swarsel/.dotfiles
1
0
Fork 0
mirror of https://github.com/Swarsel/.dotfiles.git synced 2026-04-15 13:49:11 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

wip: migrate client modules

Browse source
This commit is contained in:
Leon Schwarzäugl 2026-04-02 19:25:58 +02:00
parent f6d2ff1544
commit 7ce27d5d2f
Signed by: swarsel
GPG key ID: 26A54C31F2A4FD84
245 changed files with 20254 additions and 188 deletions
Download patch file Download diff file Expand all files Collapse all files

436
modules-clone/nixos/server/kanidm.nix Normal file
View file

@ -0,0 +1,436 @@
{ self, lib, pkgs, config, globals, dns, confLib, ... }:
let
certsSopsFile = self + /secrets/repo/certs.yaml;
inherit (config.swarselsystems) sopsFile;
inherit (confLib.gen { name = "kanidm"; port = 8300; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress proxyAddress4 proxyAddress6;
inherit (confLib.static) isHome isProxied webProxy homeWebProxy homeProxyIf webProxyIf dnsServer homeServiceAddress nginxAccessRules;
oauth2ProxyDomain = globals.services.oauth2-proxy.domain;
immichDomain = globals.services.immich.domain;
paperlessDomain = globals.services.paperless.domain;
forgejoDomain = globals.services.forgejo.domain;
grafanaDomain = globals.services.grafana.domain;
nextcloudDomain = globals.services.nextcloud.domain;
certBase = "/etc/ssl";
certsDir = "${certBase}/certs";
privateDir = "${certBase}/private";
certPathBase = "${certsDir}/${serviceName}.crt";
certPath =
if config.swarselsystems.isImpermanence then
"/persist${certPathBase}"
else
"${certPathBase}";
keyPathBase = "${privateDir}/${serviceName}.key";
keyPath =
if config.swarselsystems.isImpermanence then
"/persist${keyPathBase}"
else
"${keyPathBase}";
in
{
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselmodules.server.${serviceName} {
users = {
persistentIds = {
kanidm = confLib.mkIds 984;
};
users.${serviceUser} = {
group = serviceGroup;
isSystemUser = true;
};
groups.${serviceGroup} = { };
};
sops = {
secrets = {
"kanidm-self-signed-crt" = { sopsFile = certsSopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
"kanidm-self-signed-key" = { sopsFile = certsSopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
"kanidm-admin-pw" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
"kanidm-idm-admin-pw" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
"kanidm-immich" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
"kanidm-paperless" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
"kanidm-forgejo" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
"kanidm-grafana" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
"kanidm-nextcloud" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
"kanidm-freshrss" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
"kanidm-oauth2-proxy" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
};
};
# networking.firewall.allowedTCPPorts = [ servicePort ];
globals = {
general.idmServer = config.node.name;
networks = {
${webProxyIf}.hosts = lib.mkIf isProxied {
${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort ];
};
${homeProxyIf}.hosts = lib.mkIf isHome {
${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort ];
};
};
services.${serviceName} = {
domain = serviceDomain;
inherit proxyAddress4 proxyAddress6 isHome serviceAddress;
homeServiceAddress = lib.mkIf isHome homeServiceAddress;
};
};
environment.persistence = {
"/persist" = lib.mkIf config.swarselsystems.isImpermanence {
files = [
certPathBase
keyPathBase
];
};
"/state" = lib.mkIf config.swarselsystems.isMicroVM {
directories = [{ directory = "/var/lib/${serviceName}"; user = serviceUser; group = serviceGroup; }];
};
};
systemd.services = {
"generateSSLCert-${serviceName}" =
let
daysValid = 3650;
renewBeforeDays = 365;
in
{
before = [ "${serviceName}.service" ];
requiredBy = [ "${serviceName}.service" ];
after = [ "local-fs.target" ];
requires = [ "local-fs.target" ];
serviceConfig = {
Type = "oneshot";
};
script = ''
set -eu
${pkgs.coreutils}/bin/install -d -m 0755 ${certsDir}
${if config.swarselsystems.isImpermanence then "${pkgs.coreutils}/bin/install -d -m 0755 /persist${certsDir}" else ""}
${pkgs.coreutils}/bin/install -d -m 0750 ${privateDir}
${if config.swarselsystems.isImpermanence then "${pkgs.coreutils}/bin/install -d -m 0750 /persist${privateDir}" else ""}
need_gen=0
if [ ! -f "${certPath}" ] || [ ! -f "${keyPath}" ]; then
need_gen=1
else
enddate="$(${pkgs.openssl}/bin/openssl x509 -noout -enddate -in "${certPath}" | cut -d= -f2)"
end_epoch="$(${pkgs.coreutils}/bin/date -d "$enddate" +%s)"
now_epoch="$(${pkgs.coreutils}/bin/date +%s)"
