mirror of
https://git.selfprivacy.org/SelfPrivacy/selfprivacy-nixos-config.git
synced 2024-11-23 12:01:27 +00:00
kanidm 1.4.0
This commit is contained in:
Alexander Tomokhov
parent
8f82a4c574
commit
8ec86f35a1
|
|
@ -3,5 +3,6 @@
|
||||||
["security", "acme", "certs"],
|
["security", "acme", "certs"],
|
||||||
["selfprivacy", "domain"],
|
["selfprivacy", "domain"],
|
||||||
["selfprivacy", "modules"],
|
["selfprivacy", "modules"],
|
||||||
["services"]
|
["services"],
|
||||||
|
["systemd", "services", "kanidm"]
|
||||||
]
|
]
|
||||||
|
|
|
||||||
|
|
@ -1,13 +1,24 @@
|
||||||
{
|
{
|
||||||
description = "User authentication and authorization module";
|
description = "User authentication and authorization module";
|
||||||
|
|
||||||
# TODO remove when working Kanidm lands in nixpkgs and Hydra
|
# TODO remove when Kanidm provisioning without groups assertion lands in NixOS
|
||||||
inputs.nixpkgs-unstable.url = github:alexoundos/nixpkgs/b84444cbd57e934312f6a03d2d783ed0b7f94957;
|
inputs.nixos-unstable.url = github:alexoundos/nixpkgs/679fd3fd318ce2d57d0cabfbd7f4b8857d78ae95;
|
||||||
|
# inputs.nixos-unstable.url = git+file:/data/nixpkgs?ref=kanidm-1.4.0&rev=3feae1d8a2681b57c07d3a212a083988da6b96d2;
|
||||||
|
|
||||||
outputs = { self, nixpkgs-unstable }: {
|
outputs = { self, nixos-unstable }: {
|
||||||
overlays.default = _final: prev: {
|
overlays.default = _final: prev: {
|
||||||
inherit (nixpkgs-unstable.legacyPackages.${prev.system})
|
inherit (nixos-unstable.legacyPackages.${prev.system})
|
||||||
kanidm kanidm-provision oauth2-proxy;
|
kanidm oauth2-proxy;
|
||||||
|
kanidm-provision =
|
||||||
|
nixos-unstable.legacyPackages.${prev.system}.kanidm-provision.overrideAttrs (_: {
|
||||||
|
# version = "git";
|
||||||
|
# src = prev.fetchFromGitHub {
|
||||||
|
# owner = "oddlama";
|
||||||
|
# repo = "kanidm-provision";
|
||||||
|
# rev = "d1f55c9247a6b25d30bbe90a74307aaac6306db4";
|
||||||
|
# hash = "sha256-cZ3QbowmWX7j1eJRiUP52ao28xZzC96OdZukdWDHfFI=";
|
||||||
|
# };
|
||||||
|
});
|
||||||
};
|
};
|
||||||
|
|
||||||
nixosModules.default = { ... }: {
|
nixosModules.default = { ... }: {
|
||||||
|
|
@ -17,11 +28,11 @@
|
||||||
"services/security/oauth2-proxy-nginx.nix"
|
"services/security/oauth2-proxy-nginx.nix"
|
||||||
];
|
];
|
||||||
imports = [
|
imports = [
|
||||||
(nixpkgs-unstable.legacyPackages.x86_64-linux.path
|
(nixos-unstable.legacyPackages.x86_64-linux.path
|
||||||
+ /nixos/modules/services/security/kanidm.nix)
|
+ /nixos/modules/services/security/kanidm.nix)
|
||||||
(nixpkgs-unstable.legacyPackages.x86_64-linux.path
|
(nixos-unstable.legacyPackages.x86_64-linux.path
|
||||||
+ /nixos/modules/services/security/oauth2-proxy.nix)
|
+ /nixos/modules/services/security/oauth2-proxy.nix)
|
||||||
(nixpkgs-unstable.legacyPackages.x86_64-linux.path
|
(nixos-unstable.legacyPackages.x86_64-linux.path
|
||||||
+ /nixos/modules/services/security/oauth2-proxy-nginx.nix)
|
+ /nixos/modules/services/security/oauth2-proxy-nginx.nix)
|
||||||
./module.nix
|
./module.nix
|
||||||
];
|
];
|
||||||
|
|
|
||||||
|
|
@ -53,18 +53,18 @@ in
|
||||||
enableServer = true;
|
enableServer = true;
|
||||||
|
|
||||||
# kanidm with Rust code patches for OAuth and admin passwords provisioning
|
# kanidm with Rust code patches for OAuth and admin passwords provisioning
|
||||||
# package = pkgs.kanidm.withSecretProvisioning;
|
package = pkgs.kanidm.withSecretProvisioning;
|
||||||
# FIXME
|
# FIXME
|
||||||
package = pkgs.kanidm.withSecretProvisioning.overrideAttrs (_: {
|
# package = pkgs.kanidm.withSecretProvisioning.overrideAttrs (_: {
|
||||||
version = "git";
|
# version = "git";
|
||||||
src = pkgs.fetchFromGitHub {
|
# src = pkgs.fetchFromGitHub {
|
||||||
owner = "AleXoundOS";
|
# owner = "AleXoundOS";
|
||||||
repo = "kanidm";
|
# repo = "kanidm";
|
||||||
rev = "a1a55f2e53facbfa504c7d64c44c3b5d0eb796c2";
|
# rev = "a1a55f2e53facbfa504c7d64c44c3b5d0eb796c2";
|
||||||
hash = "sha256-ADh4Zwn6EMt4CiOrvgG0RbmNMeR5i0ilVTxF46t/wm8=";
|
# hash = "sha256-ADh4Zwn6EMt4CiOrvgG0RbmNMeR5i0ilVTxF46t/wm8=";
|
||||||
};
|
# };
|
||||||
doCheck = false;
|
# doCheck = false;
|
||||||
});
|
# });
|
||||||
|
|
||||||
serverSettings = {
|
serverSettings = {
|
||||||
inherit domain;
|
inherit domain;
|
||||||
|
|
@ -93,8 +93,8 @@ in
|
||||||
autoRemove = false;
|
autoRemove = false;
