jordan/nix-config
1
1
Fork 0
Code Issues 10 Pull Requests Actions Projects 3 Wiki Activity

kanidm: add provisioning
All checks were successful
Check flake / build-amd64-linux (push) Successful in 1m42s
Details

Browse Source
This commit is contained in:
Jordan Holt
2025-09-01 23:06:36 +01:00
parent ef2661db53
commit d43519fc29
15 changed files with 149 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
hosts/common.nix
View File

@@ -16,7 +16,8 @@
age.rekey = { age.rekey = {
masterIdentities = [ ../secrets/yubikey-nix-primary.pub ]; masterIdentities = [ ../secrets/yubikey-nix-primary.pub ];
storageMode = "local"; storageMode = "local";
localStorageDir = ./. + "/secrets/rekeyed/${config.networking.hostName}"; generatedSecretsDir = inputs.self.outPath + "/secrets/generated/${config.networking.hostName}";
localStorageDir = inputs.self.outPath + "/secrets/rekeyed/${config.networking.hostName}";
}; };
nixpkgs = { nixpkgs = {

7
hosts/library/ai.nix
View File

@@ -1,13 +1,12 @@
{ {
inputs,
config, config,
pkgs, pkgs,
... ...
}: }:
{ {
age.secrets."files/services/open-webui/envfile" = { age.secrets.open-webui-envfile = {
file = "${inputs.secrets}/files/services/open-webui/envfile.age"; rekeyFile = ./secrets/open-webui-envfile.age;
}; };
services.open-webui = { services.open-webui = {
@@ -30,7 +29,7 @@
OPENID_PROVIDER_URL = "https://auth.vimium.com/oauth2/openid/${clientId}/.well-known/openid-configuration"; OPENID_PROVIDER_URL = "https://auth.vimium.com/oauth2/openid/${clientId}/.well-known/openid-configuration";
OPENID_REDIRECT_URI = "${publicUrl}/oauth/oidc/callback"; OPENID_REDIRECT_URI = "${publicUrl}/oauth/oidc/callback";
}; };
environmentFile = config.age.secrets."files/services/open-webui/envfile".path; environmentFile = config.age.secrets.open-webui-envfile.path;
}; };
modules.services.borgmatic.directories = [ modules.services.borgmatic.directories = [

10
hosts/library/secrets/open-webui-envfile.age Normal file
View File

@@ -0,0 +1,10 @@
age-encryption.org/v1
-> piv-p256 a1N2XA AqHsJTdBE6LT9QJK7Dek6b3zA/PaqAmma7uRdKHdQQym
KMB+yq8M+eej5pg7MHFBqzYhQhVnrPpTevDVo1RZn5Q
-> m;#M[T-grease > G>`e0C&G OS
ichBG8145Jl9vthZfVHcznJmi+c81HHZfd7UGzdfP7TR1wp9ub6IXiqK9KRe7ga7
N3osvWzwiwCI5oN0NA
--- ILq3bk5+xuZ4CV7J/rQkYBMz5wG2dHzn+G+cvEqUSRw
j
æìXÖ+âÊrýá±jÏüÃZW ¢¡p¶Âñk‡%Ç—xdC5mͧ '[ˆæwÂxáé¸ã#ÃûËO<18>Ì7<C38C>bC'8ÑÖ3÷bñ{_Ç%_êês&„žªÑ¹rrÚÁ¦ž,
5L8yCØOÅ6oîÆÙk}ˆÏ_®Üižm¾u3|Šf 5°Õ5ãêA¾Vê>¢+âúªóE=¹»è«E²ÇaE¿-ÉÔ<>^•»Q¬j…ƒš•7¯6Pì»böàE8*4ß„

2
hosts/vps1/default.nix
View File

@@ -20,6 +20,8 @@
hostPlatform = "x86_64-linux"; hostPlatform = "x86_64-linux";
}; };
age.rekey.hostPubkey = ./ssh_host_ed25519_key.pub;
networking = { networking = {
hostId = "08bf6db3"; hostId = "08bf6db3";
firewall = { firewall = {

