feat: use kanidm secret provisioning

2025-10-10 23:00:39 +02:00 · 2023-08-27 01:17:11 +02:00 · 2023-08-27 01:17:11 +02:00 · 7c48e51320
commit 7c48e51320
parent 522de920bb
9 changed files with 126 additions and 105 deletions
--- a/hosts/ward/microvms/kanidm.nix
+++ b/hosts/ward/microvms/kanidm.nix
@ -5,8 +5,9 @@
  pkgs,
  ...
 }: let
+  inherit (sentinelCfg.repo.secrets.local) personalDomain;
  sentinelCfg = nodes.sentinel.config;
-  kanidmDomain = "auth.${sentinelCfg.repo.secrets.local.personalDomain}";
+  kanidmDomain = "auth.${personalDomain}";
  kanidmPort = 8300;
 in {
  meta.wireguard-proxy.sentinel.allowedTCPPorts = [kanidmPort];
@ -23,6 +24,27 @@ in {
    group = "kanidm";
  };

+  age.secrets.kanidm-oauth2-grafana = {
+    generator.script = "alnum";
+    generator.tags = ["oauth2"];
+    mode = "440";
+    group = "kanidm";
+  };
+
+  age.secrets.kanidm-oauth2-forgejo = {
+    generator.script = "alnum";
+    generator.tags = ["oauth2"];
+    mode = "440";
+    group = "kanidm";
+  };
+
+  age.secrets.kanidm-oauth2-web-sentinel = {
+    generator.script = "alnum";
+    generator.tags = ["oauth2"];
+    mode = "440";
+    group = "kanidm";
+  };
+
  nodes.sentinel = {
    networking.providedDomains.kanidm = kanidmDomain;

@ -49,7 +71,6 @@ in {

  services.kanidm = {
    enableServer = true;
-    # enablePAM = true;
    serverSettings = {
      domain = kanidmDomain;
      origin = "https://${kanidmDomain}";
@ -58,18 +79,65 @@ in {
      bindaddress = "0.0.0.0:${toString kanidmPort}";
      trust_x_forward_for = true;
    };
-  };

-  environment.systemPackages = [pkgs.kanidm];
-
-  services.kanidm = {
    enableClient = true;
    clientSettings = {
      uri = config.services.kanidm.serverSettings.origin;
      verify_ca = true;
      verify_hostnames = true;
    };
+
+    provision = {
+      inherit (config.secrets.global.kanidm) persons;
+
+      # Grafana
+      groups.grafana = {};
+      groups."grafana.admins" = {};
+      groups."grafana.editors" = {};
+      groups."grafana.server-admins" = {};
+      systems.oauth2.grafana = {
+        displayName = "Grafana";
+        originUrl = "https://${config.networking.providedDomains.grafana}";
+        basicSecretFile = config.age.secrets.kanidm-oauth2-grafana.path;
+        scopeMaps.grafana = ["openid" "email" "profile"];
+        supplementaryScopeMaps = {
+          "grafana.admins" = ["admin"];
+          "grafana.editors" = ["editor"];
+          "grafana.server-admins" = ["server_admin"];
+        };
+      };
+
+      # Forgejo
+      groups.forgejo = {};
+      groups."forgejo.admins" = {};
+      systems.oauth2.forgejo = {
+        displayName = "Forgejo";
+        originUrl = "https://${config.networking.providedDomains.forgejo}";
+        basicSecretFile = config.age.secrets.kanidm-oauth2-forgejo.path;
+        scopeMaps.forgejo = ["openid" "email" "profile"];
+        supplementaryScopeMaps = {
+          "forgejo.admins" = ["admin"];
+          "forgejo.editors" = ["editor"];
+          "forgejo.server-admins" = ["server_admin"];
+        };
+      };
+
+      # Web Sentinel
+      groups.web-sentinel = {};
+      groups."web-sentinel.adguardhome" = {};
+      systems.oauth2.web-sentinel = {
+        displayName = "Web Sentinel";
+        originUrl = "https://oauth2.${personalDomain}";
+        basicSecretFile = config.age.secrets.kanidm-oauth2-web-sentinel.path;
+        scopeMaps.web-sentinel = ["openid" "email"];
+        supplementaryScopeMaps = {
+          "web-sentinel.adguardhome" = ["access_adguardhome"];
+          "web-sentinel.influxdb" = ["access_influxdb"];
+        };
+      };
+    };
  };

-  systemd.services.grafana.serviceConfig.RestartSec = "60"; # Retry every minute
+  environment.systemPackages = [pkgs.kanidm];
+  systemd.services.kanidm.serviceConfig.RestartSec = "60"; # Retry every minute
 }