mirror of
https://git.selfprivacy.org/SelfPrivacy/selfprivacy-nixos-config.git
synced 2024-11-27 05:11:30 +00:00
kanidm 1.4.0
This commit is contained in:
parent
8f82a4c574
commit
8ec86f35a1
|
@ -3,5 +3,6 @@
|
|||
["security", "acme", "certs"],
|
||||
["selfprivacy", "domain"],
|
||||
["selfprivacy", "modules"],
|
||||
["services"]
|
||||
["services"],
|
||||
["systemd", "services", "kanidm"]
|
||||
]
|
||||
|
|
|
@ -1,13 +1,24 @@
|
|||
{
|
||||
description = "User authentication and authorization module";
|
||||
|
||||
# TODO remove when working Kanidm lands in nixpkgs and Hydra
|
||||
inputs.nixpkgs-unstable.url = github:alexoundos/nixpkgs/b84444cbd57e934312f6a03d2d783ed0b7f94957;
|
||||
# TODO remove when Kanidm provisioning without groups assertion lands in NixOS
|
||||
inputs.nixos-unstable.url = github:alexoundos/nixpkgs/679fd3fd318ce2d57d0cabfbd7f4b8857d78ae95;
|
||||
# inputs.nixos-unstable.url = git+file:/data/nixpkgs?ref=kanidm-1.4.0&rev=3feae1d8a2681b57c07d3a212a083988da6b96d2;
|
||||
|
||||
outputs = { self, nixpkgs-unstable }: {
|
||||
outputs = { self, nixos-unstable }: {
|
||||
overlays.default = _final: prev: {
|
||||
inherit (nixpkgs-unstable.legacyPackages.${prev.system})
|
||||
kanidm kanidm-provision oauth2-proxy;
|
||||
inherit (nixos-unstable.legacyPackages.${prev.system})
|
||||
kanidm oauth2-proxy;
|
||||
kanidm-provision =
|
||||
nixos-unstable.legacyPackages.${prev.system}.kanidm-provision.overrideAttrs (_: {
|
||||
# version = "git";
|
||||
# src = prev.fetchFromGitHub {
|
||||
# owner = "oddlama";
|
||||
# repo = "kanidm-provision";
|
||||
# rev = "d1f55c9247a6b25d30bbe90a74307aaac6306db4";
|
||||
# hash = "sha256-cZ3QbowmWX7j1eJRiUP52ao28xZzC96OdZukdWDHfFI=";
|
||||
# };
|
||||
});
|
||||
};
|
||||
|
||||
nixosModules.default = { ... }: {
|
||||
|
@ -17,11 +28,11 @@
|
|||
"services/security/oauth2-proxy-nginx.nix"
|
||||
];
|
||||
imports = [
|
||||
(nixpkgs-unstable.legacyPackages.x86_64-linux.path
|
||||
(nixos-unstable.legacyPackages.x86_64-linux.path
|
||||
+ /nixos/modules/services/security/kanidm.nix)
|
||||
(nixpkgs-unstable.legacyPackages.x86_64-linux.path
|
||||
(nixos-unstable.legacyPackages.x86_64-linux.path
|
||||
+ /nixos/modules/services/security/oauth2-proxy.nix)
|
||||
(nixpkgs-unstable.legacyPackages.x86_64-linux.path
|
||||
(nixos-unstable.legacyPackages.x86_64-linux.path
|
||||
+ /nixos/modules/services/security/oauth2-proxy-nginx.nix)
|
||||
./module.nix
|
||||
];
|
||||
|
|
|
@ -53,18 +53,18 @@ in
|
|||
enableServer = true;
|
||||
|
||||
# kanidm with Rust code patches for OAuth and admin passwords provisioning
|
||||
# package = pkgs.kanidm.withSecretProvisioning;
|
||||
package = pkgs.kanidm.withSecretProvisioning;
|
||||
# FIXME
|
||||
package = pkgs.kanidm.withSecretProvisioning.overrideAttrs (_: {
|
||||
version = "git";
|
||||
src = pkgs.fetchFromGitHub {
|
||||
owner = "AleXoundOS";
|
||||
repo = "kanidm";
|
||||
rev = "a1a55f2e53facbfa504c7d64c44c3b5d0eb796c2";
|
||||
hash = "sha256-ADh4Zwn6EMt4CiOrvgG0RbmNMeR5i0ilVTxF46t/wm8=";
|
||||
};
|
||||
doCheck = false;
|
||||
});
|
||||
# package = pkgs.kanidm.withSecretProvisioning.overrideAttrs (_: {
|
||||
# version = "git";
|
||||
# src = pkgs.fetchFromGitHub {
|
||||
# owner = "AleXoundOS";
|
||||
# repo = "kanidm";
|
||||
# rev = "a1a55f2e53facbfa504c7d64c44c3b5d0eb796c2";
|
||||
# hash = "sha256-ADh4Zwn6EMt4CiOrvgG0RbmNMeR5i0ilVTxF46t/wm8=";
|
||||
# };
|
||||
# doCheck = false;
|
||||
# });
|
||||
|
||||
serverSettings = {
|
||||
inherit domain;
|
||||
|
@ -93,8 +93,8 @@ in
|
|||
autoRemove = false;
