torjus/nixos-servers
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity

vault: use public OIDC client for CLI localhost redirect support
All checks were successful
Run nix flake check / flake-check (push) Successful in 2m5s
Details

Browse Source
This commit is contained in:
Torjus Håkestad
2026-02-09 19:26:41 +01:00
parent d7f6603620
commit 35a5a91fcf
4 changed files with 5 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
services/kanidm/default.nix
View File

@@ -43,13 +43,12 @@
systems.oauth2.openbao = { systems.oauth2.openbao = {
displayName = "OpenBao Secrets"; displayName = "OpenBao Secrets";
# Public client for CLI support (uses PKCE instead of client secret)
public = true;
enableLocalhostRedirects = true;
# Both CLI (localhost) and Web UI callback URLs # Both CLI (localhost) and Web UI callback URLs
originUrl = [ originUrl = "https://vault.home.2rjus.net:8200/ui/vault/auth/oidc/oidc/callback";
"http://localhost:8250/oidc/callback"
"https://vault.home.2rjus.net:8200/ui/vault/auth/oidc/oidc/callback"
];
originLanding = "https://vault.home.2rjus.net:8200/"; originLanding = "https://vault.home.2rjus.net:8200/";
basicSecretFile = config.vault.secrets.openbao-oauth2.outputDir;
preferShortUsername = true; preferShortUsername = true;
# Allow groups scope for role binding # Allow groups scope for role binding
scopeMaps.admins = [ "openid" "profile" "email" "groups" ]; scopeMaps.admins = [ "openid" "profile" "email" "groups" ];
@@ -87,14 +86,6 @@
group = "kanidm"; group = "kanidm";
}; };
# Vault secret for OpenBao OAuth2 client secret
vault.secrets.openbao-oauth2 = {
secretPath = "services/openbao/oauth2-client-secret";
extractKey = "password";
services = [ "kanidm" ];
owner = "kanidm";
group = "kanidm";
};
# Note: Kanidm does not expose Prometheus metrics # Note: Kanidm does not expose Prometheus metrics
# If metrics support is added in the future, uncomment: # If metrics support is added in the future, uncomment:

1
terraform/vault/approle.tf
View File

@@ -106,7 +106,6 @@ locals {
"secret/data/hosts/kanidm01/*", "secret/data/hosts/kanidm01/*",
"secret/data/kanidm/*", "secret/data/kanidm/*",
"secret/data/services/grafana/*", "secret/data/services/grafana/*",
"secret/data/services/openbao/*",
] ]
} }

2
terraform/vault/oidc.tf
View File

@@ -1,10 +1,10 @@
# OIDC authentication backend for Kanidm integration # OIDC authentication backend for Kanidm integration
# Using a public client (no secret) to support CLI localhost redirects
resource "vault_jwt_auth_backend" "oidc" { resource "vault_jwt_auth_backend" "oidc" {
path = "oidc" path = "oidc"
type = "oidc" type = "oidc"
oidc_discovery_url = "https://auth.home.2rjus.net/oauth2/openid/openbao" oidc_discovery_url = "https://auth.home.2rjus.net/oauth2/openid/openbao"
oidc_client_id = "openbao" oidc_client_id = "openbao"
oidc_client_secret = random_password.auto_secrets["services/openbao/oauth2-client-secret"].result
default_role = "default" default_role = "default"
tune { tune {

5
terraform/vault/secrets.tf
View File

@@ -115,11 +115,6 @@ locals {
password_length = 64 password_length = 64
} }
# OpenBao OAuth2 client secret (for Kanidm OIDC)
"services/openbao/oauth2-client-secret" = {
auto_generate = true
password_length = 64
}
# NKey for nixos-exporter NATS cache sharing # NKey for nixos-exporter NATS cache sharing
"shared/nixos-exporter/nkey" = { "shared/nixos-exporter/nkey" = {