feat: add SSO for Nextcloud and Immich

This commit is contained in:
Patrick 2024-03-12 20:45:30 +01:00
parent 37889dbdd3
commit e5f7f605a1
Signed by: patrick
GPG key ID: 451F95EFB8BECD0F
6 changed files with 115 additions and 16 deletions


@ -0,0 +1,15 @@
age-encryption.org/v1
-> X25519 xJceUgViCBqvDEuL9rhcHdtPeSjRdeDg04Hhrz1iKz8
dSFiPPD6zaWiJkhMsL2aPkFVy8v/NyAn1Q2KJOL+25c
-> piv-p256 XTQkUA AvcXRHmQXBjYQx3EurG+EhXTc83xPJOsc9VgR7HpIRIE
hKYrBfytAlcjkOaUrMHxKi6RfiEc1DabusUUeCKkGkA
-> piv-p256 ZFgiIw AmWxQNwB1V7wEt6gaPxhovzGmBvxU/jbLz4bweNZ+pgN
K2kuUjLe/QHmLi0aUtLjbxFern+6YUafu0N1erumkZs
-> piv-p256 5vmPtQ AxZayXX4KajI1iucffnIiztqOS1SuX2AK9JR52oXqBaB
tYXfZBeN6e03T1zV4C/PKg6sZtkuBHwv/BhPq5zI2V4
-> piv-p256 ZFgiIw A44GoJ78Jtrfjobs1CoLQf7l6SnYlE1sIV43e921L+CY
vOoJR/lltKGsNEf3yB2+vKWyhGoU05nGY36KRCNb3Vc
-> {F#.$,-grease R`>Fy
dBQqcPven/7jp8I9dE8nbDbrOgShoGGa
--- JXdjA8ZB3CL40Ky5dbuB5rHDxzN8r1YIeb5KUAtMq54
M¨NwDM‡Æ!a{ÿÎP—§q¶"QÀ$h`­Ïù„ [_¡/4Q¿Ê<C2BF>s}$»è9äÝ;d'¿:û€<C3BB>zìpÚDóêq²«Œ&S?uþµR


@ -0,0 +1,15 @@
age-encryption.org/v1
-> X25519 YQrSdWZMrnRKnWFjQ9b3U8xAQaLQ+OS0n7qK9te20ho
1V4//yGlc059mk13YWpn9TdVN7c3qOTmhAow8IIRBv8
-> piv-p256 XTQkUA A7Iu/7Nrk/msdry7zwgILroy8AVt41t8gdrrHAtJ0ENm
/FJbisOVGob31q2TEjn0P7666R32bM5OjqVmXG3mSww
-> piv-p256 ZFgiIw ArftCwCG5+9M4jzBEV5WBBbsuzOrpHnHfzonx0GLpMwe
pzWwPShRK7aSy9mEzD/OYBAVA4hXSfQQ7sOyGCaIlzw
-> piv-p256 5vmPtQ AlVL/YD3NkPQbCJHLcPia2htzQjNmW/xGfiFOxPIZmQ7
5z0dJAD59+51kob06aQ8Vx3FRvxjperN8JqTuGbdTF0
-> piv-p256 ZFgiIw AzI4tdEGRk6jGLWcZCTJb7tgyoT3ohhhC4WQbCfxLXh0
GBumQDimSzqtVJbzocPJhOS7VLC31A3CuzGDe7+ce38
-> 9K-grease >v VTM
yr9jagkNn/RaKawamEKN75+ZT/OMyohFFsvLOIc8XigSNAl9kXtBbg
--- OCf8Vg/NnAHvrHUtxLGbzeFDfy3KwIGkUiD2SRdpMtE
<EFBFBD>˜Vz?Au8=»j2X# ú6'톜Ѷ|žƒÉo;<3B>—¹œ<C2B9>È¥d™[>ó’@Qè”DC(3¨+>ØÐyïèãX„êcÛ<>e]Ÿb¼õ&

Binary file not shown.


@ -1,6 +1,7 @@
# Auto-generated using compose2nix v0.1.6.
{
pkgs,
nodes,
lib,
config,
...
@ -70,6 +71,24 @@
};
url = "http://${ipImmichMachineLearning}:3003";
};
# XXX: Immich's oauth cannot use PKCE and uses legacy crypto so we need to run:
# kanidm system oauth2 warning-insecure-client-disable-pkce immich
# kanidm system oauth2 warning-enable-legacy-crypto immich
oauth = rec {
enabled = true;
autoLaunch = false;
autoRegister = true;
buttonText = "Login with Kanidm";
mobileOverrideEnabled = true;
mobileRedirectUri = "https://${immichDomain}/api/oauth/mobile-redirect";
clientId = "immich";
# clientSecret will be dynamically added in activation script
issuerUrl = "https://auth.${config.secrets.secrets.global.domains.web}/oauth2/openid/${clientId}";
scope = "openid email profile";
storageLabelClaim = "preferred_username";
};
map = {
enabled = true;
darkStyle = "";
@ -134,6 +153,7 @@
"podman-compose-immich-root.target"
];
};
processedConfigFile = "/run/agenix/immich.config.json";
in {
age.secrets.resticpasswd = {
generator.script = "alnum";
@ -174,6 +194,24 @@ in {
];
};
};
# Mirror the original oauth2 secret
age.secrets.immich-oauth2-client-secret = {
inherit (nodes.elisabeth-kanidm.config.age.secrets.oauth2-immich) rekeyFile;
mode = "440";
group = "root";
};
system.activationScripts.agenixRooterDerivedSecrets = {
# Run after agenix has generated secrets
deps = ["agenix"];
text = ''
immichClientSecret=$(< ${config.age.secrets.immich-oauth2-client-secret.path})
${pkgs.jq}/bin/jq --arg immichClientSecret "$immichClientSecret" '.oauth.clientSecret = $immichClientSecret' ${configFile} > ${processedConfigFile}
chmod 444 ${processedConfigFile}
'';
};
microvm = {
mem = 1024 * 8;
vcpu = 12;
@ -218,7 +256,7 @@ in {
image = "ghcr.io/immich-app/immich-machine-learning:${version}";
inherit environment;
volumes = [
"${configFile}:${environment.IMMICH_CONFIG_FILE}:ro"
"${processedConfigFile}:${environment.IMMICH_CONFIG_FILE}:ro"
"${model_folder}:/cache:rw"
];
log-driver = "journald";
@ -234,7 +272,7 @@ in {
image = "ghcr.io/immich-app/immich-server:${version}";
inherit environment;
volumes = [
"${configFile}:${environment.IMMICH_CONFIG_FILE}:ro"
"${processedConfigFile}:${environment.IMMICH_CONFIG_FILE}:ro"
"/etc/localtime:/etc/localtime:ro"
"${upload_folder}:/usr/src/app/upload:rw"
"${environment.DB_PASSWORD_FILE}:${environment.DB_PASSWORD_FILE}:ro"
@ -293,7 +331,7 @@ in {
image = "ghcr.io/immich-app/immich-server:${version}";
inherit environment;
volumes = [
"${configFile}:${environment.IMMICH_CONFIG_FILE}:ro"
"${processedConfigFile}:${environment.IMMICH_CONFIG_FILE}:ro"
"/etc/localtime:/etc/localtime:ro"
"${upload_folder}:/usr/src/app/upload:rw"
"${environment.DB_PASSWORD_FILE}:${environment.DB_PASSWORD_FILE}:ro"
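Review bot: `chmod 444 ${processedConfigFile}` in the activation script makes the derived config world-readable on the host, even though the source secret it embeds is restricted to `mode = "440"` / `group = "root"` a few lines above, so the OAuth client secret becomes readable by every local account once activation has run. The same secret is also handed to jq on its command line via `--arg`, where other processes on the host can observe it for the duration of the call; reading it inside jq avoids that: `${pkgs.jq}/bin/jq --rawfile s ${config.age.secrets.immich-oauth2-client-secret.path} '.oauth.clientSecret = ($s | rtrimstr("\n"))' ${configFile} > ${processedConfigFile}` followed by `chmod 440 ${processedConfigFile}`, ideally with a restrictive `umask` set before the redirect so the file is never created wider than intended. Whether 440 and root ownership are enough depends on the uid the podman containers use when they mount the file, which is not visible in this diff. The XXX comment in the earlier hunk records two manual `kanidm system oauth2` commands, but the kanidm change in this commit only provisions the PKCE exemption; if the legacy-crypto toggle is really required it is worth provisioning or at least noting in the kanidm file as well, so the two hosts do not drift.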


@ -23,6 +23,16 @@ in {
group = "kanidm";
mode = "440";
};
oauth2-nextcloud = {
generator.script = "alnum";
mode = "440";
group = "kanidm";
};
oauth2-immich = {
generator.script = "alnum";
mode = "440";
group = "kanidm";
};
oauth2-forgejo = {
generator.script = "alnum";
mode = "440";
@ -48,23 +58,44 @@ in {
provision = {
enable = true;
persons = {
"patrick" = {
displayName = "Patrick";
mailAddresses = ["patrick@${config.secrets.secrets.global.domains.mail}"];
groups = ["forgejo.admins"];
inherit (config.secrets.secrets.local.kanidm) persons;
groups."nextcloud.access" = {
members = ["nextcloud.admins"];
};
"test" = {
displayName = "test";
mailAddresses = ["test@${config.secrets.secrets.global.domains.mail}"];
groups = ["forgejo.access"];
# currently not usable
groups."nextcloud.admins" = {
members = ["administrator"];
};
systems.oauth2.nextcloud = {
displayName = "nextcloud";
originUrl = "https://nc.${config.secrets.secrets.global.domains.web}/";
basicSecretFile = config.age.secrets.oauth2-nextcloud.path;
allowInsecureClientDisablePkce = true;
scopeMaps."nextcloud.access" = ["openid" "email" "profile"];
};
groups."immich.access" = {
members = ["immich.admins"];
};
# currently not usable
groups."immich.admins" = {
members = ["administrator"];
};
systems.oauth2.immich = {
displayName = "Immich";
originUrl = "https://immich.${config.secrets.secrets.global.domains.web}/";
basicSecretFile = config.age.secrets.oauth2-immich.path;
allowInsecureClientDisablePkce = true;
scopeMaps."immich.access" = ["openid" "email" "profile"];
};
groups."forgejo.access" = {
members = ["forgejo.admins"];
};
groups."forgejo.admins" = {};
groups."forgejo.admins" = {
members = ["administrator"];
};
systems.oauth2.forgejo = {
displayName = "Forgejo";
originUrl = "https://git.${config.secrets.secrets.global.domains.web}/";
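Review bot: `allowInsecureClientDisablePkce = true` on the new `systems.oauth2.nextcloud` entry carries no justification, unlike the immich client, whose config file has an XXX comment explaining why PKCE is off; if Nextcloud's `user_oidc` app can complete a PKCE flow the flag should be dropped, and otherwise a comment such as `# XXX: user_oidc cannot use PKCE, see <upstream issue placeholder>` should record the reason so it is not kept by habit. The `# currently not usable` comments on `groups."nextcloud.admins"` and `groups."immich.admins"` would help more if they said what is not usable, the admin mapping on the application side or the group itself, since both groups are members of the corresponding `*.access` groups and so presumably still grant login to `administrator`. The enclosing `provision` attribute set continues past the end of the hunk.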


@ -54,7 +54,7 @@ in {
config.adminpassFile = config.age.secrets.ncpasswd.path; # Kinda ok just remember to instanly change after first setup
config.adminuser = "admin";
extraApps = with config.services.nextcloud.package.packages.apps; {
inherit contacts calendar tasks notes maps phonetrack;
inherit contacts calendar tasks notes maps phonetrack user_oidc;
};
maxUploadSize = "4G";
extraAppsEnable = true;
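Review bot: Adding `user_oidc` to `extraApps` only installs the app; nothing in this commit connects it to the `nextcloud` client the kanidm file provisions (issuer, client id, the secret at `config.age.secrets.oauth2-nextcloud.path`), so the provider setup is presumably done by hand afterwards. A comment on the `inherit` line such as `# user_oidc: OIDC provider is configured manually against the kanidm client "nextcloud"` would keep that step from being lost, and it is worth stating there that the app's stored client secret must be updated whenever the kanidm-side secret is regenerated. The enclosing attribute set starts before the hunk.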