chore: some kanidm provisioning prototyping

2025-10-10 14:50:40 +02:00 · 2023-08-19 19:49:35 +02:00 · 2023-08-19 19:49:35 +02:00 · 659ed7c854
commit 659ed7c854
parent 36e9f22602
2 changed files with 79 additions and 2 deletions
--- a/README.md
+++ b/README.md
@ -131,6 +131,23 @@ openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \



+```nix
+{
+  services.kanidm.provision = {
+    persons.myuser = {
+      legalname = "Full Name";
+      mail = "mail@example.com";
+      groups = ["grafana-access" "grafana-server-admins"];
+    };
+
+    groups.grafana-access = {};
+    groups.grafana-server-admins = {};
+
+    systems.oauth2.grafana = {
+    };
+  };
+}
+```



--- a/modules/meta/kanidm.nix
+++ b/modules/meta/kanidm.nix
@ -18,9 +18,69 @@
    ;
 in {
  options.services.kanidm.provision = {
-    enable = mkEnableOption "provisioning of systems, groups and users";
+    enable = mkEnableOption "provisioning of systems (oauth2), groups and users";

-    systems = {
+    persons = mkOption {
+      description = "Provisioning of kanidm persons";
+      default = {};
+      type = types.attrsOf (types.submodule (personSubmod: {
+        options = {
+          present = mkOption {
+            description = "Whether to ensure that this person is present or absent.";
+            type = types.bool;
+            default = true;
+          };
+        };
+      }));
+    };
+
+    groups = mkOption {
+      description = "Provisioning of kanidm groups";
+      default = {};
+      type = types.attrsOf (types.submodule (groupSubmod: {
+        options = {
+          present = mkOption {
+            description = "Whether to ensure that this group is present or absent.";
+            type = types.bool;
+            default = true;
+          };
+        };
+      }));
+    };
+
+    systems.oauth2 = mkOption {
+      description = "Provisioning of oauth2 systems";
+      default = {};
+      type = types.attrsOf (types.submodule (oauth2Submod: {
+        options = {
+          present = mkOption {
+            description = "Whether to ensure that this oauth2 system is present or absent.";
+            type = types.bool;
+            default = true;
+          };
+
+          url =
+            mkOption {
+            };
+
+          basicSecretFile = mkOption {
+            description = "The basic secret to use for this service. If null, the random secret generated by kanidm will not be touched. Do NOT use a path from the nix store here!";
+            type = types.nullOr types.path;
+            example = "/run/secrets/some-oauth2-basic-secret";
+            default = null;
+          };
+
+          scopeMap = mkOption {
+            type = types.listOf types.str;
+            default = [];
+          };
+
+          supScopeMaps = mkOption {
+            type = types.attrsOf types.str;
+            default = {};
+          };
+        };
+      }));
    };
  };