torjus/nixos-servers
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity

vault: add OpenBao OIDC integration with Kanidm
All checks were successful
Run nix flake check / flake-check (push) Successful in 2m9s
Details

Browse Source 
Enable Kanidm users to authenticate to OpenBao via OIDC for Web UI access.
Members of the admins group get full read/write access to secrets.

Changes:
- Add OIDC auth backend in Terraform (oidc.tf)
- Add oidc-admin and oidc-default policies
- Add openbao OAuth2 client to Kanidm
- Enable legacy crypto (RS256) for OpenBao compatibility
- Allow imperative group membership management in Kanidm

Limitations:
- CLI login not supported (Kanidm requires HTTPS for confidential client redirects)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
Torjus Håkestad
2026-02-09 19:42:26 +01:00
parent 2f5a2a4bf1
commit e85f15b73d
5 changed files with 131 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
terraform/vault/approle.tf
View File

@@ -106,6 +106,7 @@ locals {
"secret/data/hosts/kanidm01/*",
"secret/data/kanidm/*",
"secret/data/services/grafana/*",
"secret/data/services/openbao/*",
]
}

50
terraform/vault/oidc.tf Normal file
View File

@@ -0,0 +1,50 @@
# OIDC authentication backend for Kanidm integration
# Web UI only - CLI localhost redirects not supported with confidential clients
resource "vault_jwt_auth_backend" "oidc" {
path = "oidc"
type = "oidc"
oidc_discovery_url = "https://auth.home.2rjus.net/oauth2/openid/openbao"
oidc_client_id = "openbao"
oidc_client_secret = random_password.auto_secrets["services/openbao/oauth2-client-secret"].result
default_role = "default"
tune {
listing_visibility = "unauth"
default_lease_ttl = "1h"
max_lease_ttl = "24h"
token_type = "default-service"
}
}
# Admin role - maps Kanidm admins group to admin policy
resource "vault_jwt_auth_backend_role" "admin" {
backend = vault_jwt_auth_backend.oidc.path
role_name = "admin"
token_policies = ["oidc-admin"]
user_claim = "preferred_username"
groups_claim = "groups"
bound_claims = { groups = "admins@home.2rjus.net" }
role_type = "oidc"
oidc_scopes = ["openid", "profile", "email", "groups"]
allowed_redirect_uris = [
"https://vault.home.2rjus.net:8200/ui/vault/auth/oidc/oidc/callback",
]
}
# Default role - any authenticated user (limited access)
resource "vault_jwt_auth_backend_role" "default" {
backend = vault_jwt_auth_backend.oidc.path
role_name = "default"
token_policies = ["oidc-default"]
user_claim = "preferred_username"
groups_claim = "groups"
role_type = "oidc"
oidc_scopes = ["openid", "profile", "email", "groups"]
allowed_redirect_uris = [
"https://vault.home.2rjus.net:8200/ui/vault/auth/oidc/oidc/callback",
]
}

47
terraform/vault/policies.tf
View File

@@ -8,3 +8,50 @@ path "sys/metrics" {
}
EOT
}
# OIDC admin policy - full read/write to all secrets
resource "vault_policy" "oidc_admin" {
name = "oidc-admin"
policy = <<EOT
# Full access to KV secrets
path "secret/*" {
capabilities = ["create", "read", "update", "delete", "list"]
}
# Read system health and metrics
path "sys/health" {
capabilities = ["read"]
}
path "sys/metrics" {
capabilities = ["read"]
}
# List auth methods and mounts
path "sys/auth" {
capabilities = ["read"]
}
path "sys/mounts" {
capabilities = ["read"]
}
EOT
}
# OIDC default policy - minimal access for authenticated users
resource "vault_policy" "oidc_default" {
name = "oidc-default"
policy = <<EOT
# Read own token info
path "auth/token/lookup-self" {
capabilities = ["read"]
}
# Read system health
path "sys/health" {
capabilities = ["read"]
}
EOT
}

6
terraform/vault/secrets.tf
View File

@@ -115,6 +115,12 @@ locals {
password_length = 64
}
# OpenBao OAuth2 client secret (for Kanidm OIDC)
"services/openbao/oauth2-client-secret" = {
auto_generate = true
password_length = 64
}
# NKey for nixos-exporter NATS cache sharing
"shared/nixos-exporter/nkey" = {
auto_generate = false