{config, ...}: let
  # Base web domain; every public hostname in this module is derived from it.
  webDomain = config.secrets.secrets.global.domains.web;

  # Public hostname of this Kanidm instance; also the OIDC issuer origin.
  kanidmdomain = "auth.${webDomain}";

  # Scopes handed out to every OAuth2/OIDC client declared below.
  oidcScopes = ["openid" "email" "profile"];

  # All OAuth2 client basic secrets are generated identically and are readable
  # only by root and the kanidm group (mode 440 — no write bit at all).
  oauth2ClientSecret = {
    generator.script = "alnum";
    mode = "440";
    group = "kanidm";
  };

  # An *.access group whose sole member is the matching *.admins group, so
  # admins inherit access to that application.
  accessViaAdmins = admins: {members = [admins];};

  # A group whose sole member is the "administrator" person.
  adminOnly = {members = ["administrator"];};
in {
  # Replace the nixpkgs kanidm module with the local one.
  disabledModules = ["services/security/kanidm.nix"];
  imports = [../kanidm.nix];

  wireguard.elisabeth = {
    client.via = "elisabeth";
    # The only allowance for Kanidm's listener (TCP 3000, see bindaddress
    # below) that is visible in this file: the elisabeth node over WireGuard.
    firewallRuleForNode.elisabeth.allowedTCPPorts = [3000];
  };

  environment.persistence."/persist".directories = [
    {
      # Kanidm state directory; owner-only permissions.
      directory = "/var/lib/kanidm";
      user = "kanidm";
      group = "kanidm";
      mode = "0700";
    }
  ];

  age.secrets = {
    # TLS chain and private key that Kanidm serves itself. The key is group
    # readable so the kanidm service user can load it.
    kanidm-cert = {
      rekeyFile = config.node.secretsDir + "/cert.age";
      group = "kanidm";
      mode = "440";
    };
    kanidm-key = {
      rekeyFile = config.node.secretsDir + "/key.age";
      group = "kanidm";
      mode = "440";
    };

    # One client secret per OAuth2 system provisioned below.
    oauth2-nextcloud = oauth2ClientSecret;
    oauth2-immich = oauth2ClientSecret;
    oauth2-paperless = oauth2ClientSecret;
    oauth2-proxy = oauth2ClientSecret;
    oauth2-forgejo = oauth2ClientSecret;
  };

  services.kanidm = {
    enableServer = true;
    serverSettings = {
      domain = kanidmdomain;
      origin = "https://${kanidmdomain}";
      tls_chain = config.age.secrets.kanidm-cert.path;
      tls_key = config.age.secrets.kanidm-key.path;
      # Listens on every interface, and trust_x_forward_for makes Kanidm take
      # the client address from X-Forwarded-For. That is only sound when
      # nothing but the reverse proxy can reach :3000 directly; the WireGuard
      # rule above is the only restriction visible here.
      # NOTE(review): confirm no other path to port 3000 exists.
      bindaddress = "0.0.0.0:3000";
      trust_x_forward_for = true;
    };

    enableClient = true;
    clientSettings = {
      # The local client talks to this very server with full TLS verification.
      uri = config.services.kanidm.serverSettings.origin;
      verify_ca = true;
      verify_hostnames = true;
    };

    provision = {
      enable = true;

      # Person accounts are taken from the node-local secrets.
      inherit (config.secrets.secrets.local.kanidm) persons;

      groups = {
        "paperless.access" = accessViaAdmins "paperless.admins";
        # currently not usable
        "paperless.admins" = adminOnly;

        "nextcloud.access" = accessViaAdmins "nextcloud.admins";
        # currently not usable
        "nextcloud.admins" = adminOnly;

        "immich.access" = accessViaAdmins "immich.admins";
        # currently not usable
        "immich.admins" = adminOnly;

        "forgejo.access" = accessViaAdmins "forgejo.admins";
        "forgejo.admins" = adminOnly;

        # Declared without members here.
        "rss.access" = {};
        "adguardhome.access" = {};
        # Neither of these two is referenced by any scopeMaps in this file.
        "oauth2-proxy.access" = {};
        "netbird.access" = {};
      };

      systems.oauth2 = {
        paperless = {
          displayName = "paperless";
          originUrl = "https://ppl.${webDomain}/";
          basicSecretFile = config.age.secrets.oauth2-paperless.path;
          scopeMaps."paperless.access" = oidcScopes;
          preferShortUsername = true;
        };

        nextcloud = {
          displayName = "nextcloud";
          originUrl = "https://nc.${webDomain}/";
          basicSecretFile = config.age.secrets.oauth2-nextcloud.path;
          # Lets this client skip PKCE, so the authorization-code exchange
          # rests on the client secret alone. Revisit once the client
          # supports PKCE.
          allowInsecureClientDisablePkce = true;
          scopeMaps."nextcloud.access" = oidcScopes;
          preferShortUsername = true;
        };

        immich = {
          displayName = "Immich";
          originUrl = "https://immich.${webDomain}/";
          basicSecretFile = config.age.secrets.oauth2-immich.path;
          # PKCE optional for this client as well; see the nextcloud entry.
          allowInsecureClientDisablePkce = true;
          scopeMaps."immich.access" = oidcScopes;
          preferShortUsername = true;
        };

        oauth2-proxy = {
          displayName = "Oauth2-Proxy";
          originUrl = "https://oauth2.${webDomain}/";
          basicSecretFile = config.age.secrets.oauth2-proxy.path;
          # Two access groups share this client; the groups claim tells the
          # proxy which of them the user belongs to.
          scopeMaps."adguardhome.access" = oidcScopes;
          scopeMaps."rss.access" = oidcScopes;
          preferShortUsername = true;
          claimMaps.groups = {
            joinType = "array";
            valuesByGroup."adguardhome.access" = ["adguardhome_access"];
            valuesByGroup."rss.access" = ["ttrss_access"];
          };
        };

        forgejo = {
          displayName = "Forgejo";
          originUrl = "https://git.${webDomain}/";
          basicSecretFile = config.age.secrets.oauth2-forgejo.path;
          scopeMaps."forgejo.access" = oidcScopes;
          # PKCE optional for this client as well; see the nextcloud entry.
          allowInsecureClientDisablePkce = true;
          preferShortUsername = true;
          # Members of forgejo.admins receive "admin" in the groups claim;
          # how Forgejo acts on that value is configured on the Forgejo side.
          claimMaps.groups = {
            joinType = "array";
            valuesByGroup."forgejo.admins" = ["admin"];
          };
        };
      };
    };
  };

  systemd.services.kanidm.serviceConfig.RestartSec = "60"; # Retry every minute
}