77
hosts/vps1/kanidm.nix
View File

@@ -6,14 +6,26 @@
let let
baseDomain = "vimium.com"; baseDomain = "vimium.com";
domain = "auth.${baseDomain}"; domain = "auth.${baseDomain}";
mkRandomSecret = {
generator.script = "alnum";
mode = "440";
group = "kanidm";
};
in in
{ {
age.secrets.kanidm-admin-password = mkRandomSecret;
age.secrets.kanidm-idm-admin-password = mkRandomSecret;
age.secrets.kanidm-oauth2-gitea = mkRandomSecret;
age.secrets.kanidm-oauth2-open-webui = mkRandomSecret;
services.kanidm = services.kanidm =
let let
uri = "https://${domain}"; uri = "https://${domain}";
in in
{ {
package = pkgs.unstable.kanidm; package = pkgs.unstable.kanidmWithSecretProvisioning;
enableClient = true; enableClient = true;
enableServer = true; enableServer = true;
clientSettings = { clientSettings = {
@@ -28,6 +40,69 @@ in
tls_key = "${config.security.acme.certs.${domain}.directory}/key.pem"; tls_key = "${config.security.acme.certs.${domain}.directory}/key.pem";
version = "2"; version = "2";
}; };
provision = {
enable = true;
adminPasswordFile = config.age.secrets.kanidm-admin-password.path;
idmAdminPasswordFile = config.age.secrets.kanidm-idm-admin-password.path;
persons.jordan = {
displayName = "Jordan Holt";
legalName = "Jordan Holt";
mailAddresses = [
"jordan@vimium.com"
];
groups = [
"gitea_admins"
"gitea_users"
"jellyfin_admins"
"jellyfin_users"
"open-webui_admins"
"open-webui_users"
];
};
groups."gitea_admins" = { };
groups."gitea_users" = { };
systems.oauth2.gitea = {
displayName = "Gitea";
originUrl = "https://git.vimium.com/user/oauth2/Vimium/callback";
originLanding = "https://git.vimium.com/";
basicSecretFile = config.age.secrets.kanidm-oauth2-gitea.path;
scopeMaps."gitea_users" = [
"openid"
"email"
"profile"
];
allowInsecureClientDisablePkce = true;
preferShortUsername = true;
claimMaps.groups = {
joinType = "array";
valuesByGroup."gitea_admins" = [ "admin" ];
};
};
groups."jellyfin_admins" = { };
groups."jellyfin_users" = { };
groups."open-webui_admins" = { };
groups."open-webui_users" = { };
systems.oauth2.open-webui = {
displayName = "Open WebUI";
originUrl = "https://chat.ai.vimium.com/oauth/oidc/callback";
originLanding = "https://chat.ai.vimium.com/";
basicSecretFile = config.age.secrets.kanidm-oauth2-open-webui.path;
scopeMaps."open-webui_users" = [
"openid"
"email"
"profile"
];
allowInsecureClientDisablePkce = true;
claimMaps.groups = {
joinType = "array";
valuesByGroup."open-webui_admins" = [ "admin" ];
};
};
};
}; };
# LDAP server binds to tailscale network interface # LDAP server binds to tailscale network interface

1
hosts/vps1/ssh_host_ed25519_key.pub Normal file
View File

@@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII9NBbTqjs709LTRgeBV306s3SI7WuQMbor195QprBFc

7
secrets/generated/vps1/kanidm-admin-password.age Normal file
View File

@@ -0,0 +1,7 @@
age-encryption.org/v1
-> piv-p256 a1N2XA A54fi3eKkgTq6VOnMm2ze+aHVpJ0NNsqT+w7nvYoznbM
t/dRpZzqO/mX7iHLxbvzVxdmTECkRFPA5jmYfZwbMR0
-> O_h4MVE-grease {- v~ 05B3
Clwo0RqQmOGC24XDUIA+4MfDLlWnc3SjR8Kk0Wokqf6R5QFobU4
--- loq7Xutgff/pptwqLMmjVA1uZwtDE1z6wsORzSgY80w
"¯2ÑQœ`D„ $ÐNÑÃ<å<>Ä.•Ò=5ŸÊ8%g†±E¶òl[T˜Iùy

8
secrets/generated/vps1/kanidm-idm-admin-password.age Normal file
View File

@@ -0,0 +1,8 @@
age-encryption.org/v1
-> piv-p256 a1N2XA Aul2Rho3PfWaREBYYJr5FpyV5+eQ18GY5DT1dB9QcAH8
wDHmswR1WRsqCrqRv6imy2oeo+FP3Z1kDpWvr/IzcUY
-> 4-grease x K>#G$!
WbQ2yy2Pkkn0BYBR+y0tPLCFTN6cKEYGEp4B+nagPf42XONM3Q4ewp5UJF25rAiJ
LsUecsY7dvX1n9HAz6uBwMm6Xt4
--- iPJfeOsee5HmeCB5NRHSPIywjhUrjdhsoEx9aTxbrZs
^ɽ$jFP ®ä@¦ÈÆ銿[|Òÿ«N´p2Æåà–|[ðÞI>>‡%f ©ç„Ö§´l¡W!Av`¬ß2‰¨Ù8³jVffÀJÎÛ

9
secrets/generated/vps1/kanidm-oauth2-gitea.age Normal file
View File

@@ -0,0 +1,9 @@
age-encryption.org/v1
-> piv-p256 a1N2XA A5Gj5hu1YQbUrm3IK35oDUHhnohr594lykadF+Smf+LB
grnVZatvY80rTTQR8bZphg/25aa1cKJYUGh+jYGqi7A
-> 0-grease 6#aWp kp fD7ks3KL -)qyQ
FH1L4t8VAxZIOeP6bPJV3qdaBXPXGkuroABtMs7D88WzHduNjBoETZH47zekRDVM
BAGAdcqSHuGyCp7EA4lgttN/vfA+8fAbcit/p98TTiGQbXZ4YYg
--- KB5apFUmA/vu8OLpReNzr2zeDyig5NZ8iBXdy5XDbXM
ƒ€æÔ<EFBFBD>rŧ)NäSð•8óXÒsÏÇçàGÌx<C38C>qÀ%®éν²<C2BD>ˆ¿ëéCoÚ
©S6óÀÜ<EFBFBD>³L\U˜ðÙz<ûHª\ÖaÉ;Q%Ú

