kanidm: add provisioning

2025-09-01 23:06:36 +01:00
parent ef2661db53
commit d43519fc29
15 changed files with 149 additions and 6 deletions
--- a/hosts/common.nix
+++ b/hosts/common.nix
@@ -16,7 +16,8 @@
  age.rekey = {
    masterIdentities = [ ../secrets/yubikey-nix-primary.pub ];
    storageMode = "local";
-    localStorageDir = ./. + "/secrets/rekeyed/${config.networking.hostName}";
+    generatedSecretsDir = inputs.self.outPath + "/secrets/generated/${config.networking.hostName}";
+    localStorageDir = inputs.self.outPath + "/secrets/rekeyed/${config.networking.hostName}";
  };

  nixpkgs = {
--- a/hosts/library/ai.nix
+++ b/hosts/library/ai.nix
@@ -1,13 +1,12 @@
 {
-  inputs,
  config,
  pkgs,
  ...
 }:

 {
-  age.secrets."files/services/open-webui/envfile" = {
-    file = "${inputs.secrets}/files/services/open-webui/envfile.age";
+  age.secrets.open-webui-envfile = {
+    rekeyFile = ./secrets/open-webui-envfile.age;
  };

  services.open-webui = {
@@ -30,7 +29,7 @@
        OPENID_PROVIDER_URL = "https://auth.vimium.com/oauth2/openid/${clientId}/.well-known/openid-configuration";
        OPENID_REDIRECT_URI = "${publicUrl}/oauth/oidc/callback";
      };
-    environmentFile = config.age.secrets."files/services/open-webui/envfile".path;
+    environmentFile = config.age.secrets.open-webui-envfile.path;
  };

  modules.services.borgmatic.directories = [
--- a/hosts/library/secrets/open-webui-envfile.age
+++ b/hosts/library/secrets/open-webui-envfile.age
@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> piv-p256 a1N2XA AqHsJTdBE6LT9QJK7Dek6b3zA/PaqAmma7uRdKHdQQym
+KMB+yq8M+eej5pg7MHFBqzYhQhVnrPpTevDVo1RZn5Q
+-> m;#M[T-grease > G>`e0C&G OS
+ichBG8145Jl9vthZfVHcznJmi+c81HHZfd7UGzdfP7TR1wp9ub6IXiqK9KRe7ga7
+N3osvWzwiwCI5oN0NA
+--- ILq3bk5+xuZ4CV7J/rQkYBMz5wG2dHzn+G+cvEqUSRw
+j
+<EFBFBD><EFBFBD>X<EFBFBD>+<2B><>r<EFBFBD><1E><>j<EFBFBD><6A><EFBFBD>ZW<16><>p<EFBFBD><70><EFBFBD>k<EFBFBD>%ǗxdC5mͧ '[<5B><>w<EFBFBD>x<EFBFBD>雸<EFBFBD>#<23><><EFBFBD>O<18><14>7<EFBFBD>bC'8<><38>3<EFBFBD>b<EFBFBD>{_<>%_<><5F>s&<26><><EFBFBD>ѹrr<72><07><><EFBFBD>,
+5L8<EFBFBD>yC<EFBFBD>O<EFBFBD>6o<EFBFBD><EFBFBD><EFBFBD>k}<7D><17>_<EFBFBD><5F>i<EFBFBD>m<EFBFBD>u3|<7C>f	5<><35>5<EFBFBD><35>A<EFBFBD>V<EFBFBD>><3E>+<2B><><EFBFBD><EFBFBD>E=<3D><><11><>E<EFBFBD><45><EFBFBD>aE<61>-<2D>Ԑ^<5E><>Q<EFBFBD><51>j<EFBFBD><6A><EFBFBD><EFBFBD>7<EFBFBD>6P<36><50>b<EFBFBD><62>E8*4߄
--- a/hosts/vps1/default.nix
+++ b/hosts/vps1/default.nix
@@ -20,6 +20,8 @@
    hostPlatform = "x86_64-linux";
  };

