feat: use kanidm secret provisioning

2025-10-11 07:10:39 +02:00 · 2023-08-27 01:17:11 +02:00 · 2023-08-27 01:17:11 +02:00 · 7c48e51320
commit 7c48e51320
parent 522de920bb
9 changed files with 126 additions and 105 deletions
--- a/hosts/sentinel/oauth2.nix
+++ b/hosts/sentinel/oauth2.nix
@ -2,6 +2,7 @@
  lib,
  config,
  pkgs,
+  nodes,
  ...
 }: {
  meta.oauth2_proxy = {
@ -11,8 +12,27 @@
    # TODO portal redirect to dashboard (in case someone clicks on kanidm "Web services")
  };

-  age.secrets.oauth2-proxy-secret = {
-    rekeyFile = ./secrets/oauth2-proxy-secret.age;
+  age.secrets.oauth2-cookie-secret = {
+    rekeyFile = ./secrets/oauth2-cookie-secret.age;
+    mode = "440";
+    group = "oauth2_proxy";
+  };
+
+  # Mirror the original oauth2 secret, but prepend OAUTH2_PROXY_CLIENT_SECRET=
+  # so it can be used as an EnvironmentFile
+  age.secrets.oauth2-client-secret = {
+    generator.dependencies = [
+      nodes.ward-kanidm.config.age.secrets.kanidm-oauth2-web-sentinel
+    ];
+    generator.script = {
+      lib,
+      decrypt,
+      deps,
+      ...
+    }: ''
+      echo -n "OAUTH2_PROXY_CLIENT_SECRET="
+      ${decrypt} ${lib.escapeShellArg (lib.head deps).file}
+    '';
    mode = "440";
    group = "oauth2_proxy";
  };
@ -26,7 +46,7 @@
    redeemURL = "https://${config.networking.providedDomains.kanidm}/oauth2/token";
    validateURL = "https://${config.networking.providedDomains.kanidm}/oauth2/openid/${clientId}/userinfo";
    clientID = clientId;
-    keyFile = config.age.secrets.oauth2-proxy-secret.path;
+    keyFile = config.age.secrets.oauth2-cookie-secret.path;
    email.domains = ["*"];

    extraConfig = {