infrastructure/machines/nixos/compute01/satosa/default.nix
Tom Hubrecht 88d9b8c3e3
chore: Add license and copyright information
Signed-off-by: Tom Hubrecht <tom.hubrecht@dgnum.eu>
Acked-by: Ryan Lahfa <ryan.lahfa@dgnum.eu>
Acked-by: Maurice Debray <maurice.debray@dgnum.eu>
Acked-by: Lubin Bailly <lubin.bailly@dgnum.eu>
Acked-by: Jean-Marc Gailis <jean-marc.gailis@dgnum.eu> as the legal authority, at the time of writing, in DGNum.
Acked-by: Elias Coppens <elias.coppens@dgnum.eu> as a member, at the time of writing, of the DGNum executive counsel.
2024-12-13 12:41:38 +01:00


# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ config, ... }:
let
  # Public name of the proxy IdP. It is reused below for the SAML entity id
  # and for the OIDC redirect URI, so changing it changes what both the SPs
  # and the upstream OIDC provider see.
  host = "saml-idp.dgnum.eu";
  # Local listen port; only reachable through the dgn-web proxy entry below.
  port = 8090;

  # pysaml2 settings for the SAML2 IdP frontend (the side facing the SPs).
  idpConfig = {
    organization = {
      display_name = "Délégation Générale Numérique";
      name = "DGNum";
      url = "https://dgnum.eu";
    };
    contact_person = [
      {
        contact_type = "technical";
        email_address = "mailto:tom.hubrecht@dgnum.eu";
        given_name = "Tom Hubrecht";
      }
    ];
    # Signing key pair of the IdP. Nothing in this file provisions it; it is
    # expected on disk and should only be readable by the service user.
    key_file = "/var/lib/satosa/ssl/key.pem";
    cert_file = "/var/lib/satosa/ssl/cert.pem";
    # No SP metadata is listed in this file. NOTE(review): unless ./module.nix
    # or the runtime adds some, no SP is trusted by this IdP — confirm where
    # the SP metadata comes from.
    metadata.local = [ ];
    entityid = "https://${host}/Saml2IDP";
    # Clock skew, in seconds, tolerated when validating SAML timestamps.
    accepted_time_diff = 60;
    service.idp = {
      # Left empty here; the frontend-level `endpoints` above are presumably
      # what SATOSA uses to fill this in — confirm against the SATOSA docs.
      endpoints.single_sign_on_service = [ ];
      name = "DGNum proxy IdP";
      ui_info.display_name = [
        {
          lang = "fr";
          text = "Service de connexion DGNum";
        }
      ];
      # Persistent first, transient as fallback.
      name_id_format = [
        "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
        "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
      ];
      # Attribute release policy. Only `default` is defined, so it applies to
      # every SP alike.
      policy.default = {
        # No filter: every attribute the backend returns is released to every
        # SP. Narrow this per SP if some attributes should not reach all of them.
        attribute_restrictions = null;
        # A requested attribute that is missing does not abort the login.
        fail_on_missing_requested = false;
        # Validity window of the issued assertions.
        lifetime.minutes = 15;
        name_form = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri";
        # Assertions are not encrypted; their confidentiality in transit
        # therefore rests on TLS at the SP endpoint.
        encrypt_assertion = false;
        encrypted_advice_attributes = false;
      };
    };
  };
in
{
  imports = [ ./module.nix ];

  services.satosa = {
    enable = true;
    inherit host port;
    # Runtime secrets (e.g. the OIDC client secret referenced below) come from
    # an age-encrypted secret file, not from the world-readable Nix store.
    envFile = config.age.secrets."satosa-env_file".path;

    frontendModules.saml2IDP = {
      module = "satosa.frontends.saml2.SAMLFrontend";
      name = "Saml2IDP";
      config = {
        # Both SAML SSO bindings are offered, at paths relative to the base URL.
        endpoints.single_sign_on_service = {
          "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" = "sso/post";
          "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" = "sso/redirect";
        };
        # The entity id URL itself presumably serves the IdP metadata — confirm.
        entityid_endpoint = true;
        enable_metadata_reload = false;
        idp_config = idpConfig;
      };
    };

    # Upstream identity source: the kanidm OIDC provider. The `config` attrset
    # follows the OpenIDConnectBackend schema (provider_metadata / client).
    backendModules.kanidm = {
      module = "satosa.backends.openid_connect.OpenIDConnectBackend";
      name = "kanidm";
      config = {
        provider_metadata.issuer = "https://sso.dgnum.eu/oauth2/openid/satosa_dgn/";
        client = {
          # Authorization-code flow with a minimal scope set.
          auth_req_params = {
            response_type = "code";
            scope = [
              "openid"
              "profile"
              "email"
            ];
          };
          client_metadata = {
            client_id = "satosa_dgn";
            # Placeholder, presumably substituted from envFile by ./module.nix
            # (confirm); the literal secret never enters the Nix store.
            client_secret = "ENV! SATOSA_FRONTEND_KANIDM_CLIENT_SECRET";
            redirect_uris = [ "https://${host}/kanidm" ];
          };
        };
      };
    };
  };

  # Expose the service through the dgn-web reverse proxy under `host`.
  dgn-web.simpleProxies.satosa = {
    inherit host port;
  };

  age-secrets.autoMatch = [ "satosa" ];
}