feat: use kanidm secret provisioning

2025-10-10 14:50:40 +02:00 · 2023-08-27 01:17:11 +02:00 · 2023-08-27 01:17:11 +02:00 · 7c48e51320
commit 7c48e51320
parent 522de920bb
9 changed files with 126 additions and 105 deletions
--- a/README.md
+++ b/README.md
@ -125,95 +125,3 @@ openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \
  -keyout selfcert.key -out selfcert.crt -subj \
  "/CN=example.com" -addext "subjectAltName=DNS:example.com,DNS:sub1.example.com,DNS:sub2.example.com,IP:10.0.0.1"
 ```
-
-
-
-
-
-
-```nix
-{
-  services.kanidm.provision = {
-    persons.myuser = {
-      legalname = "Full Name";
-      mail = "mail@example.com";
-      groups = ["grafana-access" "grafana-server-admins"];
-    };
-
-    groups.grafana-access = {};
-    groups.grafana-server-admins = {};
-    groups.grafana-admins = {};
-    groups.grafana-editors = {};
-
-    systems.oauth2.grafana = {
-      displayName = "Grafana";
-      originUrl = "https://grafana.${personalDomain}";
-      basicSecretFile = pkgs.writeText "bs" "verygoodsecret";
-      scopeMaps = {
-        grafana-access = ["openid" "email" "profile"];
-      };
-      supplementaryScopeMaps = {
-        grafana-server-admins = ["server_admin"];
-        grafana-admins = ["admin"];
-        grafana-editors = ["editor"];
-      };
-    };
-  };
-}
-```
-
-
-
-
-```bash
-# Recover admin account
-kanidmd recover-account admin
-> FrEELN4tfyVbUAfhGeuUyZyaKk8cbpFufuDwyCPhY3xhb3X2
-# Login with recovered root account
-kanidm login --name admin
-# Generate new credentials for idm_admin account
-kanidm service-account credential generate -D admin idm_admin
-> Yk0W24SQGzkLp97DNxxExCcryDLvA7Q2dR0A7ZuaVQevLR6B
-# Generate new oauth2 app for grafana
-kanidm group create grafana-access
-kanidm group create grafana-server-admins
-kanidm group create grafana-admins
-kanidm group create grafana-editors
-kanidm system oauth2 create grafana "Grafana" https://grafana.${personalDomain}
-kanidm system oauth2 update-scope-map grafana grafana-access openid email profile
-kanidm system oauth2 update-sup-scope-map grafana grafana-server-admins server_admin
-kanidm system oauth2 update-sup-scope-map grafana grafana-admins admin
-kanidm system oauth2 update-sup-scope-map grafana grafana-editors editor
-kanidm system oauth2 show-basic-secret grafana
-# Generate new oauth2 app for proxied webapps
-kanidm group create web-sentinel-access
-kanidm group create web-sentinel-adguardhome-access
-kanidm group create web-sentinel-influxdb-access
-kanidm system oauth2 create web-sentinel "Web services" https://oauth2.${personalDomain}
-kanidm system oauth2 update-scope-map web-sentinel web-sentinel-access openid email
-kanidm system oauth2 update-sup-scope-map web-sentinel web-sentinel-adguardhome-access access_adguardhome
-kanidm system oauth2 update-sup-scope-map web-sentinel web-sentinel-influxdb-access access_influxdb
-kanidm system oauth2 show-basic-secret web-sentinel
-# Generate new oauth2 app for forgejo
-kanidm group create forgejo-access
-kanidm group create forgejo-admins
-kanidm system oauth2 create forgejo "Forgejo" https://git.${personalDomain}
-kanidm system oauth2 update-scope-map forgejo forgejo-access openid email profile
-kanidm system oauth2 update-sup-scope-map forgejo forgejo-server-admins server_admin
-kanidm system oauth2 update-sup-scope-map forgejo forgejo-admins admin
-kanidm system oauth2 update-sup-scope-map forgejo forgejo-editors editor
-kanidm system oauth2 show-basic-secret forgejo
-# Add new user
-kanidm login --name idm_admin
-kanidm person create myuser "My User"
-kanidm person update myuser --legalname "Full Name" --mail "myuser@example.com"
-kanidm group add-members grafana-access myuser
-kanidm group add-members grafana-server-admins myuser
-kanidm group add-members web-sentinel-access myuser
-kanidm group add-members web-sentinel-adguardhome-access myuser
-kanidm group add-members web-sentinel-influxdb-access myuser
-```
-
-
-
-