feat(kanidm): Use kanidm-provision to setup active members

This commit is contained in:
Tom Hubrecht 2024-10-18 14:35:52 +02:00
parent e7edf29e11
commit f0b3d4b490
Signed by: thubrecht
SSH key fingerprint: SHA256:r+nK/SIcWlJ0zFZJGHtlAoRwq1Rm+WcKAm5ADYMoQPc
3 changed files with 147 additions and 17 deletions


@ -1,12 +1,20 @@
{
config,
lib,
meta,
nixpkgs,
...
}:
let
inherit (lib) escapeRegex concatStringsSep;
inherit (lib)
attrValues
catAttrs
escapeRegex
concatStringsSep
mapAttrs'
nameValuePair
;
domain = "sso.dgnum.eu";
port = 8443;
@ -28,6 +36,8 @@ let
"netbird-beta.hubrecht.ovh"
]
);
usernameFor = member: meta.organization.members.${member}.username;
in
{
services.kanidm = {
@ -48,6 +58,107 @@ in
tls_chain = "${cert.directory}/fullchain.pem";
tls_key = "${cert.directory}/key.pem";
};
provision = {
enable = true;
persons = mapAttrs' (
_:
{
email,
name,
username,
...
}:
nameValuePair username {
displayName = name;
mailAddresses = [ email ];
}
) meta.organization.members;
groups =
{
grp_active.members = catAttrs "username" (attrValues meta.organization.members);
}
// (mapAttrs' (
name: members: nameValuePair "grp_${name}" { members = builtins.map usernameFor members; }
) meta.organization.groups);
# INFO: The authentication resources declared here can only be for internal services,
# as regular members cannot be statically known.
systems.oauth2 = {
dgn_grafana = {
displayName = "Grafana [Analysis]";
originLanding = "https://grafana.dgnum.eu";
originUrl = "https://grafana.dgnum.eu/";
preferShortUsername = true;
scopeMaps.grp_active = [
"openid"
"profile"
"email"
];
};
dgn_librenms = {
allowInsecureClientDisablePkce = true;
displayName = "LibreNMS [Network]";
enableLegacyCrypto = true;
originLanding = "https://nms.dgnum.eu";
originUrl = "https://nms.dgnum.eu/";
preferShortUsername = true;
scopeMaps.grp_active = [
"openid"
"profile"
"email"
];
};
dgn_netbird = {
displayName = "Netbird [VPN]";
enableLocalhostRedirects = true;
originLanding = "https://netbird.dgnum.eu";
originUrl = "https://netbird.dgnum.eu/";
preferShortUsername = true;
public = true;
scopeMaps.grp_active = [
"openid"
"profile"
"email"
];
};
dgn_netbox = {
allowInsecureClientDisablePkce = true;
displayName = "Netbox [Inventory]";
enableLegacyCrypto = true;
originLanding = "https://netbox.dgnum.eu";
originUrl = "https://netbox.dgnum.eu/";
preferShortUsername = true;
scopeMaps.grp_active = [
"openid"
"profile"
"email"
];
};
dgn_outline = {
displayName = "Outline [Docs]";
originUrl = "https://docs.dgnum.eu/";
originLanding = "https://docs.dgnum.eu";
preferShortUsername = true;
scopeMaps.grp_active = [
"openid"
"profile"
"email"
];
};
};
};
};
users.users.kanidm.extraGroups = [ cert.group ];
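Review bot: `dgn_librenms` and `dgn_netbox` set `allowInsecureClientDisablePkce = true` and `enableLegacyCrypto = true` with no comment saying which client limitation forces them, so the next reader cannot tell whether the weakening is still needed. Each such client should carry a one-line justification, for example `# PKCE disabled / legacy crypto enabled: required by this client's OIDC implementation — re-check after each upgrade`, with the actual reason filled in; the same applies to `public = true` on `dgn_netbird`, which is presumably a native-client requirement. Separately, `grp_active` is built from every entry of `meta.organization.members` and is the only group mapped in all five `scopeMaps`, so access is revoked solely by removing the member from meta; that is worth stating next to the `groups` definition. The `services.kanidm` block this hunk extends is opened in the previous hunk and continues past this one.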


@ -41,7 +41,10 @@ in
options = {
organization = {
members = mkOption {
type = attrsOf (submodule {
type = attrsOf (
submodule (
{ name, ... }:
{
options = {
name = mkOption {
type = str;
@ -56,8 +59,19 @@ in
Main e-mail address of the member.
'';
};
username = mkOption {
type = str;
default = name;
description = ''
The username used for authentication.
WARNING: Must be the same as the ens login!
'';
};
});
};
}
)
);
description = ''
Members of the DGNum organization.
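Review bot: `default = name;` on the new `username` option silently makes the attribute key the authentication username whenever a member omits it, which is exactly the divergence the description's WARNING is about, since the keys in the member list (e.g. `catvayor`) differ from the explicit usernames added alongside this change (`lbailly`). Consider dropping the default so every member has to state the login explicitly, or keep it and add `# NOTE: falls back to the attribute key, which is not necessarily the ens login — set explicitly` above it. The description could also mention that this value is what the kanidm persons and groups are keyed on. The enclosing `members = mkOption` block starts outside the hunk.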


@ -8,11 +8,13 @@
catvayor = {
name = "Lubin Bailly";
email = "catvayor@dgnum.eu";
username = "lbailly";
};
cst1 = {
name = "Constantin Gierczak--Galle";
email = "cst1@dgnum.eu";
username = "cgierczakgalle";
};
ecoppens = {
@ -23,11 +25,13 @@
jemagius = {
name = "Jean-Marc Gailis";
email = "jm@dgnum.eu";
username = "jgaillis";
};
luj = {
name = "Julien Malka";
email = "luj@dgnum.eu";
username = "jmalka";
};
mdebray = {
@ -38,6 +42,7 @@
raito = {
name = "Ryan Lahfa";
email = "ryan@dgnum.eu";
username = "rlahfa";
};
thubrecht = {