|
||||||
|
|
||||||
# FIXME read randomly generated password from ?
|
# FIXME read randomly generated password from ?
|
||||||
adminPasswordFile = pkgs.writeText "admin-pw" provisionAdminPassword;
|
# adminPasswordFile = pkgs.writeText "admin-pw" provisionAdminPassword;
|
||||||
idmAdminPasswordFile = pkgs.writeText "idm-admin-pw" provisionIdmAdminPassword;
|
# idmAdminPasswordFile = pkgs.writeText "idm-admin-pw" provisionIdmAdminPassword;
|
||||||
};
|
};
|
||||||
enableClient = true;
|
enableClient = true;
|
||||||
clientSettings = {
|
clientSettings = {
|
||||||
|
|
|
||||||
|
|
@ -2,5 +2,6 @@
|
||||||
["selfprivacy", "domain"],
|
["selfprivacy", "domain"],
|
||||||
["selfprivacy", "modules", "roundcube"],
|
["selfprivacy", "modules", "roundcube"],
|
||||||
["selfprivacy", "modules", "auth"],
|
["selfprivacy", "modules", "auth"],
|
||||||
|
["service", "kanidm"],
|
||||||
["mailserver", "fqdn"]
|
["mailserver", "fqdn"]
|
||||||
]
|
]
|
||||||
|
|
|
||||||
|
|
@ -59,38 +59,26 @@ in
|
||||||
description = "Roundcube service slice";
|
description = "Roundcube service slice";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
services.kanidm.serverSettings.provision.systems.oauth2.roundcube =
|
|
||||||
lib.mkIf auth-module.enable {
|
services.kanidm.provision = lib.mkIf auth-module.enable {
|
||||||
displayName = "Roundcube";
|
groups.roundcube_users.present = true;
|
||||||
originUrl = "https://${cfg.subdomain}.${domain}/";
|
systems.oauth2.roundcube =
|
||||||
originLanding = "https://${cfg.subdomain}.${domain}/";
|
{
|
||||||
basicSecretFile = pkgs.writeText "bs-roundcube" "VERYSTRONGSECRETFORROUNDCUBE"; # FIXME
|
displayName = "Roundcube";
|
||||||
preferShortUsername = false;
|
originUrl = "https://${cfg.subdomain}.${domain}/";
|
||||||
allowInsecureClientDisablePkce = true; # FIXME is it required?
|
originLanding = "https://${cfg.subdomain}.${domain}/";
|
||||||
scopeMaps.roundcube_users = [
|
basicSecretFile = pkgs.writeText "bs-roundcube" "VERYSTRONGSECRETFORROUNDCUBE";
|
||||||
"email"
|
# when true, name is passed to a service instead of name@domain
|
||||||
"openid"
|
preferShortUsername = false;
|
||||||
"profile"
|
allowInsecureClientDisablePkce = true; # FIXME is it needed?
|
||||||
# "dovecotprofile"
|
scopeMaps.roundcube_users = [
|
||||||
# "groups"
|
"email"
|
||||||
];
|
# "groups"
|
||||||
};
|
"profile"
|
||||||
services.kanidm.provision.systems.oauth2.roundcube =
|
"openid"
|
||||||
lib.mkIf auth-module.enable {
|
# "dovecotprofile"
|
||||||
displayName = "Roundcube";
|
];
|
||||||
originUrl = "https://${cfg.subdomain}.${domain}/";
|
};
|
||||||
originLanding = "https://${cfg.subdomain}.${domain}/";
|
};
|
||||||
basicSecretFile = pkgs.writeText "bs-roundcube" "VERYSTRONGSECRETFORROUNDCUBE";
|
|
||||||
# when true, name is passed to a service instead of name@domain
|
|
||||||
preferShortUsername = false;
|
|
||||||
allowInsecureClientDisablePkce = true; # FIXME is it needed?
|
|
||||||
scopeMaps.roundcube_users = [
|
|
||||||
"email"
|
|
||||||
# "groups"
|
|
||||||
"profile"
|
|
||||||
"openid"
|
|
||||||
# "dovecotprofile"
|
|
||||||
];
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue