mirror of
https://github.com/oddlama/nix-config.git
synced 2025-10-10 23:00:39 +02:00
chore: update kanidm module
This commit is contained in:
parent
bec8f5f50f
commit
0ec4a8ebe8
10 changed files with 68 additions and 36 deletions
|
@ -124,9 +124,14 @@ in {
|
||||||
ENABLED_ISSUE_BY_LABEL = true;
|
ENABLED_ISSUE_BY_LABEL = true;
|
||||||
};
|
};
|
||||||
oauth2_client = {
|
oauth2_client = {
|
||||||
ACCOUNT_LINKING = "auto";
|
# Never use auto account linking with this, otherwise users cannot change
|
||||||
|
# their new user name and they could potentially overtake other users accounts
|
||||||
|
# by setting their email address to an existing account.
|
||||||
|
# With "login" linking the user must choose a non-existing username first or login
|
||||||
|
# with the existing account to link.
|
||||||
|
ACCOUNT_LINKING = "login";
|
||||||
|
USERNAME = "nickname";
|
||||||
ENABLE_AUTO_REGISTRATION = true;
|
ENABLE_AUTO_REGISTRATION = true;
|
||||||
OPENID_CONNECT_SCOPES = "email profile";
|
|
||||||
REGISTER_EMAIL_CONFIRM = false;
|
REGISTER_EMAIL_CONFIRM = false;
|
||||||
UPDATE_AVATAR = true;
|
UPDATE_AVATAR = true;
|
||||||
};
|
};
|
||||||
|
@ -161,10 +166,6 @@ in {
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
# XXX: PKCE is currently not supported by gitea/forgejo,
|
|
||||||
# see https://github.com/go-gitea/gitea/issues/21376.
|
|
||||||
# Disable PKCE manually in kanidm for now.
|
|
||||||
# `kanidm system oauth2 warning-insecure-client-disable-pkce forgejo`
|
|
||||||
systemd.services.gitea = {
|
systemd.services.gitea = {
|
||||||
serviceConfig.RestartSec = "600"; # Retry every 10 minutes
|
serviceConfig.RestartSec = "600"; # Retry every 10 minutes
|
||||||
preStart = let
|
preStart = let
|
||||||
|
@ -180,18 +181,26 @@ in {
|
||||||
clientId
|
clientId
|
||||||
"--auto-discover-url"
|
"--auto-discover-url"
|
||||||
"https://${sentinelCfg.networking.providedDomains.kanidm}/oauth2/openid/${clientId}/.well-known/openid-configuration"
|
"https://${sentinelCfg.networking.providedDomains.kanidm}/oauth2/openid/${clientId}/.well-known/openid-configuration"
|
||||||
#"--required-claim-name" "groups"
|
"--scopes"
|
||||||
#"--group-claim-name" "groups"
|
"email"
|
||||||
#"--admin-group" "/forge_admins@${domain}"
|
"--scopes"
|
||||||
|
"profile"
|
||||||
|
"--scopes"
|
||||||
|
"groups"
|
||||||
|
"--group-claim-name"
|
||||||
|
"groups"
|
||||||
|
"--admin-group"
|
||||||
|
"admin"
|
||||||
"--skip-local-2fa"
|
"--skip-local-2fa"
|
||||||
];
|
];
|
||||||
in
|
in
|
||||||
lib.mkAfter ''
|
lib.mkAfter ''
|
||||||
provider_id=$(${exe} admin auth list | ${pkgs.gnugrep}/bin/grep -w '${providerName}' | cut -f1)
|
provider_id=$(${exe} admin auth list | ${pkgs.gnugrep}/bin/grep -w '${providerName}' | cut -f1)
|
||||||
|
SECRET="$(< ${config.age.secrets.forgejo-oauth2-client-secret.path})"
|
||||||
if [[ -z "$provider_id" ]]; then
|
if [[ -z "$provider_id" ]]; then
|
||||||
FORGEJO_ADMIN_OAUTH2_SECRET="$(< ${config.age.secrets.forgejo-oauth2-client-secret.path})" ${exe} admin auth add-oauth ${args}
|
${exe} admin auth add-oauth ${args} --secret "$SECRET"
|
||||||
else
|
else
|
||||||
FORGEJO_ADMIN_OAUTH2_SECRET="$(< ${config.age.secrets.forgejo-oauth2-client-secret.path})" ${exe} admin auth update-oauth --id "$provider_id" ${args}
|
${exe} admin auth update-oauth --id "$provider_id" ${args} --secret "$SECRET"
|
||||||
fi
|
fi
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
|
@ -136,6 +136,7 @@ in {
|
||||||
