kanidm: add provisioning
@@ -20,6 +20,8 @@
|
||||
hostPlatform = "x86_64-linux";
|
||||
};
|
||||
|
||||
age.rekey.hostPubkey = ./ssh_host_ed25519_key.pub;
|
||||
|
||||
networking = {
|
||||
hostId = "08bf6db3";
|
||||
firewall = {
|
||||
|
@@ -6,14 +6,26 @@
|
||||
let
|
||||
baseDomain = "vimium.com";
|
||||
domain = "auth.${baseDomain}";
|
||||
|
||||
mkRandomSecret = {
|
||||
generator.script = "alnum";
|
||||
mode = "440";
|
||||
group = "kanidm";
|
||||
};
|
||||
in
|
||||
{
|
||||
age.secrets.kanidm-admin-password = mkRandomSecret;
|
||||
age.secrets.kanidm-idm-admin-password = mkRandomSecret;
|
||||
|
||||
age.secrets.kanidm-oauth2-gitea = mkRandomSecret;
|
||||
age.secrets.kanidm-oauth2-open-webui = mkRandomSecret;
|
||||
|
||||
services.kanidm =
|
||||
let
|
||||
uri = "https://${domain}";
|
||||
in
|
||||
{
|
||||
package = pkgs.unstable.kanidm;
|
||||
package = pkgs.unstable.kanidmWithSecretProvisioning;
|
||||
enableClient = true;
|
||||
enableServer = true;
|
||||
clientSettings = {
|
||||
@@ -28,6 +40,69 @@ in
|
||||
tls_key = "${config.security.acme.certs.${domain}.directory}/key.pem";
|
||||
version = "2";
|
||||
};
|
||||
provision = {
|
||||
enable = true;
|
||||
adminPasswordFile = config.age.secrets.kanidm-admin-password.path;
|
||||
idmAdminPasswordFile = config.age.secrets.kanidm-idm-admin-password.path;
|
||||
|
||||
persons.jordan = {
|
||||
displayName = "Jordan Holt";
|
||||
legalName = "Jordan Holt";
|
||||
mailAddresses = [
|
||||
"jordan@vimium.com"
|
||||
];
|
||||
groups = [
|
||||
"gitea_admins"
|
||||
"gitea_users"
|
||||
"jellyfin_admins"
|
||||
"jellyfin_users"
|
||||
"open-webui_admins"
|
||||
"open-webui_users"
|
||||
];
|
||||
};
|
||||
|
||||
groups."gitea_admins" = { };
|
||||
groups."gitea_users" = { };
|
||||
systems.oauth2.gitea = {
|
||||
displayName = "Gitea";
|
||||
originUrl = "https://git.vimium.com/user/oauth2/Vimium/callback";
|
||||
originLanding = "https://git.vimium.com/";
|
||||
basicSecretFile = config.age.secrets.kanidm-oauth2-gitea.path;
|
||||
scopeMaps."gitea_users" = [
|
||||
"openid"
|
||||
"email"
|
||||
"profile"
|
||||
];
|
||||
allowInsecureClientDisablePkce = true;
|
||||
preferShortUsername = true;
|
||||
claimMaps.groups = {
|
||||
joinType = "array";
|
||||
valuesByGroup."gitea_admins" = [ "admin" ];
|
||||
};
|
||||
};
|
||||
|
||||
groups."jellyfin_admins" = { };
|
||||
groups."jellyfin_users" = { };
|
||||
|
||||
groups."open-webui_admins" = { };
|
||||
groups."open-webui_users" = { };
|
||||
systems.oauth2.open-webui = {
|
||||
displayName = "Open WebUI";
|
||||
originUrl = "https://chat.ai.vimium.com/oauth/oidc/callback";
|
||||
originLanding = "https://chat.ai.vimium.com/";
|
||||
basicSecretFile = config.age.secrets.kanidm-oauth2-open-webui.path;
|
||||
scopeMaps."open-webui_users" = [
|
||||
"openid"
|
||||
"email"
|
||||
"profile"
|
||||
];
|
||||
allowInsecureClientDisablePkce = true;
|
||||
claimMaps.groups = {
|
||||
joinType = "array";
|
||||
valuesByGroup."open-webui_admins" = [ "admin" ];
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
# LDAP server binds to tailscale network interface
|
||||
|
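Review bot: `allowInsecureClientDisablePkce = true;` is set on both new OAuth2 clients (`systems.oauth2.gitea` and `systems.oauth2.open-webui`) with no justification, and the option name itself marks it as a relaxation of the authorization-code flow, since it lets the relying party skip PKCE. If either client can complete the flow with PKCE, the line should be dropped so Kanidm keeps enforcing it for that client; where a client genuinely cannot, keep the line but record why, e.g. `# <client> cannot do PKCE as of <version>; re-check on upgrade`, so the exception is revisited rather than copied into the next client. Separately, the Open WebUI client omits `preferShortUsername = true;` while the Gitea client sets it — if that asymmetry is deliberate, a one-line comment would stop the next reader treating it as a copy-paste slip. The enclosing `services.kanidm` attribute set is opened in the earlier hunk (`@@ -6,14 +6,26 @@`) and continues past the `# LDAP server binds to tailscale network interface` comment, so the remaining server settings are outside this hunk.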
1
hosts/vps1/ssh_host_ed25519_key.pub
Normal file
1
hosts/vps1/ssh_host_ed25519_key.pub
Normal file
@@ -0,0 +1 @@
|
||||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII9NBbTqjs709LTRgeBV306s3SI7WuQMbor195QprBFc
|