torjus/nixos-servers
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
Files
02270a0e4a5b53a963b27f46bea4f4e9e11a2241
nixos-servers/services/kanidm/default.nix
Torjus Håkestad 030e8518c5
Some checks failed
Run nix flake check / flake-check (push) Failing after 4m3s
Details
grafana: add Grafana on monitoring02 with Kanidm OIDC 
Deploy Grafana test instance on monitoring02 with:
- Kanidm OIDC authentication (admins -> Admin role, others -> Viewer)
- PKCE enabled for secure OAuth2 flow (required by Kanidm)
- Declarative datasources for Prometheus and Loki on monitoring01
- Local Caddy for TLS termination via internal ACME CA
- DNS CNAME grafana-test.home.2rjus.net

Terraform changes add OAuth2 client secret and AppRole policies for
kanidm01 and monitoring02.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-08 20:23:26 +01:00

85 lines
2.5 KiB
Nix
Raw Blame History

{ config, lib, pkgs, ... }:
{
services.kanidm = {
package = pkgs.kanidmWithSecretProvisioning_1_8;
enableServer = true;
serverSettings = {
domain = "home.2rjus.net";
origin = "https://auth.home.2rjus.net";
bindaddress = "0.0.0.0:443";
ldapbindaddress = "0.0.0.0:636";
tls_chain = "/var/lib/acme/auth.home.2rjus.net/fullchain.pem";
tls_key = "/var/lib/acme/auth.home.2rjus.net/key.pem";
online_backup = {
path = "/var/lib/kanidm/backups";
schedule = "00 22 * * *";
versions = 7;
};
};
# Provision base groups only - users are managed via CLI
# See docs/user-management.md for details
provision = {
enable = true;
idmAdminPasswordFile = config.vault.secrets.kanidm-idm-admin.outputDir;
groups = {
admins = { };
users = { };
ssh-users = { };
};
# Regular users (persons) are managed imperatively via kanidm CLI
# OAuth2/OIDC clients for service authentication
systems.oauth2.grafana = {
displayName = "Grafana";
originUrl = "https://grafana-test.home.2rjus.net/login/generic_oauth";
originLanding = "https://grafana-test.home.2rjus.net/";
basicSecretFile = config.vault.secrets.grafana-oauth2.outputDir;
preferShortUsername = true;
scopeMaps.users = [ "openid" "profile" "email" "groups" ];
};
};
};
# Grant kanidm access to ACME certificates
users.users.kanidm.extraGroups = [ "acme" ];
# ACME certificate from internal CA
# Include both the CNAME (auth) and A record (kanidm01) for Prometheus scraping
security.acme.certs."auth.home.2rjus.net" = {
listenHTTP = ":80";
reloadServices = [ "kanidm" ];
extraDomainNames = [ "${config.networking.hostName}.home.2rjus.net" ];
};
# Vault secret for idm_admin password (used for provisioning)
vault.secrets.kanidm-idm-admin = {
secretPath = "kanidm/idm-admin-password";
extractKey = "password";
services = [ "kanidm" ];
owner = "kanidm";
group = "kanidm";
};
# Vault secret for Grafana OAuth2 client secret
vault.secrets.grafana-oauth2 = {
secretPath = "services/grafana/oauth2-client-secret";
extractKey = "password";
services = [ "kanidm" ];
owner = "kanidm";
group = "kanidm";
};
# Note: Kanidm does not expose Prometheus metrics
# If metrics support is added in the future, uncomment:
# homelab.monitoring.scrapeTargets = [
# {
# job_name = "kanidm";
# port = 443;
# scheme = "https";
# }
# ];
}
Reference in New Issue View Git Blame Copy Permalink