originUrl = "https://${sentinelCfg.networking.providedDomains.grafana}/";
|
originUrl = "https://${sentinelCfg.networking.providedDomains.grafana}/";
|
||||||
basicSecretFile = config.age.secrets.kanidm-oauth2-grafana.path;
|
basicSecretFile = config.age.secrets.kanidm-oauth2-grafana.path;
|
||||||
scopeMaps."grafana.access" = ["openid" "email" "profile"];
|
scopeMaps."grafana.access" = ["openid" "email" "profile"];
|
||||||
|
# FIXME: use new group claims k thx
|
||||||
supplementaryScopeMaps = {
|
supplementaryScopeMaps = {
|
||||||
"grafana.admins" = ["admin"];
|
"grafana.admins" = ["admin"];
|
||||||
"grafana.editors" = ["editor"];
|
"grafana.editors" = ["editor"];
|
||||||
|
@ -151,8 +152,13 @@ in {
|
||||||
originUrl = "https://${sentinelCfg.networking.providedDomains.forgejo}/";
|
originUrl = "https://${sentinelCfg.networking.providedDomains.forgejo}/";
|
||||||
basicSecretFile = config.age.secrets.kanidm-oauth2-forgejo.path;
|
basicSecretFile = config.age.secrets.kanidm-oauth2-forgejo.path;
|
||||||
scopeMaps."forgejo.access" = ["openid" "email" "profile"];
|
scopeMaps."forgejo.access" = ["openid" "email" "profile"];
|
||||||
supplementaryScopeMaps = {
|
# XXX: PKCE is currently not supported by gitea/forgejo,
|
||||||
"forgejo.admins" = ["admin"];
|
# see https://github.com/go-gitea/gitea/issues/21376.
|
||||||
|
allowInsecureClientDisablePkce = true;
|
||||||
|
preferShortUsername = true;
|
||||||
|
claimMaps.groups = {
|
||||||
|
joinType = "array";
|
||||||
|
valuesByGroup."forgejo.admins" = ["admin"];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -165,9 +171,10 @@ in {
|
||||||
originUrl = "https://oauth2.${personalDomain}/";
|
originUrl = "https://oauth2.${personalDomain}/";
|
||||||
basicSecretFile = config.age.secrets.kanidm-oauth2-web-sentinel.path;
|
basicSecretFile = config.age.secrets.kanidm-oauth2-web-sentinel.path;
|
||||||
scopeMaps."web-sentinel.access" = ["openid" "email"];
|
scopeMaps."web-sentinel.access" = ["openid" "email"];
|
||||||
supplementaryScopeMaps = {
|
claimMaps.groups = {
|
||||||
"web-sentinel.adguardhome" = ["access_adguardhome"];
|
joinType = "array";
|
||||||
"web-sentinel.influxdb" = ["access_influxdb"];
|
valuesByGroup."web-sentinel.adguardhome" = ["access_adguardhome"];
|
||||||
|
valuesByGroup."web-sentinel.influxdb" = ["access_influxdb"];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
|
@ -19,8 +19,10 @@
|
||||||
flip
|
flip
|
||||||
foldl'
|
foldl'
|
||||||
getExe
|
getExe
|
||||||
|
hasInfix
|
||||||
hasPrefix
|
hasPrefix
|
||||||
isStorePath
|
isStorePath
|
||||||
|
last
|
||||||
mapAttrsToList
|
mapAttrsToList
|
||||||
mdDoc
|
mdDoc
|
||||||
mkEnableOption
|
mkEnableOption
|
||||||
|
@ -31,6 +33,7 @@
|
||||||
mkPackageOption
|
mkPackageOption
|
||||||
optional
|
optional
|
||||||
optionalString
|
optionalString
|
||||||
|
splitString
|
||||||
subtractLists
|
subtractLists
|
||||||
types
|
types
|
||||||
unique
|
unique
|
||||||
|
@ -112,6 +115,17 @@
|
||||||
inherit (cfg.provision) groups persons systems;
|
inherit (cfg.provision) groups persons systems;
|
||||||
});
|
});
|
||||||
|
|
||||||
|
serverPort =
|
||||||
|
# ipv6:
|
||||||
|
if hasInfix "]:" cfg.serverSettings.bindaddress
|
||||||
|
then last (splitString "]:" cfg.serverSettings.bindaddress)
|
||||||
|
else
|
||||||
|
# ipv4:
|
||||||
|
if hasInfix "." cfg.serverSettings.bindaddress
|
||||||
|
then last (splitString ":" cfg.serverSettings.bindaddress)
|
||||||
|
# default is 8443
|
||||||
|
else "8443";
