chore: update kanidm module

hosts/ward/guests/forgejo.nix

@@ -124,9 +124,14 @@ in {
         ENABLED_ISSUE_BY_LABEL = true;
       };
       oauth2_client = {
-        ACCOUNT_LINKING = "auto";
+        # Never use auto account linking with this, otherwise users cannot change
+        # their new user name and they could potentially overtake other users accounts
+        # by setting their email address to an existing account.
+        # With "login" linking the user must choose a non-existing username first or login
+        # with the existing account to link.
+        ACCOUNT_LINKING = "login";
+        USERNAME = "nickname";
         ENABLE_AUTO_REGISTRATION = true;
-        OPENID_CONNECT_SCOPES = "email profile";
         REGISTER_EMAIL_CONFIRM = false;
         UPDATE_AVATAR = true;
       };
@@ -161,10 +166,6 @@ in {
     };
   };
 
-  # XXX: PKCE is currently not supported by gitea/forgejo,
-  # see https://github.com/go-gitea/gitea/issues/21376.
-  # Disable PKCE manually in kanidm for now.
-  # `kanidm system oauth2 warning-insecure-client-disable-pkce forgejo`
   systemd.services.gitea = {
     serviceConfig.RestartSec = "600"; # Retry every 10 minutes
     preStart = let
@@ -180,18 +181,26 @@ in {
         clientId
         "--auto-discover-url"
         "https://${sentinelCfg.networking.providedDomains.kanidm}/oauth2/openid/${clientId}/.well-known/openid-configuration"
-        #"--required-claim-name" "groups"
-        #"--group-claim-name" "groups"
-        #"--admin-group" "/forge_admins@${domain}"
+        "--scopes"
+        "email"
+        "--scopes"
+        "profile"
+        "--scopes"
+        "groups"
+        "--group-claim-name"
+        "groups"
+        "--admin-group"
+        "admin"
         "--skip-local-2fa"
       ];
     in
       lib.mkAfter ''
         provider_id=$(${exe} admin auth list | ${pkgs.gnugrep}/bin/grep -w '${providerName}' | cut -f1)
+        SECRET="$(< ${config.age.secrets.forgejo-oauth2-client-secret.path})"
         if [[ -z "$provider_id" ]]; then
-          FORGEJO_ADMIN_OAUTH2_SECRET="$(< ${config.age.secrets.forgejo-oauth2-client-secret.path})" ${exe} admin auth add-oauth ${args}
+          ${exe} admin auth add-oauth ${args} --secret "$SECRET"
         else
-          FORGEJO_ADMIN_OAUTH2_SECRET="$(< ${config.age.secrets.forgejo-oauth2-client-secret.path})" ${exe} admin auth update-oauth --id "$provider_id" ${args}
+          ${exe} admin auth update-oauth --id "$provider_id" ${args} --secret "$SECRET"
         fi
       '';
   };

hosts/ward/guests/kanidm.nix

@@ -136,6 +136,7 @@ in {
         originUrl = "https://${sentinelCfg.networking.providedDomains.grafana}/";
         basicSecretFile = config.age.secrets.kanidm-oauth2-grafana.path;
         scopeMaps."grafana.access" = ["openid" "email" "profile"];
+        # FIXME: use new group claims k thx
         supplementaryScopeMaps = {
           "grafana.admins" = ["admin"];
           "grafana.editors" = ["editor"];
@@ -151,8 +152,13 @@ in {
         originUrl = "https://${sentinelCfg.networking.providedDomains.forgejo}/";
         basicSecretFile = config.age.secrets.kanidm-oauth2-forgejo.path;
         scopeMaps."forgejo.access" = ["openid" "email" "profile"];
-        supplementaryScopeMaps = {
-          "forgejo.admins" = ["admin"];
+        # XXX: PKCE is currently not supported by gitea/forgejo,
+        # see https://github.com/go-gitea/gitea/issues/21376.
+        allowInsecureClientDisablePkce = true;
+        preferShortUsername = true;
+        claimMaps.groups = {
+          joinType = "array";
+          valuesByGroup."forgejo.admins" = ["admin"];
         };
       };
 
@@ -165,9 +171,10 @@ in {
         originUrl = "https://oauth2.${personalDomain}/";
         basicSecretFile = config.age.secrets.kanidm-oauth2-web-sentinel.path;
         scopeMaps."web-sentinel.access" = ["openid" "email"];
-        supplementaryScopeMaps = {
-          "web-sentinel.adguardhome" = ["access_adguardhome"];
-          "web-sentinel.influxdb" = ["access_influxdb"];
+        claimMaps.groups = {
+          joinType = "array";
+          valuesByGroup."web-sentinel.adguardhome" = ["access_adguardhome"];
+          valuesByGroup."web-sentinel.influxdb" = ["access_influxdb"];
         };
       };
     };

modules/kanidm.nix

@@ -19,8 +19,10 @@
     flip
     foldl'
     getExe
+    hasInfix
     hasPrefix
     isStorePath
+    last
     mapAttrsToList
     mdDoc
     mkEnableOption
@@ -31,6 +33,7 @@
     mkPackageOption
     optional
     optionalString
+    splitString
     subtractLists
     types
     unique
@@ -112,6 +115,17 @@
     inherit (cfg.provision) groups persons systems;
   });
 