8
secrets/generated/vps1/kanidm-oauth2-open-webui.age Normal file
View File

@@ -0,0 +1,8 @@
age-encryption.org/v1
-> piv-p256 a1N2XA Ah6buspw/yLQJuiyWr0t3Phy+U3HhRY2t0SofqISzHmJ
pVYmmBoqXD9l55DUIad9D/0h/vhXmeMauK+xaBpX0cM
-> M)*gn$-grease _b3%6l sH|2-zq P%h
CWIfvXf9R5QvRXzv8wv+vB8nXLk0eTxy/htCUSm2ujjw
--- 1t/2tU8qFo9C2yH3ZtsZIp8ZMNEjrecLh2HkDVnKTx4
Û\ePŽŽ,<2C>üÏtª¨V—xûý“è¤Ke´}üÆÍ\
âÛ÷`<Çÿb;y GÛë‰À

BIN
secrets/rekeyed/library/f46a5bd752fddd8414f6f7e26655fe0f-open-webui-envfile.age Normal file
View File

Binary file not shown.

BIN
secrets/rekeyed/vps1/3c5deb9c71bac734f22226832529aa8c-kanidm-oauth2-gitea.age Normal file
View File

Binary file not shown.

7
secrets/rekeyed/vps1/80ea265ad53ef54ed48c4e1d842774b1-kanidm-admin-password.age Normal file
View File

@@ -0,0 +1,7 @@
age-encryption.org/v1
-> ssh-ed25519 lOyIlA OQXbnkBzK8DL7wJkbHWo/XUlLQHjBEVu1xMzmhB78Xc
vGcN1v+YxXidGs7Z3hvZypklIZVF1/J6DZpx8JId/hw
-> mfI^2]-grease ,
2C8Bs6nnhfatjdqc/Wc
--- tuwRBOHiF0e6lgo4bK4Ui+bjjuTf5uZJgDJnpqf1seU
½J´\gù;ü†èòV ½·qFNq[7ÏålŒ¯ðÅf¢˜°w æã<C3A6>¯•<C2AF>i|RDLóR#œÀ%u-A1š£–âþ=€A†ÿöºW„c

8
secrets/rekeyed/vps1/a8f9724475694d2a470fc175c5a6d38e-kanidm-idm-admin-password.age Normal file
View File

@@ -0,0 +1,8 @@
age-encryption.org/v1
-> ssh-ed25519 lOyIlA XbDvpING9Qe/x3sNWrqn2vqEw2SvgP79ApCrJTTGuiM
cOaoXvYgPH7egMF1MT4gtaMHnoHWgeKeEjkwCoOQf74
-> y''zjcK-grease J y ,CxRN3
2kaqVO6qm24DPq5fhEN+AM+hPvW3VPHKlzuMy8SLeW/3um8bXNmFdxwzfkDoFSf3
viYrDFmlY7+RTFt6JADBs67eYlQblBgZwTo
--- NwBzcAYM5hOyvIsRVLYH8ez6gn8Z3yxmX8Tfz1hETz0
¡g­>ð@ÉýlÖægè[RÙ½„ó™€XvŽÊ9ßµ"<22>ë\ÒhÛºU…y¬ÁÚ4ÜžO¼½ =zˆÃxBé@DzIJÆåO•åÑü«M„ LH<

8
secrets/rekeyed/vps1/d4527fa57d6907c78335cdabd3e84d46-kanidm-oauth2-open-webui.age Normal file
View File

@@ -0,0 +1,8 @@
age-encryption.org/v1
-> ssh-ed25519 lOyIlA VsJu05NEZogLfeKJ8f9PiUH9RZn2RKJ+/FYOTzUOIyY
Zd5ze/ijrlRs948f6fhCR+IN6uXpck6ejMlpyGugOfQ
-> z+o-grease +J< ey N"
uAedOA+JGje0EKhTuQJj+RDh98H6dqryAUe7nC2iF6t7wAT1NHFLWWfRqw3nNtMb
Cb0pH7hECmbW0vygVD67NusZOvleB2RHng
--- KcTuAfeh0NIBLRmtXZFlbsAAmH9Eu2KmswfZzWgaeZ8
íƒ9EœQÞªF¡`iÝÙ´oŠä~éõ/þV<*{°'A~”nÕ ôø'@œKý¿<øxǽ'AJMFN®ûÁ#»$CÜŠ=$ZH¼AØ