feat(self_host/sso): now using kanidm (w/ SecretsProvisionning)

Raphael 2025-12-16 15:13:59 +01:00
parent 8f654ef58e
commit 8f6640d2f1
No known key found for this signature in database


@ -8,6 +8,7 @@
let let
cfg = config.service.selfhost.sso; cfg = config.service.selfhost.sso;
kanidm-admin = config.age.secrets."kanidm-admin".path; kanidm-admin = config.age.secrets."kanidm-admin".path;
kanidm-idmAdmin = config.age.secrets."kanidm-idmAdmin".path;
in in
{ {
config = lib.mkIf cfg { config = lib.mkIf cfg {
@ -22,25 +23,7 @@ in
security.acme.certs."auth.enium.eu".group = "nginx"; security.acme.certs."auth.enium.eu".group = "nginx";
services = { services = {
kanidm = { kanidm = {
package = pkgs.kanidm_1_8; package = pkgs.kanidmWithSecretProvisioning_1_8;
provision = {
idmAdminPasswordFile = kanidm-admin;
persons = {
raphael = {
legalName = "Raphael Parodi";
displayName = "Raphael";
mailAddresses = [
"raphael@enium.eu"
];
groups = [
"users"
"idm_admins"
];
};
};
};
enableClient = true;
clientSettings.uri = "https://auth.enium.eu";
enableServer = true; enableServer = true;
serverSettings = { serverSettings = {
role = "WriteReplica"; role = "WriteReplica";
@ -50,6 +33,23 @@ in
tls_chain = "/var/lib/acme/auth.enium.eu/fullchain.pem"; tls_chain = "/var/lib/acme/auth.enium.eu/fullchain.pem";
tls_key = "/var/lib/acme/auth.enium.eu/key.pem"; tls_key = "/var/lib/acme/auth.enium.eu/key.pem";
}; };
enableClient = true;
clientSettings.uri = config.services.kanidm.serverSettings.origin;
provision = {
enable = true;
autoRemove = false;
adminPasswordFile = kanidm-admin;
idmAdminPasswordFile = kanidm-idmAdmin;
persons = {
raphael = {
displayName = "Raphael";
legalName = "Raphael Parodi";
mailAddresses = [
"raphael@enium.eu"
];
};
};
};
}; };
nginx.virtualHosts."auth.enium.eu" = { nginx.virtualHosts."auth.enium.eu" = {
enableACME = true; enableACME = true;
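Review bot: `autoRemove = false` in the new provision block means a person or group later deleted from this file is left behind in kanidm, so offboarding an account needs a manual `kanidm person delete` (or a one-off `autoRemove = true`) rather than a rebuild; a comment such as `# autoRemove = false: removing an entry here does NOT delete it in kanidm` would keep the next maintainer from trusting the declarative state for that. The provisioned `raphael` person now declares no `groups`, whereas the removed block put it in `users` and `idm_admins`; if that account is meant to administer identities, `groups = [ "idm_admins" ];` has to be declared here, otherwise the only privileged logins this config creates are the `admin`/`idm_admin` accounts backed by the two agenix files. Those `age.secrets."kanidm-admin"`/`"kanidm-idmAdmin"` definitions are outside this hunk; with the agenix default of root-only 0400 they are readable only if the provisioning step runs as root, so confirm their owner/mode against how the kanidm module actually invokes provisioning.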
@ -57,7 +57,6 @@ in
locations."/" = { locations."/" = {
proxyPass = "https://127.0.0.1:9000"; proxyPass = "https://127.0.0.1:9000";
proxyWebsockets = true; proxyWebsockets = true;
extraConfig = '' extraConfig = ''
proxy_ssl_verify off; proxy_ssl_verify off;
proxy_set_header Host $host; proxy_set_header Host $host;