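{
  config,
  pkgs,
  lib,
  ...
}:

# Kanidm single sign-on for the enium.eu services (Forgejo, Grafana, Nextcloud).
#
# Kanidm itself listens with TLS on loopback only; nginx terminates the public
# TLS for auth.enium.eu and proxies to it. Persons, groups and OAuth2 clients
# are provisioned declaratively from this file, with all secrets (admin
# passwords, per-client basic secrets) supplied by agenix.
let
  # Boolean toggle for this module. The option lives under the custom `service`
  # (singular) namespace, which is defined elsewhere in the configuration.
  cfg = config.service.selfhost.sso;

  # agenix-managed password files for Kanidm's two built-in admin accounts.
  kanidm-admin = config.age.secrets."kanidm-admin".path;
  kanidm-idmAdmin = config.age.secrets."kanidm-idmAdmin".path;

  # Logos shown on the Kanidm app portal / consent screen. fetchurl is a
  # fixed-output derivation, so each file is pinned by its sha256: a changed
  # upstream file fails the build instead of being picked up silently.
  #
  # NOTE(review): this URL points at a branch head (refs/heads/forgejo), so the
  # hash stops matching as soon as upstream touches the file. Pin it to a
  # commit or tag the next time it breaks.
  forgejoLogo = pkgs.fetchurl {
    url = "https://raw.githubusercontent.com/doc-sheet/forgejo/refs/heads/forgejo/assets/logo.svg";
    name = "kanidm.svg";
    sha256 = "sha256-rP7aZURtHBfF2OYuGLcKZhbvIN+B596T/3kaOxHUvig=";
  };

  grafanaLogo = pkgs.fetchurl {
    url = "https://upload.wikimedia.org/wikipedia/commons/a/a1/Grafana_logo.svg";
    name = "grafana.svg";
    sha256 = "sha256-UjE6ArLCa52o3XGUmpqPoakbEOeFi+zfsnATi1FtWmQ=";
  };

  nextcloudLogo = pkgs.fetchurl {
    url = "https://upload.wikimedia.org/wikipedia/commons/6/60/Nextcloud_Logo.svg";
    name = "nextcloud.svg";
    sha256 = "sha256-hL51zJkFxUys1CoM8yUxiH8BDw111wh3Qv7eTLm+XYo=";
  };
in
{
  config = lib.mkIf cfg {
    users = {
      groups.kanidm = { };
      # The nixpkgs kanidm module presumably declares this user itself; the
      # declaration here merges in the extra group membership.
      users.kanidm = {
        isSystemUser = true;
        group = "kanidm";
        # Only there so kanidm can read the group-readable ACME key below. It
        # also grants kanidm everything else the nginx group can reach; a
        # dedicated certificate group shared by the two services would be the
        # tighter choice.
        extraGroups = [ "nginx" ];
      };
    };

    security.acme.certs."auth.enium.eu" = {
      # nginx and kanidm both serve this certificate (kanidm on 127.0.0.1:9000).
      group = "nginx";
      # Kanidm is not known to hot-reload tls_chain/tls_key, so without this it
      # would presumably keep serving the pre-renewal certificate on the backend
      # until its next restart. The ACME module runs try-reload-or-restart on
      # the listed units after renewal; nginx registers its own reload through
      # enableACME on the virtual host below.
      reloadServices = [ "kanidm.service" ];
    };

    services = {
      kanidm = {
        # Variant built with the secret-provisioning feature needed by `provision`.
        package = pkgs.kanidmWithSecretProvisioning_1_8;
        enableServer = true;

        serverSettings = {
          domain = "enium.eu";
          origin = "https://auth.enium.eu";
          # Loopback only; nginx is the sole client (see the virtual host below).
          bindaddress = "127.0.0.1:9000";
          # Same certificate as the public virtual host, readable via the nginx group.
          tls_chain = "/var/lib/acme/auth.enium.eu/fullchain.pem";
          tls_key = "/var/lib/acme/auth.enium.eu/key.pem";
          # NOTE(review): nginx forwards X-Real-IP / X-Forwarded-For, but kanidm
          # only uses them once it is told to trust the proxy (the server
          # config's client-address-info setting). Until then audit logs and
          # rate limiting see 127.0.0.1 for every client — confirm the exact
          # option name for the 1.8 release before adding it here.
        };

        enableClient = true;
        # The local CLI reaches the server through the public origin, i.e. via nginx.
        clientSettings.uri = config.services.kanidm.serverSettings.origin;

        provision = {
          enable = true;
          # Entities removed from this file are NOT removed from the server;
          # stale persons, groups and clients must be cleaned up by hand.
          autoRemove = false;
          adminPasswordFile = kanidm-admin;
          idmAdminPasswordFile = kanidm-idmAdmin;

          persons = {
            # Sole human account; holds the top role in both Forgejo and Grafana.
            raphael = {
              displayName = "Raphael";
              legalName = "Raphael Parodi";
              mailAddresses = [ "raphael@enium.eu" ];
              groups = [
                "grafana_superadmins"
                "forgejo_admins"
                "nextcloud_user"
              ];
            };
          };

          # Per-application role groups. Membership decides both who may use a
          # client (scopeMaps) and which role claim it receives (claimMaps).
          groups = {
            grafana_superadmins.present = true;
            grafana_admins.present = true;
            grafana_editors.present = true;
            grafana_users.present = true;
            forgejo_admins.present = true;
            forgejo_users.present = true;
            nextcloud_user.present = true;
          };

          # OAuth2 / OIDC relying parties. All three are confidential clients
          # (public = false) authenticating with an agenix-provided basic secret,
          # and none may redirect to localhost.
          #
          # NOTE(review): originUrl is the allowed redirect target. If Kanidm's
          # strict redirect-URI matching is in effect it expects the exact
          # callback URL here rather than the site origin — confirm against the
          # deployed version.
          systems.oauth2 = {
            forgejo = {
              present = true;
              # Shown on the consent screen; fixed typo ("Forjego").
              displayName = "Forgejo";
              originUrl = "https://git.enium.eu";
              imageFile = forgejoLogo;
              originLanding = "https://git.enium.eu/user/oauth2/Enium/callback";
              basicSecretFile = config.age.secrets.forgejo-oidc-secret.path;
              public = false;
              enableLocalhostRedirects = false;
              # NOTE(review): PKCE is switched off for this client only. Keep it
              # that way solely while the deployed Forgejo cannot do PKCE and
              # set it back to false as soon as it can — without PKCE the code
              # exchange is protected by the client secret alone.
              allowInsecureClientDisablePkce = true;
              preferShortUsername = true;
              scopeMaps = {
                forgejo_admins = [ "email" "openid" "profile" "groups" ];
                forgejo_users = [ "email" "openid" "profile" "groups" ];
              };
              # Emits a `groups` array claim carrying the Kanidm group name, which
              # Forgejo maps to its own admin/user roles.
              claimMaps.groups = {
                joinType = "array";
                valuesByGroup = {
                  forgejo_admins = [ "forgejo_admins" ];
                  forgejo_users = [ "forgejo_users" ];
                };
              };
            };

            grafana = {
              present = true;
              displayName = "Grafana";
              imageFile = grafanaLogo;
              originUrl = "https://monitor.enium.eu";
              originLanding = "https://monitor.enium.eu/login/generic_oauth";
              basicSecretFile = config.age.secrets.grafana-oidc-secret.path;
              public = false;
              enableLocalhostRedirects = false;
              allowInsecureClientDisablePkce = false;
              preferShortUsername = true;
              scopeMaps = {
                grafana_superadmins = [ "email" "openid" "profile" "groups" ];
                grafana_admins = [ "email" "openid" "profile" "groups" ];
                grafana_editors = [ "email" "openid" "profile" "groups" ];
                grafana_users = [ "email" "openid" "profile" "groups" ];
              };
              # Role claim consumed by Grafana's role-attribute mapping.
              claimMaps.groups = {
                joinType = "array";
                valuesByGroup = {
                  grafana_superadmins = [ "grafana_superadmins" ];
                  grafana_admins = [ "grafana_admins" ];
                  grafana_editors = [ "grafana_editors" ];
                  grafana_users = [ "grafana_users" ];
                };
              };
            };

            nextcloud = {
              present = true;
              displayName = "Nextcloud";
              imageFile = nextcloudLogo;
              originUrl = "https://nextcloud.enium.eu";
              originLanding = "https://nextcloud.enium.eu/login";
              basicSecretFile = config.age.secrets.nextcloud-oidc-secret.path;
              public = false;
              enableLocalhostRedirects = false;
              allowInsecureClientDisablePkce = false;
              preferShortUsername = true;
              scopeMaps = {
                nextcloud_user = [ "openid" "profile" "email" ];
              };
              # NOTE(review): claim maps emit the literal strings listed in
              # valuesByGroup for every member of the group (compare the
              # forgejo/grafana maps above). These three maps would therefore
              # present the constant values "mail", "name" and "displayname"
              # under standard OIDC claim names, not the user's own attributes
              # — which the email and profile scopes already supply. If Kanidm
              # emits them and Nextcloud honours them, every user shows up with
              # the same identity. Verify what the token actually contains and
              # drop these maps if they are not doing what was intended.
              claimMaps = {
                email = {
                  joinType = "array";
                  valuesByGroup.nextcloud_user = [ "mail" ];
                };
                preferred_username = {
                  joinType = "array";
                  valuesByGroup.nextcloud_user = [ "name" ];
                };
                name = {
                  joinType = "array";
                  valuesByGroup.nextcloud_user = [ "displayname" ];
                };
              };
            };
          };
        };
      };

      # Public TLS endpoint for Kanidm, proxying to the loopback listener.
      nginx.virtualHosts."auth.enium.eu" = {
        enableACME = true;
        forceSSL = true;
        locations."/" = {
          # Kanidm insists on TLS itself, so this is TLS-to-TLS over loopback.
          proxyPass = "https://127.0.0.1:9000";
          proxyWebsockets = true;
          # proxy_ssl_verify is off because the upstream is loopback, where a
          # network attacker cannot interpose. It is still worth turning on
          # (proxy_ssl_trusted_certificate + proxy_ssl_name auth.enium.eu)
          # once the backend certificate is kept current via reloadServices.
          extraConfig = ''
            proxy_ssl_verify off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
          '';
        };
      };
    };
  };
}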