seconds_left=$(( end_epoch - now_epoch ))
days_left=$(( seconds_left / 86400 ))
if [ "$days_left" -lt ${toString renewBeforeDays} ]; then
need_gen=1
else
echo 'Certificate exists and is still valid'
fi
fi
if [ "$need_gen" -eq 1 ]; then
${pkgs.openssl}/bin/openssl req -x509 -nodes -days ${toString daysValid} -newkey rsa:4096 -sha256 \
-keyout "${keyPath}" \
-out "${certPath}" \
-subj "/CN=${serviceDomain}" \
-addext "subjectAltName=DNS:${serviceDomain}"
chmod 0644 "${certPath}"
chmod 0600 "${keyPath}"
chown ${serviceUser}:${serviceGroup} "${certPath}" "${keyPath}"
fi
'';
};
kanidm = {
environment.KANIDM_TRUST_X_FORWARD_FOR = "true";
serviceConfig.RestartSec = "30";
};
};
# system.activationScripts."createPersistentStorageDirs" = lib.mkIf config.swarselsystems.isImpermanence {
# deps = [ "generateSSLCert-${serviceName}" "users" "groups" ];
# };
# system.activationScripts."generateSSLCert-${serviceName}" =
# let
# daysValid = 3650;
# renewBeforeDays = 365;
# in
# {
# text = ''
# set -eu
# ${pkgs.coreutils}/bin/install -d -m 0755 ${certsDir}
# ${if config.swarselsystems.isImpermanence then "${pkgs.coreutils}/bin/install -d -m 0755 /persist${certsDir}" else ""}
# ${pkgs.coreutils}/bin/install -d -m 0750 ${privateDir}
# ${if config.swarselsystems.isImpermanence then "${pkgs.coreutils}/bin/install -d -m 0750 /persist${privateDir}" else ""}
# need_gen=0
# if [ ! -f "${certPathBase}" ] || [ ! -f "${keyPathBase}" ]; then
# need_gen=1
# else
# enddate="$(${pkgs.openssl}/bin/openssl x509 -noout -enddate -in "${certPathBase}" | cut -d= -f2)"
# end_epoch="$(${pkgs.coreutils}/bin/date -d "$enddate" +%s)"
# now_epoch="$(${pkgs.coreutils}/bin/date +%s)"
# seconds_left=$(( end_epoch - now_epoch ))
# days_left=$(( seconds_left / 86400 ))
# if [ "$days_left" -lt ${toString renewBeforeDays} ]; then
# need_gen=1
# fi
# fi
# if [ "$need_gen" -eq 1 ]; then
# ${pkgs.openssl}/bin/openssl req -x509 -nodes -days ${toString daysValid} -newkey rsa:4096 -sha256 \
# -keyout "${keyPath}" \
# -out "${certPath}" \
# -subj "/CN=${serviceDomain}" \
# -addext "subjectAltName=DNS:${serviceDomain}"
# chmod 0644 "${certPath}"
# chmod 0600 "${keyPath}"
# chown ${serviceUser}:${serviceGroup} "${certPath}" "${keyPath}"
# fi
# '';
# deps = [
# "etc"
# (lib.mkIf config.swarselsystems.isImpermanence "specialfs")
# ];
# };
services = {
${serviceName} = {
package = pkgs.kanidmWithSecretProvisioning_1_9;
server = {
enable = true;
settings = {
domain = serviceDomain;
origin = "https://${serviceDomain}";
# tls_chain = config.sops.secrets.kanidm-self-signed-crt.path;
tls_chain = certPathBase;
# tls_key = config.sops.secrets.kanidm-self-signed-key.path;
tls_key = keyPathBase;
bindaddress = "0.0.0.0:${toString servicePort}";
# trust_x_forward_for = true;
};
};
client = {
enable = true;
settings = {
uri = config.services.kanidm.server.settings.origin;
verify_ca = true;
verify_hostnames = true;
};
};
provision = {
enable = true;
adminPasswordFile = config.sops.secrets.kanidm-admin-pw.path;
idmAdminPasswordFile = config.sops.secrets.kanidm-idm-admin-pw.path;
groups = {
"immich.access" = { };
"paperless.access" = { };
"forgejo.access" = { };
"forgejo.admins" = { };
"grafana.access" = { };
"grafana.editors" = { };
"grafana.admins" = { };
"grafana.server-admins" = { };
"nextcloud.access" = { };
"nextcloud.admins" = { };
"navidrome.access" = { };
"freshrss.access" = { };
"firefly.access" = { };
"radicale.access" = { };
"slink.access" = { };
"opkssh.access" = { };
"adguardhome.access" = { };
};
inherit (config.repo.secrets.local) persons;
systems = {
oauth2 = {
immich = {
displayName = "Immich";
originUrl = [
"https://${immichDomain}/auth/login"
"https://${immichDomain}/user-settings"
"app.immich:///oauth-callback"
"https://${immichDomain}/api/oauth/mobile-redirect"
];
originLanding = "https://${immichDomain}/";
basicSecretFile = config.sops.secrets.kanidm-immich.path;
preferShortUsername = true;
enableLegacyCrypto = true; # can use RS256 / HS256, not ES256
scopeMaps."immich.access" = [
"openid"
"email"
"profile"
];
};
paperless = {
displayName = "Paperless";
originUrl = "https://${paperlessDomain}/accounts/oidc/kanidm/login/callback/";
originLanding = "https://${paperlessDomain}/";
basicSecretFile = config.sops.secrets.kanidm-paperless.path;
preferShortUsername = true;
scopeMaps."paperless.access" = [
"openid"
"email"
"profile"
];
};
forgejo = {
displayName = "Forgejo";
originUrl = "https://${forgejoDomain}/user/oauth2/kanidm/callback";
originLanding = "https://${forgejoDomain}/";
basicSecretFile = config.sops.secrets.kanidm-forgejo.path;
scopeMaps."forgejo.access" = [
"openid"
"email"
"profile"
];