|
||||||
|
|
||||||
# Only recover the admin account if a password should explicitly be provisioned
|
# Only recover the admin account if a password should explicitly be provisioned
|
||||||
# for the account. Otherwise it is not needed for provisioning.
|
# for the account. Otherwise it is not needed for provisioning.
|
||||||
maybeRecoverAdmin = optionalString (cfg.provision.adminPasswordFile != null) ''
|
maybeRecoverAdmin = optionalString (cfg.provision.adminPasswordFile != null) ''
|
||||||
|
@ -324,7 +338,8 @@ in {
|
||||||
|
|
||||||
instanceUrl = mkOption {
|
instanceUrl = mkOption {
|
||||||
description = "The instance url to which the provisioning tool should connect.";
|
description = "The instance url to which the provisioning tool should connect.";
|
||||||
default = "https://localhost";
|
default = "https://localhost:${serverPort}";
|
||||||
|
defaultText = ''"https://localhost:<port from serverSettings.bindaddress>"'';
|
||||||
type = types.str;
|
type = types.str;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -335,8 +350,8 @@ in {
|
||||||
dangerous when used with an external URL.
|
dangerous when used with an external URL.
|
||||||
'';
|
'';
|
||||||
type = types.bool;
|
type = types.bool;
|
||||||
default = cfg.provision.instanceUrl == "https://localhost";
|
default = hasPrefix "https://localhost:" cfg.provision.instanceUrl;
|
||||||
defaultText = ''services.kanidm.provision.instanceUrl == "https://localhost"'';
|
defaultText = ''hasPrefix "https://localhost:" cfg.provision.instanceUrl'';
|
||||||
};
|
};
|
||||||
|
|
||||||
adminPasswordFile = mkOption {
|
adminPasswordFile = mkOption {
|
||||||
|
|
|
@ -19,6 +19,7 @@
|
||||||
"${provisionSrc}/patches/${old.version}-recover-account.patch"
|
"${provisionSrc}/patches/${old.version}-recover-account.patch"
|
||||||
];
|
];
|
||||||
passthru.enableSecretProvisioning = true;
|
passthru.enableSecretProvisioning = true;
|
||||||
|
doCheck = false;
|
||||||
});
|
});
|
||||||
kanidm-provision = prev.callPackage ./kanidm-provision.nix {};
|
kanidm-provision = prev.callPackage ./kanidm-provision.nix {};
|
||||||
kanidm-secret-manipulator = prev.callPackage ./kanidm-secret-manipulator.nix {};
