jordan/nix-config
1
1
Fork 0
Code Issues 10 Pull Requests Actions Projects 3 Wiki Activity

kanidm: add provisioning
All checks were successful
Check flake / build-amd64-linux (push) Successful in 1m42s
Details

Browse Source
This commit is contained in:
Jordan Holt
2025-09-01 23:06:36 +01:00
parent ef2661db53
commit d43519fc29
15 changed files with 149 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
hosts/common.nix
View File

@@ -16,7 +16,8 @@
age.rekey = { age.rekey = {
masterIdentities = [ ../secrets/yubikey-nix-primary.pub ]; masterIdentities = [ ../secrets/yubikey-nix-primary.pub ];
storageMode = "local"; storageMode = "local";
localStorageDir = ./. + "/secrets/rekeyed/${config.networking.hostName}"; generatedSecretsDir = inputs.self.outPath + "/secrets/generated/${config.networking.hostName}";
localStorageDir = inputs.self.outPath + "/secrets/rekeyed/${config.networking.hostName}";
}; };
nixpkgs = { nixpkgs = {

7
hosts/library/ai.nix
View File

@@ -1,13 +1,12 @@
{ {
inputs,
config, config,
pkgs, pkgs,
... ...
}: }:
{ {
age.secrets."files/services/open-webui/envfile" = { age.secrets.open-webui-envfile = {
file = "${inputs.secrets}/files/services/open-webui/envfile.age"; rekeyFile = ./secrets/open-webui-envfile.age;
}; };
services.open-webui = { services.open-webui = {
@@ -30,7 +29,7 @@
OPENID_PROVIDER_URL = "https://auth.vimium.com/oauth2/openid/${clientId}/.well-known/openid-configuration"; OPENID_PROVIDER_URL = "https://auth.vimium.com/oauth2/openid/${clientId}/.well-known/openid-configuration";
OPENID_REDIRECT_URI = "${publicUrl}/oauth/oidc/callback"; OPENID_REDIRECT_URI = "${publicUrl}/oauth/oidc/callback";
}; };
environmentFile = config.age.secrets."files/services/open-webui/envfile".path; environmentFile = config.age.secrets.open-webui-envfile.path;
}; };
modules.services.borgmatic.directories = [ modules.services.borgmatic.directories = [

10
hosts/library/secrets/open-webui-envfile.age Normal file
View File

@@ -0,0 +1,10 @@
age-encryption.org/v1
-> piv-p256 a1N2XA AqHsJTdBE6LT9QJK7Dek6b3zA/PaqAmma7uRdKHdQQym
KMB+yq8M+eej5pg7MHFBqzYhQhVnrPpTevDVo1RZn5Q
-> m;#M[T-grease > G>`e0C&G OS
ichBG8145Jl9vthZfVHcznJmi+c81HHZfd7UGzdfP7TR1wp9ub6IXiqK9KRe7ga7
N3osvWzwiwCI5oN0NA
--- ILq3bk5+xuZ4CV7J/rQkYBMz5wG2dHzn+G+cvEqUSRw
j
<EFBFBD><EFBFBD>X<EFBFBD>+<2B><>r<EFBFBD><1E><>j<EFBFBD><6A><EFBFBD>ZW <16><>p<EFBFBD><70><EFBFBD>k<EFBFBD>%ǗxdC5mͧ '[<5B><>w<EFBFBD>x<EFBFBD><EFBFBD>#<23><><EFBFBD>O<18><14>7<EFBFBD>bC'8<><38>3<EFBFBD>b<EFBFBD>{_<>%_<><5F>s&<26><><EFBFBD>ѹrr<72><07><><EFBFBD>,
5L8<EFBFBD>yC<EFBFBD>O<EFBFBD>6o<EFBFBD><EFBFBD><EFBFBD>k}<7D><17>_<EFBFBD><5F>i<EFBFBD>m<EFBFBD>u3|<7C>f 5<><35>5<EFBFBD><35>A<EFBFBD>V<EFBFBD>><3E>+<2B><><EFBFBD><EFBFBD>E=<3D><><11><>E<EFBFBD><45><EFBFBD>aE<61>-<2D>Ԑ^<5E><>Q<EFBFBD><51>j<EFBFBD><6A><EFBFBD><EFBFBD>7<EFBFBD>6P<36><50>b<EFBFBD><62>E8*4߄

