chore: some kanidm provisioning prototyping
This commit is contained in:
parent
36e9f22602
commit
659ed7c854
2 changed files with 79 additions and 2 deletions
17
README.md
17
README.md
|
@ -131,6 +131,23 @@ openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
```nix
|
||||||
|
{
|
||||||
|
services.kanidm.provision = {
|
||||||
|
persons.myuser = {
|
||||||
|
legalname = "Full Name";
|
||||||
|
mail = "mail@example.com";
|
||||||
|
groups = ["grafana-access" "grafana-server-admins"];
|
||||||
|
};
|
||||||
|
|
||||||
|
groups.grafana-access = {};
|
||||||
|
groups.grafana-server-admins = {};
|
||||||
|
|
||||||
|
systems.oauth2.grafana = {
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -18,9 +18,69 @@
|
||||||
;
|
;
|
||||||
in {
|
in {
|
||||||
options.services.kanidm.provision = {
|
options.services.kanidm.provision = {
|
||||||
enable = mkEnableOption "provisioning of systems, groups and users";
|
enable = mkEnableOption "provisioning of systems (oauth2), groups and users";
|
||||||
|
|
||||||
systems = {
|
persons = mkOption {
|
||||||
|
description = "Provisioning of kanidm persons";
|
||||||
|
default = {};
|
||||||
|
type = types.attrsOf (types.submodule (personSubmod: {
|
||||||
|
options = {
|
||||||
|
present = mkOption {
|
||||||
|
description = "Whether to ensure that this person is present or absent.";
|
||||||
|
type = types.bool;
|
||||||
|
default = true;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}));
|
||||||
|
};
|
||||||
|
|
||||||
|
groups = mkOption {
|
||||||
|
description = "Provisioning of kanidm groups";
|
||||||
|
default = {};
|
||||||
|
type = types.attrsOf (types.submodule (groupSubmod: {
|
||||||
|
options = {
|
||||||
|
present = mkOption {
|
||||||
|
description = "Whether to ensure that this group is present or absent.";
|
||||||
|
type = types.bool;
|
||||||
|
default = true;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}));
|
||||||
|
};
|
||||||
|
|
||||||
|
systems.oauth2 = mkOption {
|
||||||
|
description = "Provisioning of oauth2 systems";
|
||||||
|
default = {};
|
||||||
|
type = types.attrsOf (types.submodule (oauth2Submod: {
|
||||||
|
options = {
|
||||||
|
present = mkOption {
|
||||||
|
description = "Whether to ensure that this oauth2 system is present or absent.";
|
||||||
|
type = types.bool;
|
||||||
|
default = true;
|
||||||
|
};
|
||||||
|
|
||||||
|
url =
|
||||||
|
mkOption {
|
||||||
|
};
|
||||||
|
|
||||||
|
basicSecretFile = mkOption {
|
||||||
|
description = "The basic secret to use for this service. If null, the random secret generated by kanidm will not be touched. Do NOT use a path from the nix store here!";
|
||||||
|
type = types.nullOr types.path;
|
||||||
|
example = "/run/secrets/some-oauth2-basic-secret";
|
||||||
|
default = null;
|
||||||
|
};
|
||||||
|
|
||||||
|
scopeMap = mkOption {
|
||||||
|
type = types.listOf types.str;
|
||||||
|
default = [];
|
||||||
|
};
|
||||||
|
|
||||||
|
supScopeMaps = mkOption {
|
||||||
|
type = types.attrsOf types.str;
|
||||||
|
default = {};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}));
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
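Review bot: `basicSecretFile` is typed `types.nullOr types.path`, so a Nix path literal such as `./secrets/grafana` type-checks and, when coerced to a string by the provisioning step, would be copied into the world-readable Nix store — the very thing the option description tells the user not to do. Consider `type = types.nullOr types.str;` so an absolute runtime path (as in the `/run/secrets/...` example) is the only accepted form, or keep `types.path` and add an assertion in the config section rejecting values under `builtins.storeDir`. The `url`, `scopeMap` and `supScopeMaps` options carry no `description`, and `url` has no `type`; a one-liner each, e.g. `description = "Origin URL of this oauth2 client, as registered in kanidm.";`, would make the generated option docs usable. The person submodule declares only `present`, while the README example in this commit sets `legalname`, `mail` and `groups`; as far as I can tell `types.submodule` rejects undeclared attributes, so that example would not evaluate until those options are added. The module's `let` bindings and its closing brace lie outside the hunk, and the file's name is not shown in this rendering.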