# XXX: PKCE is currently not supported by gitea/forgejo,
# see https://github.com/go-gitea/gitea/issues/21376.
allowInsecureClientDisablePkce = true;
preferShortUsername = true;
claimMaps.groups = {
joinType = "array";
valuesByGroup."forgejo.admins" = [ "admin" ];
};
};
grafana = {
displayName = "Grafana";
originUrl = "https://${grafanaDomain}/login/generic_oauth";
originLanding = "https://${grafanaDomain}/";
basicSecretFile = config.sops.secrets.kanidm-grafana.path;
preferShortUsername = true;
scopeMaps."grafana.access" = [
"openid"
"email"
"profile"
];
claimMaps.groups = {
joinType = "array";
valuesByGroup = {
"grafana.editors" = [ "editor" ];
"grafana.admins" = [ "admin" ];
"grafana.server-admins" = [ "server_admin" ];
};
};
};
nextcloud = {
displayName = "Nextcloud";
originUrl = " https://${nextcloudDomain}/apps/sociallogin/custom_oidc/kanidm";
originLanding = "https://${nextcloudDomain}/";
basicSecretFile = config.sops.secrets.kanidm-nextcloud.path;
allowInsecureClientDisablePkce = true;
scopeMaps."nextcloud.access" = [
"openid"
"email"
"profile"
];
preferShortUsername = true;
claimMaps.groups = {
joinType = "array";
valuesByGroup = {
"nextcloud.admins" = [ "admin" ];
};
};
};
opkssh = {
displayName = "OPKSSH";
originUrl = [
"http://localhost:3000"
"http://localhost:3000/login-callback"
"http://localhost:10001/login-callback"
"http://localhost:11110/login-callback"
];
originLanding = "http://localhost:3000";
public = true;
enableLocalhostRedirects = true;
scopeMaps."opkssh.access" = [
"openid"
"email"
"profile"
];
};
oauth2-proxy = {
displayName = "Oauth2-Proxy";
originUrl = "https://${oauth2ProxyDomain}/oauth2/callback";
originLanding = "https://${oauth2ProxyDomain}/";
basicSecretFile = config.sops.secrets.kanidm-oauth2-proxy.path;
scopeMaps = {
"freshrss.access" = [
"openid"
"email"
"profile"
];
"navidrome.access" = [
"openid"
"email"
"profile"
];
"firefly.access" = [
"openid"
"email"
"profile"
];
"radicale.access" = [
"openid"
"email"
"profile"
];
"slink.access" = [
"openid"
"email"
"profile"
];
"adguardhome.access" = [
"openid"
"email"
"profile"
];
};
preferShortUsername = true;
claimMaps.groups = {
joinType = "array";
valuesByGroup = {
"freshrss.access" = [ "ttrss_access" ];
"navidrome.access" = [ "navidrome_access" ];
"firefly.access" = [ "firefly_access" ];
"radicale.access" = [ "radicale_access" ];
"slink.access" = [ "slink_access" ];
"adguardhome.access" = [ "adguardhome_access" ];
};
};
};
};
};
};
};
};
nodes =
let
extraConfig = ''
allow ${globals.networks.home-lan.vlans.services.cidrv4};
allow ${globals.networks.home-lan.vlans.services.cidrv6};
'';
in
{
${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
};
${webProxy}.services.nginx = confLib.genNginx { inherit serviceAddress servicePort serviceDomain serviceName; protocol = "https"; noSslVerify = true; };
${homeWebProxy}.services.nginx = confLib.genNginx { inherit servicePort serviceDomain serviceName; protocol = "https"; noSslVerify = true; extraConfig = extraConfig + nginxAccessRules; serviceAddress = homeServiceAddress; };
};
};
}