2
hosts/vps1/default.nix
View File

@@ -20,6 +20,8 @@
hostPlatform = "x86_64-linux"; hostPlatform = "x86_64-linux";
}; };
age.rekey.hostPubkey = ./ssh_host_ed25519_key.pub;
networking = { networking = {
hostId = "08bf6db3"; hostId = "08bf6db3";
firewall = { firewall = {

77
hosts/vps1/kanidm.nix
View File

@@ -6,14 +6,26 @@
let let
baseDomain = "vimium.com"; baseDomain = "vimium.com";
domain = "auth.${baseDomain}"; domain = "auth.${baseDomain}";
mkRandomSecret = {
generator.script = "alnum";
mode = "440";
group = "kanidm";
};
in in
{ {
age.secrets.kanidm-admin-password = mkRandomSecret;
age.secrets.kanidm-idm-admin-password = mkRandomSecret;
age.secrets.kanidm-oauth2-gitea = mkRandomSecret;
age.secrets.kanidm-oauth2-open-webui = mkRandomSecret;
services.kanidm = services.kanidm =
let let
uri = "https://${domain}"; uri = "https://${domain}";
in in
{ {
package = pkgs.unstable.kanidm; package = pkgs.unstable.kanidmWithSecretProvisioning;
enableClient = true; enableClient = true;
enableServer = true; enableServer = true;
clientSettings = { clientSettings = {
@@ -28,6 +40,69 @@ in
tls_key = "${config.security.acme.certs.${domain}.directory}/key.pem"; tls_key = "${config.security.acme.certs.${domain}.directory}/key.pem";
version = "2"; version = "2";
}; };
provision = {
enable = true;
adminPasswordFile = config.age.secrets.kanidm-admin-password.path;
idmAdminPasswordFile = config.age.secrets.kanidm-idm-admin-password.path;
persons.jordan = {
displayName = "Jordan Holt";
legalName = "Jordan Holt";
mailAddresses = [
"jordan@vimium.com"
];
groups = [
"gitea_admins"
"gitea_users"
"jellyfin_admins"
"jellyfin_users"
"open-webui_admins"
"open-webui_users"
];
};
groups."gitea_admins" = { };
groups."gitea_users" = { };
systems.oauth2.gitea = {
displayName = "Gitea";
originUrl = "https://git.vimium.com/user/oauth2/Vimium/callback";
originLanding = "https://git.vimium.com/";
basicSecretFile = config.age.secrets.kanidm-oauth2-gitea.path;
scopeMaps."gitea_users" = [
"openid"
"email"
"profile"
];
allowInsecureClientDisablePkce = true;
preferShortUsername = true;
claimMaps.groups = {
joinType = "array";
valuesByGroup."gitea_admins" = [ "admin" ];
};
};
groups."jellyfin_admins" = { };
groups."jellyfin_users" = { };
groups."open-webui_admins" = { };
groups."open-webui_users" = { };
systems.oauth2.open-webui = {
displayName = "Open WebUI";
originUrl = "https://chat.ai.vimium.com/oauth/oidc/callback";
originLanding = "https://chat.ai.vimium.com/";
basicSecretFile = config.age.secrets.kanidm-oauth2-open-webui.path;
scopeMaps."open-webui_users" = [
"openid"
"email"
"profile"
];
allowInsecureClientDisablePkce = true;
claimMaps.groups = {
joinType = "array";
valuesByGroup."open-webui_admins" = [ "admin" ];
};
};
};
}; };
# LDAP server binds to tailscale network interface # LDAP server binds to tailscale network interface

1
hosts/vps1/ssh_host_ed25519_key.pub Normal file
View File

@@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII9NBbTqjs709LTRgeBV306s3SI7WuQMbor195QprBFc

