Torjus Håkestad
35a5a91fcf
All checks were successful
Run nix flake check / flake-check (push) Successful in 2m5s
100 lines
3.2 KiB
Nix
100 lines
3.2 KiB
Nix
{ config, lib, pkgs, ... }:
|
|
{
|
|
services.kanidm = {
|
|
package = pkgs.kanidmWithSecretProvisioning_1_8;
|
|
enableServer = true;
|
|
serverSettings = {
|
|
domain = "home.2rjus.net";
|
|
origin = "https://auth.home.2rjus.net";
|
|
bindaddress = "0.0.0.0:443";
|
|
ldapbindaddress = "0.0.0.0:636";
|
|
tls_chain = "/var/lib/acme/auth.home.2rjus.net/fullchain.pem";
|
|
tls_key = "/var/lib/acme/auth.home.2rjus.net/key.pem";
|
|
online_backup = {
|
|
path = "/var/lib/kanidm/backups";
|
|
schedule = "00 22 * * *";
|
|
versions = 7;
|
|
};
|
|
};
|
|
|
|
# Provision base groups only - users are managed via CLI
|
|
# See docs/user-management.md for details
|
|
provision = {
|
|
enable = true;
|
|
idmAdminPasswordFile = config.vault.secrets.kanidm-idm-admin.outputDir;
|
|
|
|
groups = {
|
|
admins = { };
|
|
users = { };
|
|
ssh-users = { };
|
|
};
|
|
|
|
# Regular users (persons) are managed imperatively via kanidm CLI
|
|
|
|
# OAuth2/OIDC clients for service authentication
|
|
systems.oauth2.grafana = {
|
|
displayName = "Grafana";
|
|
originUrl = "https://grafana-test.home.2rjus.net/login/generic_oauth";
|
|
originLanding = "https://grafana-test.home.2rjus.net/";
|
|
basicSecretFile = config.vault.secrets.grafana-oauth2.outputDir;
|
|
preferShortUsername = true;
|
|
scopeMaps.users = [ "openid" "profile" "email" "groups" ];
|
|
};
|
|
|
|
systems.oauth2.openbao = {
|
|
displayName = "OpenBao Secrets";
|
|
# Public client for CLI support (uses PKCE instead of client secret)
|
|
public = true;
|
|
enableLocalhostRedirects = true;
|
|
# Both CLI (localhost) and Web UI callback URLs
|
|
originUrl = "https://vault.home.2rjus.net:8200/ui/vault/auth/oidc/oidc/callback";
|
|
originLanding = "https://vault.home.2rjus.net:8200/";
|
|
preferShortUsername = true;
|
|
# Allow groups scope for role binding
|
|
scopeMaps.admins = [ "openid" "profile" "email" "groups" ];
|
|
scopeMaps.users = [ "openid" "profile" "email" "groups" ];
|
|
};
|
|
};
|
|
};
|
|
|
|
# Grant kanidm access to ACME certificates
|
|
users.users.kanidm.extraGroups = [ "acme" ];
|
|
|
|
# ACME certificate from internal CA
|
|
# Include both the CNAME (auth) and A record (kanidm01) for Prometheus scraping
|
|
security.acme.certs."auth.home.2rjus.net" = {
|
|
listenHTTP = ":80";
|
|
reloadServices = [ "kanidm" ];
|
|
extraDomainNames = [ "${config.networking.hostName}.home.2rjus.net" ];
|
|
};
|
|
|
|
# Vault secret for idm_admin password (used for provisioning)
|
|
vault.secrets.kanidm-idm-admin = {
|
|
secretPath = "kanidm/idm-admin-password";
|
|
extractKey = "password";
|
|
services = [ "kanidm" ];
|
|
owner = "kanidm";
|
|
group = "kanidm";
|
|
};
|
|
|
|
# Vault secret for Grafana OAuth2 client secret
|
|
vault.secrets.grafana-oauth2 = {
|
|
secretPath = "services/grafana/oauth2-client-secret";
|
|
extractKey = "password";
|
|
services = [ "kanidm" ];
|
|
owner = "kanidm";
|
|
group = "kanidm";
|
|
};
|
|
|
|
|
|
# Note: Kanidm does not expose Prometheus metrics
|
|
# If metrics support is added in the future, uncomment:
|
|
# homelab.monitoring.scrapeTargets = [
|
|
# {
|
|
# job_name = "kanidm";
|
|
# port = 443;
|
|
# scheme = "https";
|
|
# }
|
|
# ];
|
|
}
|