feat(kanidm): Use kanidm-provision to setup active members #158

Merged
thubrecht merged 1 commit from kanidm-declarative into main 2024-10-18 16:12:01 +02:00
3 changed files with 147 additions and 17 deletions


@ -1,12 +1,20 @@
{ {
config, config,
lib, lib,
meta,
nixpkgs, nixpkgs,
... ...
}: }:
let let
inherit (lib) escapeRegex concatStringsSep; inherit (lib)
attrValues
catAttrs
escapeRegex
concatStringsSep
mapAttrs'
nameValuePair
;
domain = "sso.dgnum.eu"; domain = "sso.dgnum.eu";
port = 8443; port = 8443;
@ -28,6 +36,8 @@ let
"netbird-beta.hubrecht.ovh" "netbird-beta.hubrecht.ovh"
] ]
); );
usernameFor = member: meta.organization.members.${member}.username;
in in
{ {
services.kanidm = { services.kanidm = {
@ -48,6 +58,107 @@ in
tls_chain = "${cert.directory}/fullchain.pem"; tls_chain = "${cert.directory}/fullchain.pem";
tls_key = "${cert.directory}/key.pem"; tls_key = "${cert.directory}/key.pem";
}; };
provision = {
enable = true;
persons = mapAttrs' (
_:
{
email,
name,
username,
...
}:
nameValuePair username {
displayName = name;
mailAddresses = [ email ];
}
) meta.organization.members;
groups =
{
grp_active.members = catAttrs "username" (attrValues meta.organization.members);
}
// (mapAttrs' (
name: members: nameValuePair "grp_${name}" { members = builtins.map usernameFor members; }
) meta.organization.groups);
# INFO: The authentication resources declared here can only be for internal services,
# as regular members cannot be statically known.
systems.oauth2 = {
dgn_grafana = {
displayName = "Grafana [Analysis]";
originLanding = "https://grafana.dgnum.eu";
originUrl = "https://grafana.dgnum.eu/";
preferShortUsername = true;
scopeMaps.grp_active = [
"openid"
"profile"
"email"
];
};
dgn_librenms = {
allowInsecureClientDisablePkce = true;
displayName = "LibreNMS [Network]";
enableLegacyCrypto = true;
originLanding = "https://nms.dgnum.eu";
originUrl = "https://nms.dgnum.eu/";
preferShortUsername = true;
scopeMaps.grp_active = [
"openid"
"profile"
"email"
];
};
dgn_netbird = {
displayName = "Netbird [VPN]";
enableLocalhostRedirects = true;
originLanding = "https://netbird.dgnum.eu";
originUrl = "https://netbird.dgnum.eu/";
preferShortUsername = true;
public = true;
scopeMaps.grp_active = [
"openid"
"profile"
"email"
];
};
dgn_netbox = {
allowInsecureClientDisablePkce = true;
displayName = "Netbox [Inventory]";
enableLegacyCrypto = true;
originLanding = "https://netbox.dgnum.eu";
originUrl = "https://netbox.dgnum.eu/";
preferShortUsername = true;
scopeMaps.grp_active = [
"openid"
"profile"
"email"
];
};
dgn_outline = {
displayName = "Outline [Docs]";
originUrl = "https://docs.dgnum.eu/";
originLanding = "https://docs.dgnum.eu";
preferShortUsername = true;
scopeMaps.grp_active = [
"openid"
"profile"
"email"
];
};
};
};
}; };
users.users.kanidm.extraGroups = [ cert.group ]; users.users.kanidm.extraGroups = [ cert.group ];
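Review bot: `allowInsecureClientDisablePkce = true` and `enableLegacyCrypto = true` on dgn_librenms and dgn_netbox switch off PKCE and fall back to legacy token crypto for two confidential clients, and nothing in the hunk records which client limitation forces it (presumably those applications' OAuth libraries, but that is not stated). A one-line comment on each, e.g. `# LibreNMS's OAuth client cannot do PKCE/ES256 yet — re-check on each upgrade`, keeps the weakening from outliving its reason, and if either application does support PKCE the flag should simply be dropped. The same three-scope list is repeated for all five clients; a single `activeScopes = [ "openid" "profile" "email" ];` in the `let` block, used as `scopeMaps.grp_active = activeScopes;`, makes a later scope change a one-place edit. The `let`/`in` wrapper and the head of `services.kanidm` start outside this hunk.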


@ -41,7 +41,10 @@ in
options = { options = {
organization = { organization = {
members = mkOption { members = mkOption {
type = attrsOf (submodule { type = attrsOf (
submodule (
{ name, ... }:
{
options = { options = {
name = mkOption { name = mkOption {
type = str; type = str;
@ -56,8 +59,19 @@ in
Main e-mail address of the member. Main e-mail address of the member.
''; '';
}; };
username = mkOption {
type = str;
default = name;
description = ''
The username used for authentication.
WARNING: Must be the same as the ens login!
'';
}; };
}); };
}
)
);
description = '' description = ''
Members of the DGNum organization. Members of the DGNum organization.
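Review bot: The new `username` option defaults to the member's attribute name while its own description warns it must equal the ENS login, so for a member whose handle is not their ENS login, forgetting the field silently provisions a kanidm account under the handle instead of failing at evaluation. Either make the option required (keep `type = str;` and drop `default = name;`) or say in the description that the default is only correct when the handle already is the ENS login. Since this string becomes the kanidm account name and the key for grp_active membership, a format check would also catch typos before they create an orphan account, e.g. `type = strMatching "[a-z][a-z0-9-]*";` — adjust the pattern to whatever ENS logins actually allow, which is not visible here. The `members` submodule is cut at both ends of these hunks, so the rest of the option block is not visible.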


@ -8,11 +8,13 @@
catvayor = { catvayor = {
name = "Lubin Bailly"; name = "Lubin Bailly";
email = "catvayor@dgnum.eu"; email = "catvayor@dgnum.eu";
username = "lbailly";
}; };
cst1 = { cst1 = {
name = "Constantin Gierczak--Galle"; name = "Constantin Gierczak--Galle";
email = "cst1@dgnum.eu"; email = "cst1@dgnum.eu";
username = "cgierczakgalle";
}; };
ecoppens = { ecoppens = {
@ -23,11 +25,13 @@
jemagius = { jemagius = {
name = "Jean-Marc Gailis"; name = "Jean-Marc Gailis";
email = "jm@dgnum.eu"; email = "jm@dgnum.eu";
username = "jgaillis";
Review

rather:
username = "jgailis";

plutôt: ` username = "jgailis"; `
}; };
luj = { luj = {
name = "Julien Malka"; name = "Julien Malka";
email = "luj@dgnum.eu"; email = "luj@dgnum.eu";
username = "jmalka";
}; };
mdebray = { mdebray = {
@ -38,6 +42,7 @@
raito = { raito = {
name = "Ryan Lahfa"; name = "Ryan Lahfa";
email = "ryan@dgnum.eu"; email = "ryan@dgnum.eu";
username = "rlahfa";
}; };
thubrecht = { thubrecht = {
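Review bot: The usernames added here are what kanidm will provision and grant grp_active access under, and nothing visible checks them against the ENS directory, so a mistyped value produces a working but orphaned account rather than an error; a second pair of eyes on each value before merge is the only safeguard at present. Members whose bodies fall outside these hunks (ecoppens, mdebray) may have received no `username` and would then inherit their attribute name through the option default; if that is deliberate because those handles already equal the ENS login, a comment such as `# handle == ENS login, no username override needed` would make the omission visibly intentional. The attribute set starts before the first hunk and ends after the last.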