7
secrets/generated/vps1/kanidm-admin-password.age Normal file
View File

@@ -0,0 +1,7 @@
age-encryption.org/v1
-> piv-p256 a1N2XA A54fi3eKkgTq6VOnMm2ze+aHVpJ0NNsqT+w7nvYoznbM
t/dRpZzqO/mX7iHLxbvzVxdmTECkRFPA5jmYfZwbMR0
-> O_h4MVE-grease {- v~ 05B3
Clwo0RqQmOGC24XDUIA+4MfDLlWnc3SjR8Kk0Wokqf6R5QFobU4
--- loq7Xutgff/pptwqLMmjVA1uZwtDE1z6wsORzSgY80w
"<22>2<EFBFBD>Q<EFBFBD>`D<> $<24>N<EFBFBD><4E><<3C><><EFBFBD>.<2E><05>=5<><35>8<EFBFBD>%g<><67>E<EFBFBD><45>l[T<>I<>y

8
secrets/generated/vps1/kanidm-idm-admin-password.age Normal file
View File

@@ -0,0 +1,8 @@
age-encryption.org/v1
-> piv-p256 a1N2XA Aul2Rho3PfWaREBYYJr5FpyV5+eQ18GY5DT1dB9QcAH8
wDHmswR1WRsqCrqRv6imy2oeo+FP3Z1kDpWvr/IzcUY
-> 4-grease x K>#G$!
WbQ2yy2Pkkn0BYBR+y0tPLCFTN6cKEYGEp4B+nagPf42XONM3Q4ewp5UJF25rAiJ
LsUecsY7dvX1n9HAz6uBwMm6Xt4
--- iPJfeOsee5HmeCB5NRHSPIywjhUrjdhsoEx9aTxbrZs
^ɽ$jFP <09><>@<40><><EFBFBD>銿[|<7C><04><>N<>p2<11><><EFBFBD><EFBFBD>|[<5B><>I>><3E>%f<><66><EFBFBD><EFBFBD>֧<EFBFBD>l<EFBFBD>W<EFBFBD>!Av`<60><>2<EFBFBD><32><EFBFBD>8<>jVff<>J<1F><>

9
secrets/generated/vps1/kanidm-oauth2-gitea.age Normal file
View File

@@ -0,0 +1,9 @@
age-encryption.org/v1
-> piv-p256 a1N2XA A5Gj5hu1YQbUrm3IK35oDUHhnohr594lykadF+Smf+LB
grnVZatvY80rTTQR8bZphg/25aa1cKJYUGh+jYGqi7A
-> 0-grease 6#aWp kp fD7ks3KL -)qyQ
FH1L4t8VAxZIOeP6bPJV3qdaBXPXGkuroABtMs7D88WzHduNjBoETZH47zekRDVM
BAGAdcqSHuGyCp7EA4lgttN/vfA+8fAbcit/p98TTiGQbXZ4YYg
--- KB5apFUmA/vu8OLpReNzr2zeDyig5NZ8iBXdy5XDbXM
<EFBFBD><EFBFBD><EFBFBD>ԝrŧ)N<>S<EFBFBD><53>8<EFBFBD>X<12>s<><73><EFBFBD><EFBFBD>G<EFBFBD>x<EFBFBD>q<EFBFBD>%<25><><EFBFBD><1B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Co<43>
<EFBFBD>S6<EFBFBD><EFBFBD>ܐ<EFBFBD>L\U<><55><EFBFBD>z<<3C>H<EFBFBD>\<5C>a<EFBFBD>;Q%<25><17>

8
secrets/generated/vps1/kanidm-oauth2-open-webui.age Normal file
View File

@@ -0,0 +1,8 @@
age-encryption.org/v1
-> piv-p256 a1N2XA Ah6buspw/yLQJuiyWr0t3Phy+U3HhRY2t0SofqISzHmJ
pVYmmBoqXD9l55DUIad9D/0h/vhXmeMauK+xaBpX0cM
-> M)*gn$-grease _b3%6l sH|2-zq P%h
CWIfvXf9R5QvRXzv8wv+vB8nXLk0eTxy/htCUSm2ujjw
--- 1t/2tU8qFo9C2yH3ZtsZIp8ZMNEjrecLh2HkDVnKTx4
<EFBFBD>\eP<65><50>,<2C><><EFBFBD>t<EFBFBD><74>V<EFBFBD>x<EFBFBD><78><EFBFBD><EFBFBD><EFBFBD><EFBFBD>A<>Ke<4B>}<7D><><EFBFBD>\]<5D>
<EFBFBD><EFBFBD><EFBFBD>`<<3C><>b;y G<><47><EFBFBD><EFBFBD>

BIN
secrets/rekeyed/library/f46a5bd752fddd8414f6f7e26655fe0f-open-webui-envfile.age Normal file
View File

Binary file not shown.

