mirror of https://github.com/oddlama/nix-config.git synced 2025-10-10 23:00:39 +02:00

chore: update kanidm module

oddlama 2024-03-12 16:42:36 +01:00
parent bec8f5f50f
commit 0ec4a8ebe8
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
10 changed files with 68 additions and 36 deletions


@ -124,9 +124,14 @@ in {
ENABLED_ISSUE_BY_LABEL = true;
};
oauth2_client = {
ACCOUNT_LINKING = "auto";
# Never use auto account linking with this, otherwise users cannot change
# their new user name and they could potentially overtake other users accounts
# by setting their email address to an existing account.
# With "login" linking the user must choose a non-existing username first or login
# with the existing account to link.
ACCOUNT_LINKING = "login";
USERNAME = "nickname";
ENABLE_AUTO_REGISTRATION = true;
OPENID_CONNECT_SCOPES = "email profile";
REGISTER_EMAIL_CONFIRM = false;
UPDATE_AVATAR = true;
};
@ -161,10 +166,6 @@ in {
};
};
# XXX: PKCE is currently not supported by gitea/forgejo,
# see https://github.com/go-gitea/gitea/issues/21376.
# Disable PKCE manually in kanidm for now.
# `kanidm system oauth2 warning-insecure-client-disable-pkce forgejo`
systemd.services.gitea = {
serviceConfig.RestartSec = "600"; # Retry every 10 minutes
preStart = let
@ -180,18 +181,26 @@ in {
clientId
"--auto-discover-url"
"https://${sentinelCfg.networking.providedDomains.kanidm}/oauth2/openid/${clientId}/.well-known/openid-configuration"
#"--required-claim-name" "groups"
#"--group-claim-name" "groups"
#"--admin-group" "/forge_admins@${domain}"
"--scopes"
"email"
"--scopes"
"profile"
"--scopes"
"groups"
"--group-claim-name"
"groups"
"--admin-group"
"admin"
"--skip-local-2fa"
];
in
lib.mkAfter ''
provider_id=$(${exe} admin auth list | ${pkgs.gnugrep}/bin/grep -w '${providerName}' | cut -f1)
SECRET="$(< ${config.age.secrets.forgejo-oauth2-client-secret.path})"
if [[ -z "$provider_id" ]]; then
FORGEJO_ADMIN_OAUTH2_SECRET="$(< ${config.age.secrets.forgejo-oauth2-client-secret.path})" ${exe} admin auth add-oauth ${args}
${exe} admin auth add-oauth ${args} --secret "$SECRET"
else
FORGEJO_ADMIN_OAUTH2_SECRET="$(< ${config.age.secrets.forgejo-oauth2-client-secret.path})" ${exe} admin auth update-oauth --id "$provider_id" ${args}
${exe} admin auth update-oauth --id "$provider_id" ${args} --secret "$SECRET"
fi
'';
};
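Review bot: The OAuth2 client secret is now passed as `--secret "$SECRET"` to `admin auth add-oauth` and `admin auth update-oauth`, so it sits in the argv of those processes. While they run, it can be read from the process list (`/proc/<pid>/cmdline`) by other local users unless `/proc` is mounted with `hidepid`; the age-encrypted file stays protected, but argv does not. Whether the forgejo CLI can take the secret from a file or the environment is not visible in this hunk, so if it cannot, I would document the exposure above the `SECRET=` line: `# NOTE: --secret goes through argv and is briefly visible in the process list; switch to a file/env input if the CLI offers one`. The `let` binding that builds `args` starts outside this hunk.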


@ -136,6 +136,7 @@ in {
originUrl = "https://${sentinelCfg.networking.providedDomains.grafana}/";
basicSecretFile = config.age.secrets.kanidm-oauth2-grafana.path;
scopeMaps."grafana.access" = ["openid" "email" "profile"];
# FIXME: use new group claims k thx
supplementaryScopeMaps = {
"grafana.admins" = ["admin"];
"grafana.editors" = ["editor"];
@ -151,8 +152,13 @@ in {
originUrl = "https://${sentinelCfg.networking.providedDomains.forgejo}/";
basicSecretFile = config.age.secrets.kanidm-oauth2-forgejo.path;
scopeMaps."forgejo.access" = ["openid" "email" "profile"];
supplementaryScopeMaps = {
"forgejo.admins" = ["admin"];
# XXX: PKCE is currently not supported by gitea/forgejo,
# see https://github.com/go-gitea/gitea/issues/21376.
allowInsecureClientDisablePkce = true;
preferShortUsername = true;
claimMaps.groups = {
joinType = "array";
valuesByGroup."forgejo.admins" = ["admin"];
};
};
@ -165,9 +171,10 @@ in {
originUrl = "https://oauth2.${personalDomain}/";
basicSecretFile = config.age.secrets.kanidm-oauth2-web-sentinel.path;
scopeMaps."web-sentinel.access" = ["openid" "email"];
supplementaryScopeMaps = {
"web-sentinel.adguardhome" = ["access_adguardhome"];
"web-sentinel.influxdb" = ["access_influxdb"];
claimMaps.groups = {
joinType = "array";
valuesByGroup."web-sentinel.adguardhome" = ["access_adguardhome"];
valuesByGroup."web-sentinel.influxdb" = ["access_influxdb"];
};
};
};
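Review bot: The comment above `allowInsecureClientDisablePkce = true;` links the upstream issue but does not say what the setting costs or when it can be removed. With PKCE off, the authorization code is bound to the client only through the secret in `basicSecretFile`. This same client now carries the `groups` claim whose `admin` value the forgejo side passes to `--admin-group`, so an intercepted code is worth more than before. I would extend the comment, e.g. `# TODO: remove once forgejo sends a PKCE code_challenge; until then the client secret is the only protection for the authorization code.` The client definitions these lines belong to start outside the hunks shown.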