From f0b3d4b490b3d1b66b40258be5a1fc6304994cc6 Mon Sep 17 00:00:00 2001
From: Tom Hubrecht
Date: Fri, 18 Oct 2024 14:35:52 +0200
Subject: [PATCH] feat(kanidm): Use kanidm-provision to setup active members

---
 machines/compute01/kanidm/default.nix | 113 +++++++++++++++++++++++++-
 meta/options.nix                      |  46 +++++++----
 meta/organization.nix                 |   5 ++
 3 files changed, 147 insertions(+), 17 deletions(-)

diff --git a/machines/compute01/kanidm/default.nix b/machines/compute01/kanidm/default.nix
index ad2ab6b..ad8c27b 100644
--- a/machines/compute01/kanidm/default.nix
+++ b/machines/compute01/kanidm/default.nix
@@ -1,12 +1,20 @@
 {
   config,
   lib,
+  meta,
   nixpkgs,
   ...
 }:
 let
-  inherit (lib) escapeRegex concatStringsSep;
+  inherit (lib)
+    attrValues
+    catAttrs
+    escapeRegex
+    concatStringsSep
+    mapAttrs'
+    nameValuePair
+    ;

   domain = "sso.dgnum.eu";
   port = 8443;
@@ -28,6 +36,8 @@ let
       "netbird-beta.hubrecht.ovh"
     ]
   );
+
+  usernameFor = member: meta.organization.members.${member}.username;
 in
 {
   services.kanidm = {
@@ -48,6 +58,107 @@ in
       tls_chain = "${cert.directory}/fullchain.pem";
       tls_key = "${cert.directory}/key.pem";
     };
+
+    provision = {
+      enable = true;
+
+      persons = mapAttrs' (
+        _:
+        {
+          email,
+          name,
+          username,
+          ...
+        }:
+        nameValuePair username {
+          displayName = name;
+          mailAddresses = [ email ];
+        }
+      ) meta.organization.members;
+
+      groups =
+        {
+          grp_active.members = catAttrs "username" (attrValues meta.organization.members);
+        }
+        // (mapAttrs' (
+          name: members: nameValuePair "grp_${name}" { members = builtins.map usernameFor members; }
+        ) meta.organization.groups);
+
+      # INFO: The authentication resources declared here can only be for internal services,
+      # as regular members cannot be statically known.
+      systems.oauth2 = {
+        dgn_grafana = {
+          displayName = "Grafana [Analysis]";
+          originLanding = "https://grafana.dgnum.eu";
+          originUrl = "https://grafana.dgnum.eu/";
+          preferShortUsername = true;
+
+          scopeMaps.grp_active = [
+            "openid"
+            "profile"
+            "email"
+          ];
+        };
+
+        dgn_librenms = {
+          allowInsecureClientDisablePkce = true;
+          displayName = "LibreNMS [Network]";
+          enableLegacyCrypto = true;
+          originLanding = "https://nms.dgnum.eu";
+          originUrl = "https://nms.dgnum.eu/";
+          preferShortUsername = true;
+
+          scopeMaps.grp_active = [
+            "openid"
+            "profile"
+            "email"
+          ];
+        };
+
+        dgn_netbird = {
+          displayName = "Netbird [VPN]";
+          enableLocalhostRedirects = true;
+          originLanding = "https://netbird.dgnum.eu";
+          originUrl = "https://netbird.dgnum.eu/";
+          preferShortUsername = true;
+          public = true;
+
+          scopeMaps.grp_active = [
+            "openid"
+            "profile"
+            "email"
+          ];
+        };
+
+        dgn_netbox = {
+          allowInsecureClientDisablePkce = true;
+          displayName = "Netbox [Inventory]";
+          enableLegacyCrypto = true;
+          originLanding = "https://netbox.dgnum.eu";
+          originUrl = "https://netbox.dgnum.eu/";
+          preferShortUsername = true;
+
+          scopeMaps.grp_active = [
+            "openid"
+            "profile"
+            "email"
+          ];
+        };
+
+        dgn_outline = {
+          displayName = "Outline [Docs]";
+          originUrl = "https://docs.dgnum.eu/";
+          originLanding = "https://docs.dgnum.eu";
+          preferShortUsername = true;
+
+          scopeMaps.grp_active = [
+            "openid"
+            "profile"
+            "email"
+          ];
+        };
+      };
+    };
   };

   users.users.kanidm.extraGroups = [ cert.group ];
diff --git a/meta/options.nix b/meta/options.nix
index e8f4e6a..538ebf9 100644
--- a/meta/options.nix
+++ b/meta/options.nix
@@ -41,23 +41,37 @@ in
   options = {
     organization = {
       members = mkOption {
-        type = attrsOf (submodule {
-          options = {
-            name = mkOption {
-              type = str;
-              description = ''
-                Name of the member.
-              '';
-            };
+        type = attrsOf (
+          submodule (
+            { name, ... }:
+            {
+              options = {
+                name = mkOption {
+                  type = str;
+                  description = ''
+                    Name of the member.
+                  '';
+                };

-            email = mkOption {
-              type = str;
-              description = ''
-                Main e-mail address of the member.
-              '';
-            };
-          };
-        });
+                email = mkOption {
+                  type = str;
+                  description = ''
+                    Main e-mail address of the member.
+                  '';
+                };
+
+                username = mkOption {
+                  type = str;
+                  default = name;
+                  description = ''
+                    The username used for authentication.
+                    WARNING: Must be the same as the ens login!
+                  '';
+                };
+              };
+            }
+          )
+        );

         description = ''
           Members of the DGNum organization.
diff --git a/meta/organization.nix b/meta/organization.nix
index 3fe4d67..1178810 100644
--- a/meta/organization.nix
+++ b/meta/organization.nix
@@ -8,11 +8,13 @@
   catvayor = {
     name = "Lubin Bailly";
     email = "catvayor@dgnum.eu";
+    username = "lbailly";
   };

   cst1 = {
     name = "Constantin Gierczak--Galle";
     email = "cst1@dgnum.eu";
+    username = "cgierczakgalle";
   };

   ecoppens = {
@@ -23,11 +25,13 @@
   jemagius = {
     name = "Jean-Marc Gailis";
     email = "jm@dgnum.eu";
+    username = "jgaillis";
   };

   luj = {
     name = "Julien Malka";
     email = "luj@dgnum.eu";
+    username = "jmalka";
   };

   mdebray = {
@@ -38,6 +42,7 @@
   raito = {
     name = "Ryan Lahfa";
     email = "ryan@dgnum.eu";
+    username = "rlahfa";
   };

   thubrecht = {