BIN
secrets/rekeyed/vps1/3c5deb9c71bac734f22226832529aa8c-kanidm-oauth2-gitea.age Normal file
View File

Binary file not shown.

7
secrets/rekeyed/vps1/80ea265ad53ef54ed48c4e1d842774b1-kanidm-admin-password.age Normal file
View File

@@ -0,0 +1,7 @@
age-encryption.org/v1
-> ssh-ed25519 lOyIlA OQXbnkBzK8DL7wJkbHWo/XUlLQHjBEVu1xMzmhB78Xc
vGcN1v+YxXidGs7Z3hvZypklIZVF1/J6DZpx8JId/hw
-> mfI^2]-grease ,
2C8Bs6nnhfatjdqc/Wc
--- tuwRBOHiF0e6lgo4bK4Ui+bjjuTf5uZJgDJnpqf1seU
<EFBFBD>J<EFBFBD>\g<>;<1B><><EFBFBD><EFBFBD>V <0B><>qFNq[7<><37>l<EFBFBD><6C><EFBFBD><EFBFBD>f<EFBFBD><66><EFBFBD>w <09><EFBFBD><E39DAF>i|RDL<44>R#<23><>%u-A1<41><31>–<><10>=<3D>A<EFBFBD><41><EFBFBD><EFBFBD>W<>c

8
secrets/rekeyed/vps1/a8f9724475694d2a470fc175c5a6d38e-kanidm-idm-admin-password.age Normal file
View File

@@ -0,0 +1,8 @@
age-encryption.org/v1
-> ssh-ed25519 lOyIlA XbDvpING9Qe/x3sNWrqn2vqEw2SvgP79ApCrJTTGuiM
cOaoXvYgPH7egMF1MT4gtaMHnoHWgeKeEjkwCoOQf74
-> y''zjcK-grease J y ,CxRN3
2kaqVO6qm24DPq5fhEN+AM+hPvW3VPHKlzuMy8SLeW/3um8bXNmFdxwzfkDoFSf3
viYrDFmlY7+RTFt6JADBs67eYlQblBgZwTo
--- NwBzcAYM5hOyvIsRVLYH8ez6gn8Z3yxmX8Tfz1hETz0
<EFBFBD>g<EFBFBD>><3E>@<40><><EFBFBD>l<EFBFBD><6C>g<EFBFBD>[<5B><52><D9BD><EFBFBD><EFBFBD>Xv<58><76>9ߵ"<22><>\<5C>hۺU<DBBA>y<EFBFBD><79><EFBFBD><EFBFBD>4ܞO<DC9E><4F> =z<><7A>xB<78>@DzIJ<49><1F><>O<EFBFBD><4F><EFBFBD><EFBFBD><EFBFBD>M<EFBFBD><4D>LH<

8
secrets/rekeyed/vps1/d4527fa57d6907c78335cdabd3e84d46-kanidm-oauth2-open-webui.age Normal file
View File

@@ -0,0 +1,8 @@
age-encryption.org/v1
-> ssh-ed25519 lOyIlA VsJu05NEZogLfeKJ8f9PiUH9RZn2RKJ+/FYOTzUOIyY
Zd5ze/ijrlRs948f6fhCR+IN6uXpck6ejMlpyGugOfQ
-> z+o-grease +J< ey N"
uAedOA+JGje0EKhTuQJj+RDh98H6dqryAUe7nC2iF6t7wAT1NHFLWWfRqw3nNtMb
Cb0pH7hECmbW0vygVD67NusZOvleB2RHng
--- KcTuAfeh0NIBLRmtXZFlbsAAmH9Eu2KmswfZzWgaeZ8
<EFBFBD><EFBFBD>9E<EFBFBD>QުF<EFBFBD>`i<><69><1B>o<EFBFBD><6F>~<7E><08>/<2F>V<*{<7B>'A~<7E>n0<><17> <0B><>'@<40>K<EFBFBD><4B><<3C>xǽ'AJMFN<46><4E><18>#<23>$C܊=$ZH<5A>A<06>