patrick/nix-config
1
1
Fork 0
Code Issues Pull requests Projects Wiki Activity
nix-config/config/services/kanidm.nix

252 lines
7.2 KiB
Nix
Raw Blame History

{
globals,
config,
pkgs,
...
}:
{
wireguard.services = {
client.via = "nucnix";
firewallRuleForNode.nucnix-nginx.allowedTCPPorts = [ 3000 ];
};
environment.persistence."/persist".directories = [
{
directory = "/var/lib/kanidm";
user = "kanidm";
group = "kanidm";
mode = "0700";
}
];
age.secrets = {
kanidm-cert = {
rekeyFile = config.node.secretsDir + "/cert.age";
group = "kanidm";
mode = "440";
};
kanidm-key = {
rekeyFile = config.node.secretsDir + "/key.age";
group = "kanidm";
mode = "440";
};
oauth2-nextcloud = {
generator.script = "alnum";
mode = "440";
group = "kanidm";
};
oauth2-immich = {
generator.script = "alnum";
mode = "440";
group = "kanidm";
};
oauth2-paperless = {
generator.script = "alnum";
mode = "440";
group = "kanidm";
};
oauth2-proxy = {
generator.script = "alnum";
mode = "440";
group = "kanidm";
};
oauth2-forgejo = {
generator.script = "alnum";
mode = "440";
group = "kanidm";
};
};
services.kanidm = {
package = pkgs.kanidm.withSecretProvisioning;
enableServer = true;
serverSettings = {
inherit (globals.services.kanidm) domain;
origin = "https://${globals.services.kanidm.domain}";
tls_chain = config.age.secrets.kanidm-cert.path;
tls_key = config.age.secrets.kanidm-key.path;
bindaddress = "0.0.0.0:3000";
trust_x_forward_for = true;
};
enableClient = true;
clientSettings = {
uri = config.services.kanidm.serverSettings.origin;
verify_ca = true;
verify_hostnames = true;
};
provision = {
enable = true;
inherit (config.secrets.secrets.local.kanidm) persons;
groups."paperless.access" = {
members = [ "paperless.admins" ];
};
# currently not usable
groups."paperless.admins" = {
members = [ "administrator" ];
};
systems.oauth2.paperless = {
displayName = "paperless";
originUrl = "https://${globals.services.paperless.domain}/accounts/oidc/kanidm/login/callback/";
originLanding = "https://${globals.services.paperless.domain}/";
basicSecretFile = config.age.secrets.oauth2-paperless.path;
scopeMaps."paperless.access" = [
"openid"
"email"
"profile"
];
preferShortUsername = true;
};
groups."nextcloud.access" = {
members = [ "nextcloud.admins" ];
};
# currently not usable
groups."nextcloud.admins" = {
members = [ "administrator" ];
};
systems.oauth2.nextcloud = {
displayName = "nextcloud";
originUrl = "https://${globals.services.nextcloud.domain}/";
originLanding = "https://${globals.services.nextcloud.domain}/";
basicSecretFile = config.age.secrets.oauth2-nextcloud.path;
allowInsecureClientDisablePkce = true;
scopeMaps."nextcloud.access" = [
"openid"
"email"
"profile"
];
preferShortUsername = true;
};
groups."immich.access" = {
members = [ "immich.admins" ];
};
# currently not usable
groups."immich.admins" = {
members = [ "administrator" ];
};
systems.oauth2.immich = {
displayName = "Immich";
originUrl = [
"https://${globals.services.immich.domain}/auth/login"
"https://${globals.services.immich.domain}/api/oauth/mobile-redirect"
];
originLanding = "https://${globals.services.immich.domain}/";
basicSecretFile = config.age.secrets.oauth2-immich.path;
allowInsecureClientDisablePkce = true;
enableLegacyCrypto = true;
scopeMaps."immich.access" = [
"openid"
"email"
"profile"
];
preferShortUsername = true;
};
groups."rss.access" = { };
groups."firefly.access" = { };
groups."ollama.access" = { };
groups."adguardhome.access" = { };
groups."octoprint.access" = { };
groups."invidious.access" = { };
groups."esphome.access" = { };
systems.oauth2.oauth2-proxy = {
displayName = "Oauth2-Proxy";
originUrl = "https://${globals.services.oauth2-proxy.domain}/oauth2/callback";
originLanding = "https://${globals.services.oauth2-proxy.domain}/";
basicSecretFile = config.age.secrets.oauth2-proxy.path;
scopeMaps."adguardhome.access" = [
"openid"
"email"
"profile"
];
scopeMaps."rss.access" = [
"openid"
"email"
"profile"
];
scopeMaps."firefly.access" = [
"openid"
"email"
"profile"
];
scopeMaps."ollama.access" = [
"openid"
"email"
"profile"
];
scopeMaps."octoprint.access" = [
"openid"
"email"
"profile"
];
scopeMaps."invidious.access" = [
"openid"
"email"
"profile"
];
scopeMaps."esphome.access" = [
"openid"
"email"
"profile"
];
preferShortUsername = true;
claimMaps.groups = {
joinType = "array";
valuesByGroup."adguardhome.access" = [ "adguardhome_access" ];
valuesByGroup."rss.access" = [ "ttrss_access" ];
valuesByGroup."firefly.access" = [ "firefly_access" ];
valuesByGroup."ollama.access" = [ "ollama_access" ];
valuesByGroup."octoprint.access" = [ "octoprint_access" ];
valuesByGroup."invidious.access" = [ "invidious_access" ];
valuesByGroup."esphome.access" = [ "esphome_access" ];
};
};
groups."forgejo.access" = {
members = [ "forgejo.admins" ];
};
groups."forgejo.admins" = {
members = [ "administrator" ];
};
systems.oauth2.forgejo = {
displayName = "Forgejo";
originUrl = "https://${globals.services.forgejo.domain}/user/oauth2/kanidm/callback";
originLanding = "https://${globals.services.forgejo.domain}/";
basicSecretFile = config.age.secrets.oauth2-forgejo.path;
scopeMaps."forgejo.access" = [
"openid"
"email"
"profile"
];
allowInsecureClientDisablePkce = true;
preferShortUsername = true;
claimMaps.groups = {
joinType = "array";
valuesByGroup."forgejo.admins" = [ "admin" ];
};
};
groups."netbird.access" = { };
systems.oauth2.netbird = {
public = true;
displayName = "Netbird";
originUrl = [
"https://${globals.services.netbird.domain}/peers"
"https://${globals.services.netbird.domain}/add-peers"
];
originLanding = "https://${globals.services.netbird.domain}/";
preferShortUsername = true;
enableLocalhostRedirects = true;
enableLegacyCrypto = true;
scopeMaps."netbird.access" = [
"openid"
"email"
"profile"
];
};
};
};
systemd.services.kanidm.serviceConfig.RestartSec = "60"; # Retry every minute
}
Reference in a new issue View git blame Copy permalink