chore: update fixes, add kanidm <-> firezone integration

hosts/sentinel/default.nix

@@ -13,6 +13,7 @@
     ./blog.nix
     ./fs.nix
     ./net.nix
+    ./firezone.nix
     ./oauth2.nix
     ./plausible.nix
     ./postgresql.nix

hosts/sentinel/firezone.nix

@@ -2,6 +2,7 @@
   config,
   globals,
   lib,
+  nodes,
   ...
 }:
 let
@@ -25,10 +26,11 @@ let
   };
 in
 {
-  age.secrets.firezone-smtp-password = {
-    generator.script = "alnum";
-    mode = "440";
-    group = "firezone";
+  age.secrets.firezone-smtp-password.generator.script = "alnum";
+
+  # Mirror the original oauth2 secret
+  age.secrets.firezone-oauth2-client-secret = {
+    inherit (nodes.ward-kanidm.config.age.secrets.kanidm-oauth2-firezone) rekeyFile;
   };
 
   environment.persistence."/persist".directories = [
@@ -53,7 +55,7 @@ in
       inherit (config.repo.secrets.local.firezone.mail) from host username;
       port = 465;
       implicitTls = true;
-      passwordFile = config.age.secrets.firezone-smtp-password.file;
+      passwordFile = config.age.secrets.firezone-smtp-password.path;
     };
 
     provision = {
@@ -68,6 +70,22 @@ in
           email = "admin@${globals.domains.me}";
         };
 
+        auth.oidc =
+          let
+            client_id = "firezone";
+          in
+          {
+            name = "Kanidm";
+            adapter = "openid_connect";
+            adapter_config = {
+              scope = "openid email profile";
+              response_type = "code";
+              inherit client_id;
+              discovery_document_uri = "https://${globals.services.kanidm.domain}/oauth2/openid/${client_id}/.well-known/openid-configuration";
+              clientSecretFile = config.age.secrets.firezone-oauth2-client-secret.path;
+            };
+          };
+
         # FIXME: dont hardcode, filter global service domains by internal state
         # FIXME: new entry here? make new adguardhome entry too.
         resources =
@@ -110,10 +128,11 @@ in
           { }
           // allow "everyone" "home.vlan-services.v4"
           // allow "everyone" "home.vlan-services.v6"
-          // lib.genAttrs homeDomains (domain: allow "everyone" domain);
+          // lib.mergeAttrsList (map (domain: allow "everyone" domain) homeDomains);
       };
     };
 
+    domain.settings.ERLANG_DISTRIBUTION_PORT = 9003;
     api.externalUrl = "https://${firezoneDomain}/api/";
     web.externalUrl = "https://${firezoneDomain}/";
   };

hosts/sire/guests/grafana.nix

@@ -72,20 +72,6 @@ in
         tokenFile =
           nodes.sire-influxdb.config.age.secrets."grafana-influxdb-token-machines-${config.node.name}".path;
       };
-
-    age.secrets."grafana-influxdb-token-home-${config.node.name}" = {
-      inherit (config.age.secrets.grafana-influxdb-token-home) rekeyFile;
-      mode = "440";
-      group = "influxdb2";
-    };
-
-    services.influxdb2.provision.organizations.home.auths."grafana home:home_assistant (${config.node.name})" =
-      {
-        readBuckets = [ "home_assistant" ];
-        writeBuckets = [ "home_assistant" ];
-        tokenFile =
-          nodes.sire-influxdb.config.age.secrets."grafana-influxdb-token-home-${config.node.name}".path;
-      };
   };
 
   globals.services.grafana.domain = grafanaDomain;

hosts/ward/guests/kanidm.nix

@@ -38,6 +38,7 @@ in
   age.secrets.kanidm-oauth2-forgejo = mkRandomSecret;
   age.secrets.kanidm-oauth2-grafana = mkRandomSecret;
   age.secrets.kanidm-oauth2-immich = mkRandomSecret;
+  age.secrets.kanidm-oauth2-firezone = mkRandomSecret;
   age.secrets.kanidm-oauth2-paperless = mkRandomSecret;
   age.secrets.kanidm-oauth2-web-sentinel = mkRandomSecret;
 
@@ -138,11 +139,14 @@ in
       # Firezone
       groups."firezone.access" = { };
       systems.oauth2.firezone = {
-        public = true;
         displayName = "Firezone VPN";
-        # FIXME: change
-        originUrl = "https://dummy.example.org/";
-        originLanding = "https://dummy.example.org/";
+        # NOTE: state: both uuids are runtime values
+        originUrl = [
+          "https://${globals.services.firezone.domain}/50e16678-6e95-49e2-b59e-d70d0e658843/sign_in/providers/fc8afaa3-ce60-4073-9cae-81dec9453a2d/handle_callback"
+          "https://${globals.services.firezone.domain}/50e16678-6e95-49e2-b59e-d70d0e658843/settings/identity_providers/openid_connect/fc8afaa3-ce60-4073-9cae-81dec9453a2d/handle_callback"
+        ];
+        originLanding = "https://${globals.services.firezone.domain}/";
+        basicSecretFile = config.age.secrets.kanidm-oauth2-firezone.path;
         preferShortUsername = true;
         scopeMaps."firezone.access" = [
           "openid"