raphael/nixos
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(service/self_host): adding the vault to sso connection

Browse source
This commit is contained in:
Raphael 2026-03-08 18:01:07 +01:00
parent bda0054462
commit 846ccf3475
No known key found for this signature in database
1 changed files with 38 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

40
services/self_host/sso.nix
View file

@ -9,7 +9,7 @@ let
cfg = config.service.selfhost.sso; cfg = config.service.selfhost.sso;
kanidm-admin = config.age.secrets."kanidm-admin".path; kanidm-admin = config.age.secrets."kanidm-admin".path;
kanidm-idmAdmin = config.age.secrets."kanidm-idmAdmin".path; kanidm-idmAdmin = config.age.secrets."kanidm-idmAdmin".path;
kanidmLogo = pkgs.fetchurl { forgejoLogo = pkgs.fetchurl {
url = "https://raw.githubusercontent.com/doc-sheet/forgejo/refs/heads/forgejo/assets/logo.svg"; url = "https://raw.githubusercontent.com/doc-sheet/forgejo/refs/heads/forgejo/assets/logo.svg";
name = "kanidm.svg"; name = "kanidm.svg";
sha256 = "sha256-rP7aZURtHBfF2OYuGLcKZhbvIN+B596T/3kaOxHUvig="; sha256 = "sha256-rP7aZURtHBfF2OYuGLcKZhbvIN+B596T/3kaOxHUvig=";
@ -24,6 +24,11 @@ let
name = "nextcloud.svg"; name = "nextcloud.svg";
sha256 = "sha256-hL51zJkFxUys1CoM8yUxiH8BDw111wh3Qv7eTLm+XYo="; sha256 = "sha256-hL51zJkFxUys1CoM8yUxiH8BDw111wh3Qv7eTLm+XYo=";
}; };
vaultLogo = pkgs.fetchurl {
url = "https://raw.githubusercontent.com/dani-garcia/vaultwarden/ba5519167634ebe1e1f0fc10d610d10d1f405101/resources/vaultwarden-icon.svg";
name = "vault.svg";
sha256 = "sha256-xY/pFVS9puG+Ub0M9WrISrY/eY1Rc+QeceGqHeUVx+8=";
};
in in
{ {
config = lib.mkIf cfg { config = lib.mkIf cfg {
@ -69,6 +74,7 @@ in
"grafana_superadmins" "grafana_superadmins"
"forgejo_admins" "forgejo_admins"
"nextcloud_user" "nextcloud_user"
"vault_admins"
]; ];
}; };
}; };
@ -91,6 +97,12 @@ in
forgejo_users = { forgejo_users = {
present = true; present = true;
}; };
vault_admins = {
present = true;
};
vault_users = {
present = true;
};
nextcloud_user = { nextcloud_user = {
present = true; present = true;
}; };
@ -99,7 +111,7 @@ in
forgejo = { forgejo = {
present = true; present = true;
displayName = "Forjego"; displayName = "Forjego";
imageFile = kanidmLogo; imageFile = forgejoLogo;
originUrl = "https://git.enium.eu"; originUrl = "https://git.enium.eu";
originLanding = "https://git.enium.eu/user/oauth2/Enium/callback"; originLanding = "https://git.enium.eu/user/oauth2/Enium/callback";
basicSecretFile = config.age.secrets.forgejo-oidc-secret.path; basicSecretFile = config.age.secrets.forgejo-oidc-secret.path;
@ -231,6 +243,30 @@ in
}; };
}; };
}; };
vault = {
present = true;
displayName = "Vault";
imageFile = vaultLogo;
originUrl = "https://vault.enium.eu";
originLanding = "https://vault.enium.eu/identity/connect/oidc-signin";
basicSecretFile = config.age.secrets.vault-oidc-secret.path;
public = false;
enableLocalhostRedirects = false;
allowInsecureClientDisablePkce = false;
preferShortUsername = true;
scopeMaps = {
vault_admins = [
"openid"
"profile"
"email"
];
vault_users = [
"openid"
"profile"
"email"
];
};
};
}; };
}; };
}; };