|
kanidm-secret-manipulator = prev.callPackage ./kanidm-secret-manipulator.nix {};
|
||||||
|
|
|
@ -1,10 +1,10 @@
|
||||||
age-encryption.org/v1
|
age-encryption.org/v1
|
||||||
-> X25519 6f8QhIEaEPpo4rE7z2+xfSvVuBuNFA88irUfI9zcIE4
|
-> X25519 GPGUXxxB5Cj2S0lIefvZQxCPx+RyLhTekC1DQKhq+AE
|
||||||
GqmGfpdlp+g5AMhXqX9lgDC/N8R7219sAaBi0I9d9Ag
|
XopnX7IBSSqsBaAzffjUI+kuQIwil4HhqnV/FqWYZAU
|
||||||
-> piv-p256 xqSe8Q Ay3ut51NNIlEQMX0khPsv125nhDXOXHmFSgSnTjbVe7n
|
-> piv-p256 xqSe8Q AnXbklxYTgrlCOwXorB5KRXT9UGiCsvUMNtkrvUUvdpJ
|
||||||
6IcjGzTGPgvNZ2Q2HQPa9W7WCPNdIAADA1wRMS8GZC4
|
UEcHDRHS5fpBUJzoeelgtCnqTh/PS5O0jWh8eSRukoE
|
||||||
-> 82t/-grease `y"L Hi< _{M
|
-> iuO-grease xi(!7 {t&2I
|
||||||
SiPWwQNeRqL92N2g63dJ3w3+OZsSge3YoF4IKmw10dXnmThUrwZWmv0s1LlZWFlF
|
bAd8XDG3V+NpXswCjj15/7h+klBqyiNy9gWgNkQPyrN8078Bh5YAHO+6Gl56MN8V
|
||||||
zZpcto0M
|
nJxvrw
|
||||||
--- RZDYu8mV+RbfUwjpVdPpGso9zU1T/Nr/HjJImcK6kiY
|
--- 5jTQCFK/KQKkOfAGUi4AmKy0iwgM69lx6q9+18poSzM
|
||||||
0Ń×&ę{Aĺčc„õ»ţL�,;^ó•ĂU°ŐQpóU&î×}ńüżG‚µ†ÖRkĺ[ˇ»üŇ–ŁŠI…ż=8¤čşĎŬ©ćĂË‘!¦¦
|
»?„y?PUŰÖ,Éđ=sáëČ|CuQlaľe’'[-úÁJ+Ĺž©8‹î§O6cţ,tűîŤfwă¤|\»›=§+śścÇÁCü‰áܧú
|
Binary file not shown.
|
@ -0,0 +1,8 @@
|
||||||
|
age-encryption.org/v1
|
||||||
|
-> ssh-ed25519 QciEZQ QyX7/FtiWgoLvyffHXvVuSKDQi95Kyc3fn0fI2G+7Sw
|
||||||
|
Bi2yLN8V+1tUBHeLAvGeaYXZ3+wInoyrEn9nMOdOU50
|
||||||
|
-> ;-grease Zu Ht`s/,N% xA6=yx#Y 8!&Ju@
|
||||||
|
VBbgI0sdvLsXV81KaSBTf47C7EvRPSOShvtJlbDcjJm9Z08Egb0dhxieCyCkklve
|
||||||
|
KoOrjuy5IpGRhF4
|
||||||
|
--- YuF5oqqskiKa/0uVqHaaOcyAYoQUJsI7YdhCSiE7WUk
|
||||||
|
”bgŮş&ŕÁţË*#R˘¤XжAe˙$qĐÚoŻĹö�uĂO"Š ¤”ÍČ=JÔ_VŇF§Oč˛*śUť<Qę9ČžŢ{şP·¶@
|
|
@ -1,8 +0,0 @@
|
||||||
age-encryption.org/v1
|
|
||||||
-> ssh-ed25519 QciEZQ BdaphQM25KBdkYRt1jz2xqRRTkx0w9B5mEa/wLnrjhw
|
|
||||||
stL5lO8Pn5mZ1e+RV0MM3Z/PKELNsudJXpzOPcw4ZMo
|
|
||||||
-> #'H$k-grease F
|
|
||||||
bjZu5g/zqKw7tfcOcr6A1rjCeZ9Xv5lzcDfyRffobE9hadKMmWXpI9SIvWpMGotj
|
|
||||||
SEjIpghD5Ws
|
|
||||||
--- 9Zk53p5YyRxFy4eGNciZvQDNdWUxQZRG5usva0j/HhU
|
|
||||||
Ör�ni`öhÍeÌïëìòò®C¤ƒ!mƒºqÈ`F%•ñ÷˜ìž¬¿/ERwdsøÛëD ¯ˆ¶+eÎÞZÑÚ5áF£æZ#‡Ÿ Jk :ˆ
|
|
Binary file not shown.
Binary file not shown.
Loading…
Add table
Add a link
Reference in a new issue