|
||||
|
||||
# FIXME read randomly generated password from ?
|
||||
adminPasswordFile = pkgs.writeText "admin-pw" provisionAdminPassword;
|
||||
idmAdminPasswordFile = pkgs.writeText "idm-admin-pw" provisionIdmAdminPassword;
|
||||
# adminPasswordFile = pkgs.writeText "admin-pw" provisionAdminPassword;
|
||||
# idmAdminPasswordFile = pkgs.writeText "idm-admin-pw" provisionIdmAdminPassword;
|
||||
};
|
||||
enableClient = true;
|
||||
clientSettings = {
|
||||
|
|
|
@ -2,5 +2,6 @@
|
|||
["selfprivacy", "domain"],
|
||||
["selfprivacy", "modules", "roundcube"],
|
||||
["selfprivacy", "modules", "auth"],
|
||||
["service", "kanidm"],
|
||||
["mailserver", "fqdn"]
|
||||
]
|
||||
|
|
|
@ -59,38 +59,26 @@ in
|
|||
description = "Roundcube service slice";
|
||||
};
|
||||
};
|
||||
services.kanidm.serverSettings.provision.systems.oauth2.roundcube =
|
||||
lib.mkIf auth-module.enable {
|
||||
displayName = "Roundcube";
|
||||
originUrl = "https://${cfg.subdomain}.${domain}/";
|
||||
originLanding = "https://${cfg.subdomain}.${domain}/";
|
||||
basicSecretFile = pkgs.writeText "bs-roundcube" "VERYSTRONGSECRETFORROUNDCUBE"; # FIXME
|
||||
preferShortUsername = false;
|
||||
allowInsecureClientDisablePkce = true; # FIXME is it required?
|
||||
scopeMaps.roundcube_users = [
|
||||
"email"
|
||||
"openid"
|
||||
"profile"
|
||||
# "dovecotprofile"
|
||||
# "groups"
|
||||
];
|
||||
};
|
||||
services.kanidm.provision.systems.oauth2.roundcube =
|
||||
lib.mkIf auth-module.enable {
|
||||
displayName = "Roundcube";
|
||||
originUrl = "https://${cfg.subdomain}.${domain}/";
|
||||
originLanding = "https://${cfg.subdomain}.${domain}/";
|
||||
basicSecretFile = pkgs.writeText "bs-roundcube" "VERYSTRONGSECRETFORROUNDCUBE";
|
||||
# when true, name is passed to a service instead of name@domain
|
||||
preferShortUsername = false;
|
||||
allowInsecureClientDisablePkce = true; # FIXME is it needed?
|
||||
scopeMaps.roundcube_users = [
|
||||
"email"
|
||||
# "groups"
|
||||
"profile"
|
||||
"openid"
|
||||
# "dovecotprofile"
|
||||
];
|
||||
};
|
||||
|
||||
services.kanidm.provision = lib.mkIf auth-module.enable {
|
||||
groups.roundcube_users.present = true;
|
||||
systems.oauth2.roundcube =
|
||||
{
|
||||
displayName = "Roundcube";
|
||||
originUrl = "https://${cfg.subdomain}.${domain}/";
|
||||
originLanding = "https://${cfg.subdomain}.${domain}/";
|
||||
basicSecretFile = pkgs.writeText "bs-roundcube" "VERYSTRONGSECRETFORROUNDCUBE";
|
||||
# when true, name is passed to a service instead of name@domain
|
||||
preferShortUsername = false;
|
||||
allowInsecureClientDisablePkce = true; # FIXME is it needed?
|
||||
scopeMaps.roundcube_users = [
|
||||
"email"
|
||||
# "groups"
|
||||
"profile"
|
||||
"openid"
|
||||
# "dovecotprofile"
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue