feat: use kanidm secret provisioning

2025-10-11 07:10:39 +02:00 · 2023-08-27 01:17:11 +02:00 · 2023-08-27 01:17:11 +02:00 · 7c48e51320
commit 7c48e51320
parent 522de920bb
9 changed files with 126 additions and 105 deletions
--- a/hosts/sentinel/oauth2.nix
+++ b/hosts/sentinel/oauth2.nix
@ -2,6 +2,7 @@
  lib,
  config,
  pkgs,
+  nodes,
  ...
 }: {
  meta.oauth2_proxy = {
@ -11,8 +12,27 @@
    # TODO portal redirect to dashboard (in case someone clicks on kanidm "Web services")
  };

-  age.secrets.oauth2-proxy-secret = {
-    rekeyFile = ./secrets/oauth2-proxy-secret.age;
+  age.secrets.oauth2-cookie-secret = {
+    rekeyFile = ./secrets/oauth2-cookie-secret.age;
+    mode = "440";
+    group = "oauth2_proxy";
+  };
+
+  # Mirror the original oauth2 secret, but prepend OAUTH2_PROXY_CLIENT_SECRET=
+  # so it can be used as an EnvironmentFile
+  age.secrets.oauth2-client-secret = {
+    generator.dependencies = [
+      nodes.ward-kanidm.config.age.secrets.kanidm-oauth2-web-sentinel
+    ];
+    generator.script = {
+      lib,
+      decrypt,
+      deps,
+      ...
+    }: ''
+      echo -n "OAUTH2_PROXY_CLIENT_SECRET="
+      ${decrypt} ${lib.escapeShellArg (lib.head deps).file}
+    '';
    mode = "440";
    group = "oauth2_proxy";
  };
@ -26,7 +46,7 @@
    redeemURL = "https://${config.networking.providedDomains.kanidm}/oauth2/token";
    validateURL = "https://${config.networking.providedDomains.kanidm}/oauth2/openid/${clientId}/userinfo";
    clientID = clientId;
-    keyFile = config.age.secrets.oauth2-proxy-secret.path;
+    keyFile = config.age.secrets.oauth2-cookie-secret.path;
    email.domains = ["*"];

    extraConfig = {
--- a/hosts/sentinel/secrets/oauth2-cookie-secret.age
+++ b/hosts/sentinel/secrets/oauth2-cookie-secret.age
@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> X25519 KdpmgjrRS0ELGwUakn4bKF56nftZLenn3NB7PYgiNQE
+52zchN0TRUP3/fdSTQ83aDi+0DZ07zxRRANNBe9i0IY
+-> piv-p256 xqSe8Q An0xez98f0vVvi2E+pwwGzKOsI4HzQE7cJN59T8yl3n0
+vvX2Yqergv0XqNOV37Qs4YUbCEGQbIF5O9NxkRpy11Q
+-> S_J0JSh-grease ]
+5Wf2tYlp7iszD54QfYkV95WGpcQ3HEeGACA3Y97NTr7uzUck4OPuKJwEwgK6pman
+AjB3lmIusWODZvwnuAL3fG/X4JEOJ2T21eBp5/Qfg/TsvHGH
+--- qjh6E4UM8Yd5zl8gOaQQJLk2AH+vDh7dCEv0ig0rO2k
+P‡]7ã\ú¨¶¿p—˜�(:'3E˜]ºšéÄRw8/²Z&Jz2I¼#“†Koç‚�¦w	™‚qyW‹-«ìÚ/iÐØ)+
Â+fÓÇSFž(Y_ý�4 ¼ŸßÍÒº?ÂjØ2l®0#
--- a/hosts/sentinel/secrets/oauth2-proxy-secret.age
+++ b/hosts/sentinel/secrets/oauth2-proxy-secret.age
--- a/hosts/ward/microvms/forgejo.nix
+++ b/hosts/ward/microvms/forgejo.nix
@ -20,6 +20,13 @@ in {
    inherit (config.services.gitea) group;
  };

+  # Mirror the original oauth2 secret
+  age.secrets.forgejo-oauth2-client-secret = {
+    inherit (nodes.ward-kanidm.config.age.secrets.kanidm-oauth2-forgejo) rekeyFile;
+    mode = "440";
+    inherit (config.services.gitea) group;
+  };
+
  nodes.sentinel = {
    networking.providedDomains.forgejo = forgejoDomain;

--- a/hosts/ward/microvms/grafana.nix
+++ b/hosts/ward/microvms/grafana.nix
@ -28,6 +28,13 @@ in {
    group = "grafana";
  };

