444 ${processedConfigFile}
+    '';
+  };
+
   microvm = {
     mem = 1024 * 8;
     vcpu = 12;
@@ -218,7 +256,7 @@ in {
     image = "ghcr.io/immich-app/immich-machine-learning:${version}";
     inherit environment;
     volumes = [
-      "${configFile}:${environment.IMMICH_CONFIG_FILE}:ro"
+      "${processedConfigFile}:${environment.IMMICH_CONFIG_FILE}:ro"
       "${model_folder}:/cache:rw"
     ];
     log-driver = "journald";
@@ -234,7 +272,7 @@ in {
     image = "ghcr.io/immich-app/immich-server:${version}";
     inherit environment;
     volumes = [
-      "${configFile}:${environment.IMMICH_CONFIG_FILE}:ro"
+      "${processedConfigFile}:${environment.IMMICH_CONFIG_FILE}:ro"
       "/etc/localtime:/etc/localtime:ro"
       "${upload_folder}:/usr/src/app/upload:rw"
       "${environment.DB_PASSWORD_FILE}:${environment.DB_PASSWORD_FILE}:ro"
@@ -293,7 +331,7 @@ in {
     image = "ghcr.io/immich-app/immich-server:${version}";
     inherit environment;
     volumes = [
-      "${configFile}:${environment.IMMICH_CONFIG_FILE}:ro"
+      "${processedConfigFile}:${environment.IMMICH_CONFIG_FILE}:ro"
       "/etc/localtime:/etc/localtime:ro"
       "${upload_folder}:/usr/src/app/upload:rw"
       "${environment.DB_PASSWORD_FILE}:${environment.DB_PASSWORD_FILE}:ro"

modules/services/kanidm.nix

@@ -23,6 +23,16 @@ in {
       group = "kanidm";
       mode = "440";
     };
+    oauth2-nextcloud = {
+      generator.script = "alnum";
+      mode = "440";
+      group = "kanidm";
+    };
+    oauth2-immich = {
+      generator.script = "alnum";
+      mode = "440";
+      group = "kanidm";
+    };
     oauth2-forgejo = {
       generator.script = "alnum";
       mode = "440";
@@ -48,23 +58,44 @@ in {
     provision = {
       enable = true;
 
-      persons = {
+      inherit (config.secrets.secrets.local.kanidm) persons;
-        "patrick" = {
+
-          displayName = "Patrick";
+      groups."nextcloud.access" = {
-          mailAddresses = ["patrick@${config.secrets.secrets.global.domains.mail}"];
+        members = ["nextcloud.admins"];
-          groups = ["forgejo.admins"];
       };
-        "test" = {
+      # currently not usable
-          displayName = "test";
+      groups."nextcloud.admins" = {
-          mailAddresses = ["test@${config.secrets.secrets.global.domains.mail}"];
+        members = ["administrator"];
-          groups = ["forgejo.access"];
       };
+      systems.oauth2.nextcloud = {
+        displayName = "nextcloud";
+        originUrl = "https://nc.${config.secrets.secrets.global.domains.web}/";
+        basicSecretFile = config.age.secrets.oauth2-nextcloud.path;
+        allowInsecureClientDisablePkce = true;
+        scopeMaps."nextcloud.access" = ["openid" "email" "profile"];
+      };
+
+      groups."immich.access" = {
+        members = ["immich.admins"];
+      };
+      # currently not usable
+      groups."immich.admins" = {
+        members = ["administrator"];
+      };
+      systems.oauth2.immich = {
+        displayName = "Immich";
+        originUrl = "https://immich.${config.secrets.secrets.global.domains.web}/";
+        basicSecretFile = config.age.secrets.oauth2-immich.path;
+        allowInsecureClientDisablePkce = true;
+        scopeMaps."immich.access" = ["openid" "email" "profile"];
       };
 
       groups."forgejo.access" = {
         members = ["forgejo.admins"];
       };
-      groups."forgejo.admins" = {};
+      groups."forgejo.admins" = {
+        members = ["administrator"];
+      };
       systems.oauth2.forgejo = {
         displayName = "Forgejo";
         originUrl = "https://git.${config.secrets.secrets.global.domains.web}/";

modules/services/nextcloud.nix

@@ -54,7 +54,7 @@ in {
     config.adminpassFile = config.age.secrets.ncpasswd.path; # Kinda ok just remember to instanly change after first setup
     config.adminuser = "admin";
     extraApps = with config.services.nextcloud.package.packages.apps; {
-      inherit contacts calendar tasks notes maps phonetrack;
+      inherit contacts calendar tasks notes maps phonetrack user_oidc;
     };
     maxUploadSize = "4G";
     extraAppsEnable = true;