torjus/nixos-servers
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
Files
d7f660362021af78e54b1f45152adab7911da181
nixos-servers/services/kanidm/default.nix
Torjus Håkestad d7f6603620
Some checks failed
Run nix flake check / flake-check (push) Has been cancelled
Details
vault: add OpenBao OIDC integration with Kanidm
2026-02-09 19:20:13 +01:00

109 lines
3.4 KiB
Nix
Raw Blame History

{ config, lib, pkgs, ... }:
{
services.kanidm = {
package = pkgs.kanidmWithSecretProvisioning_1_8;
enableServer = true;
serverSettings = {
domain = "home.2rjus.net";
origin = "https://auth.home.2rjus.net";
bindaddress = "0.0.0.0:443";
ldapbindaddress = "0.0.0.0:636";
tls_chain = "/var/lib/acme/auth.home.2rjus.net/fullchain.pem";
tls_key = "/var/lib/acme/auth.home.2rjus.net/key.pem";
online_backup = {
path = "/var/lib/kanidm/backups";
schedule = "00 22 * * *";
versions = 7;
};
};
# Provision base groups only - users are managed via CLI
# See docs/user-management.md for details
provision = {
enable = true;
idmAdminPasswordFile = config.vault.secrets.kanidm-idm-admin.outputDir;
groups = {
admins = { };
users = { };
ssh-users = { };
};
# Regular users (persons) are managed imperatively via kanidm CLI
# OAuth2/OIDC clients for service authentication
systems.oauth2.grafana = {
displayName = "Grafana";
originUrl = "https://grafana-test.home.2rjus.net/login/generic_oauth";
originLanding = "https://grafana-test.home.2rjus.net/";
basicSecretFile = config.vault.secrets.grafana-oauth2.outputDir;
preferShortUsername = true;
scopeMaps.users = [ "openid" "profile" "email" "groups" ];
};
systems.oauth2.openbao = {
displayName = "OpenBao Secrets";
# Both CLI (localhost) and Web UI callback URLs
originUrl = [
"http://localhost:8250/oidc/callback"
"https://vault.home.2rjus.net:8200/ui/vault/auth/oidc/oidc/callback"
];
originLanding = "https://vault.home.2rjus.net:8200/";
basicSecretFile = config.vault.secrets.openbao-oauth2.outputDir;
preferShortUsername = true;
# Allow groups scope for role binding
scopeMaps.admins = [ "openid" "profile" "email" "groups" ];
scopeMaps.users = [ "openid" "profile" "email" "groups" ];
};
};
};
# Grant kanidm access to ACME certificates
users.users.kanidm.extraGroups = [ "acme" ];
# ACME certificate from internal CA
# Include both the CNAME (auth) and A record (kanidm01) for Prometheus scraping
security.acme.certs."auth.home.2rjus.net" = {
listenHTTP = ":80";
reloadServices = [ "kanidm" ];
extraDomainNames = [ "${config.networking.hostName}.home.2rjus.net" ];
};
# Vault secret for idm_admin password (used for provisioning)
vault.secrets.kanidm-idm-admin = {
secretPath = "kanidm/idm-admin-password";
extractKey = "password";
services = [ "kanidm" ];
owner = "kanidm";
group = "kanidm";
};
# Vault secret for Grafana OAuth2 client secret
vault.secrets.grafana-oauth2 = {
secretPath = "services/grafana/oauth2-client-secret";
extractKey = "password";
services = [ "kanidm" ];
owner = "kanidm";
group = "kanidm";
};
# Vault secret for OpenBao OAuth2 client secret
vault.secrets.openbao-oauth2 = {
secretPath = "services/openbao/oauth2-client-secret";
extractKey = "password";
services = [ "kanidm" ];
owner = "kanidm";
group = "kanidm";
};
# Note: Kanidm does not expose Prometheus metrics
# If metrics support is added in the future, uncomment:
# homelab.monitoring.scrapeTargets = [
# {
# job_name = "kanidm";
# port = 443;
# scheme = "https";
# }
# ];
}
Reference in New Issue View Git Blame Copy Permalink