+  # Mirror the original oauth2 secret
+  age.secrets.grafana-oauth2-client-secret = {
+    inherit (nodes.ward-kanidm.config.age.secrets.kanidm-oauth2-grafana) rekeyFile;
+    mode = "440";
+    group = "grafana";
+  };
+
  nodes.ward-influxdb = {
    # Mirror the original secret on the influx host
    age.secrets."grafana-influxdb-token-${config.node.name}" = {
@ -100,8 +107,7 @@ in {
        allow_sign_up = true;
        #auto_login = true;
        client_id = "grafana";
-        #client_secret = "$__file{${config.age.secrets.grafana-oauth-client-secret.path}}";
-        client_secret = "aZKNCM6KpjBy4RqwKJXMLXzyx9rKH6MZTFk4wYrKWuBqLj6t"; # TODO temporary test not a real secret
+        client_secret = "$__file{${config.age.secrets.grafana-oauth2-client-secret.path}}";
        scopes = "openid email profile";
        login_attribute_path = "prefered_username";
        auth_url = "https://${sentinelCfg.networking.providedDomains.kanidm}/ui/oauth2";
--- a/hosts/ward/microvms/kanidm.nix
+++ b/hosts/ward/microvms/kanidm.nix
@ -5,8 +5,9 @@
  pkgs,
  ...
 }: let
+  inherit (sentinelCfg.repo.secrets.local) personalDomain;
  sentinelCfg = nodes.sentinel.config;
-  kanidmDomain = "auth.${sentinelCfg.repo.secrets.local.personalDomain}";
+  kanidmDomain = "auth.${personalDomain}";
  kanidmPort = 8300;
 in {
  meta.wireguard-proxy.sentinel.allowedTCPPorts = [kanidmPort];
@ -23,6 +24,27 @@ in {
    group = "kanidm";
  };

+  age.secrets.kanidm-oauth2-grafana = {
+    generator.script = "alnum";
+    generator.tags = ["oauth2"];
+    mode = "440";
+    group = "kanidm";
+  };
+
+  age.secrets.kanidm-oauth2-forgejo = {
+    generator.script = "alnum";
+    generator.tags = ["oauth2"];
+    mode = "440";
+    group = "kanidm";
+  };
+
+  age.secrets.kanidm-oauth2-web-sentinel = {
+    generator.script = "alnum";
+    generator.tags = ["oauth2"];
+    mode = "440";
+    group = "kanidm";
+  };
+
  nodes.sentinel = {
    networking.providedDomains.kanidm = kanidmDomain;

@ -49,7 +71,6 @@ in {

  services.kanidm = {
    enableServer = true;
-    # enablePAM = true;
    serverSettings = {
      domain = kanidmDomain;
      origin = "https://${kanidmDomain}";
@ -58,18 +79,65 @@ in {
      bindaddress = "0.0.0.0:${toString kanidmPort}";
      trust_x_forward_for = true;
    };
-  };

-  environment.systemPackages = [pkgs.kanidm];
-
-  services.kanidm = {
    enableClient = true;
    clientSettings = {
      uri = config.services.kanidm.serverSettings.origin;
      verify_ca = true;
      verify_hostnames = true;
    };
+
+    provision = {
+      inherit (config.secrets.global.kanidm) persons;
+
+      # Grafana
+      groups.grafana = {};
+      groups."grafana.admins" = {};
+      groups."grafana.editors" = {};
+      groups."grafana.server-admins" = {};
+      systems.oauth2.grafana = {
+        displayName = "Grafana";
+        originUrl = "https://${config.networking.providedDomains.grafana}";
+        basicSecretFile = config.age.secrets.kanidm-oauth2-grafana.path;
+        scopeMaps.grafana = ["openid" "email" "profile"];
+        supplementaryScopeMaps = {
+          "grafana.admins" = ["admin"];
+          "grafana.editors" = ["editor"];
+          "grafana.server-admins" = ["server_admin"];
+        };
+      };
+
+      # Forgejo
+      groups.forgejo = {};
+      groups."forgejo.admins" = {};
+      systems.oauth2.forgejo = {
+        displayName = "Forgejo";
+        originUrl = "https://${config.networking.providedDomains.forgejo}";
+        basicSecretFile = config.age.secrets.kanidm-oauth2-forgejo.path;
+        scopeMaps.forgejo = ["openid" "email" "profile"];
+        supplementaryScopeMaps = {
+          "forgejo.admins" = ["admin"];
+          "forgejo.editors" = ["editor"];
+          "forgejo.server-admins" = ["server_admin"];
+        };
+      };
+
+      # Web Sentinel
+      groups.web-sentinel = {};
+      groups."web-sentinel.adguardhome" = {};
+      systems.oauth2.web-sentinel = {
+        displayName = "Web Sentinel";
+        originUrl = "https://oauth2.${personalDomain}";
+        basicSecretFile = config.age.secrets.kanidm-oauth2-web-sentinel.path;
+        scopeMaps.web-sentinel = ["openid" "email"];
+        supplementaryScopeMaps = {
+          "web-sentinel.adguardhome" = ["access_adguardhome"];
+          "web-sentinel.influxdb" = ["access_influxdb"];
+        };
+      };
+    };
  };

-  systemd.services.grafana.serviceConfig.RestartSec = "60"; # Retry every minute
+  environment.systemPackages = [pkgs.kanidm];
+  systemd.services.kanidm.serviceConfig.RestartSec = "60"; # Retry every minute
 }