+  serverPort =
+    # ipv6:
+    if hasInfix "]:" cfg.serverSettings.bindaddress
+    then last (splitString "]:" cfg.serverSettings.bindaddress)
+    else
+      # ipv4:
+      if hasInfix "." cfg.serverSettings.bindaddress
+      then last (splitString ":" cfg.serverSettings.bindaddress)
+      # default is 8443
+      else "8443";
+
   # Only recover the admin account if a password should explicitly be provisioned
   # for the account. Otherwise it is not needed for provisioning.
   maybeRecoverAdmin = optionalString (cfg.provision.adminPasswordFile != null) ''
@@ -324,7 +338,8 @@ in {
 
       instanceUrl = mkOption {
         description = "The instance url to which the provisioning tool should connect.";
-        default = "https://localhost";
+        default = "https://localhost:${serverPort}";
+        defaultText = ''"https://localhost:<port from serverSettings.bindaddress>"'';
         type = types.str;
       };
 
@@ -335,8 +350,8 @@ in {
           dangerous when used with an external URL.
         '';
         type = types.bool;
-        default = cfg.provision.instanceUrl == "https://localhost";
-        defaultText = ''services.kanidm.provision.instanceUrl == "https://localhost"'';
+        default = hasPrefix "https://localhost:" cfg.provision.instanceUrl;
+        defaultText = ''hasPrefix "https://localhost:" cfg.provision.instanceUrl'';
       };
 
       adminPasswordFile = mkOption {

pkgs/default.nix

@@ -19,6 +19,7 @@
           "${provisionSrc}/patches/${old.version}-recover-account.patch"
         ];
       passthru.enableSecretProvisioning = true;
+      doCheck = false;
     });
     kanidm-provision = prev.callPackage ./kanidm-provision.nix {};
     kanidm-secret-manipulator = prev.callPackage ./kanidm-secret-manipulator.nix {};

secrets/generated/ward-kanidm/kanidm-admin-password.age

@@ -1,10 +1,10 @@
 age-encryption.org/v1
--> X25519 6f8QhIEaEPpo4rE7z2+xfSvVuBuNFA88irUfI9zcIE4
-GqmGfpdlp+g5AMhXqX9lgDC/N8R7219sAaBi0I9d9Ag
--> piv-p256 xqSe8Q Ay3ut51NNIlEQMX0khPsv125nhDXOXHmFSgSnTjbVe7n
-6IcjGzTGPgvNZ2Q2HQPa9W7WCPNdIAADA1wRMS8GZC4
--> 82t/-grease `y"L Hi< _{M
-SiPWwQNeRqL92N2g63dJ3w3+OZsSge3YoF4IKmw10dXnmThUrwZWmv0s1LlZWFlF
-zZpcto0M
---- RZDYu8mV+RbfUwjpVdPpGso9zU1T/Nr/HjJImcK6kiY
-0Ń×&ę{Aĺčc„õ»ţL�,;^ó•ĂU°ŐQpóU&î×}ńüżG‚µ†ÖRkĺ[ˇ»üŇ–ŁŠI…ż=8¤čşĎŬ©ćĂË‘!¦¦
+-> X25519 GPGUXxxB5Cj2S0lIefvZQxCPx+RyLhTekC1DQKhq+AE
+XopnX7IBSSqsBaAzffjUI+kuQIwil4HhqnV/FqWYZAU
+-> piv-p256 xqSe8Q AnXbklxYTgrlCOwXorB5KRXT9UGiCsvUMNtkrvUUvdpJ
+UEcHDRHS5fpBUJzoeelgtCnqTh/PS5O0jWh8eSRukoE
+-> iuO-grease xi(!7 {t&2I
+bAd8XDG3V+NpXswCjj15/7h+klBqyiNy9gWgNkQPyrN8078Bh5YAHO+6Gl56MN8V
+nJxvrw
+--- 5jTQCFK/KQKkOfAGUi4AmKy0iwgM69lx6q9+18poSzM
+»?„y?PUŰÖ,Éđ=sáëČ|CuQlaľe’'[-úÁJ+Ĺž©8‹î§O6cţ,tűîŤfwă¤|\»›=§+śścÇÁCü‰áܧú

secrets/rekeyed/ward-kanidm/1e8a4b2e02bdfebbf38a6c68df160840-kanidm-idm-admin-password.age

@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 QciEZQ QyX7/FtiWgoLvyffHXvVuSKDQi95Kyc3fn0fI2G+7Sw
+Bi2yLN8V+1tUBHeLAvGeaYXZ3+wInoyrEn9nMOdOU50
+-> ;-grease Zu Ht`s/,N% xA6=yx#Y 8!&Ju@
+VBbgI0sdvLsXV81KaSBTf47C7EvRPSOShvtJlbDcjJm9Z08Egb0dhxieCyCkklve
+KoOrjuy5IpGRhF4
+--- YuF5oqqskiKa/0uVqHaaOcyAYoQUJsI7YdhCSiE7WUk
+”bgŮş&ŕÁţË*#R˘¤XжAe˙$qĐÚoŻĹö�uĂO"Š	¤”ÍČ=JÔ_VŇF§Oč˛*śUť<Qę9ČžŢ{şP·¶@

secrets/rekeyed/ward-kanidm/68153eee0e2a6f1a6f370a461fe91ce4-kanidm-admin-password.age

@@ -1,8 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 QciEZQ BdaphQM25KBdkYRt1jz2xqRRTkx0w9B5mEa/wLnrjhw
-stL5lO8Pn5mZ1e+RV0MM3Z/PKELNsudJXpzOPcw4ZMo
--> #'H$k-grease F
-bjZu5g/zqKw7tfcOcr6A1rjCeZ9Xv5lzcDfyRffobE9hadKMmWXpI9SIvWpMGotj
-SEjIpghD5Ws
---- 9Zk53p5YyRxFy4eGNciZvQDNdWUxQZRG5usva0j/HhU
-Ör�ni`öhÍeÌïëìòò®C¤ƒ!mƒºqÈ`F%•ñ÷˜ìž¬¿/ERwdsøÛëD ¯ˆ¶+eÎÞZÑÚ5áF£æZ#‡Ÿ Jk	:ˆ