+  age.rekey.hostPubkey = ./ssh_host_ed25519_key.pub;
+
  networking = {
    hostId = "08bf6db3";
    firewall = {
--- a/hosts/vps1/kanidm.nix
+++ b/hosts/vps1/kanidm.nix
@@ -6,14 +6,26 @@
 let
  baseDomain = "vimium.com";
  domain = "auth.${baseDomain}";
+
+  mkRandomSecret = {
+    generator.script = "alnum";
+    mode = "440";
+    group = "kanidm";
+  };
 in
 {
+  age.secrets.kanidm-admin-password = mkRandomSecret;
+  age.secrets.kanidm-idm-admin-password = mkRandomSecret;
+
+  age.secrets.kanidm-oauth2-gitea = mkRandomSecret;
+  age.secrets.kanidm-oauth2-open-webui = mkRandomSecret;
+
  services.kanidm =
    let
      uri = "https://${domain}";
    in
    {
-      package = pkgs.unstable.kanidm;
+      package = pkgs.unstable.kanidmWithSecretProvisioning;
      enableClient = true;
      enableServer = true;
      clientSettings = {
@@ -28,6 +40,69 @@ in
        tls_key = "${config.security.acme.certs.${domain}.directory}/key.pem";
        version = "2";
      };
+      provision = {
+        enable = true;
+        adminPasswordFile = config.age.secrets.kanidm-admin-password.path;
+        idmAdminPasswordFile = config.age.secrets.kanidm-idm-admin-password.path;
+
+        persons.jordan = {
+          displayName = "Jordan Holt";
+          legalName = "Jordan Holt";
+          mailAddresses = [
+            "jordan@vimium.com"
+          ];
+          groups = [
+            "gitea_admins"
+            "gitea_users"
+            "jellyfin_admins"
+            "jellyfin_users"
+            "open-webui_admins"
+            "open-webui_users"
+          ];
+        };
+
+        groups."gitea_admins" = { };
+        groups."gitea_users" = { };
+        systems.oauth2.gitea = {
+          displayName = "Gitea";
+          originUrl = "https://git.vimium.com/user/oauth2/Vimium/callback";
+          originLanding = "https://git.vimium.com/";
+          basicSecretFile = config.age.secrets.kanidm-oauth2-gitea.path;
+          scopeMaps."gitea_users" = [
+            "openid"
+            "email"
+            "profile"
+          ];
+          allowInsecureClientDisablePkce = true;
+          preferShortUsername = true;
+          claimMaps.groups = {
+            joinType = "array";
+            valuesByGroup."gitea_admins" = [ "admin" ];
+          };
+        };
+
+        groups."jellyfin_admins" = { };
+        groups."jellyfin_users" = { };
+
+        groups."open-webui_admins" = { };
+        groups."open-webui_users" = { };
+        systems.oauth2.open-webui = {
+          displayName = "Open WebUI";
+          originUrl = "https://chat.ai.vimium.com/oauth/oidc/callback";
+          originLanding = "https://chat.ai.vimium.com/";
+          basicSecretFile = config.age.secrets.kanidm-oauth2-open-webui.path;
+          scopeMaps."open-webui_users" = [
+            "openid"
+            "email"
+            "profile"
+          ];
+          allowInsecureClientDisablePkce = true;
+          claimMaps.groups = {
+            joinType = "array";
+            valuesByGroup."open-webui_admins" = [ "admin" ];
+          };
+        };
+      };
    };

  # LDAP server binds to tailscale network interface
--- a/hosts/vps1/ssh_host_ed25519_key.pub
+++ b/hosts/vps1/ssh_host_ed25519_key.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII9NBbTqjs709LTRgeBV306s3SI7WuQMbor195QprBFc
				`@@ -0,0 +1 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII9NBbTqjs709LTRgeBV306s3SI7WuQMbor195QprBFc`