feat(kanidm): Use kanidm-provision to setup active members

This commit is contained in:
Tom Hubrecht 2024-10-18 14:35:52 +02:00
parent e7edf29e11
commit f0b3d4b490
Signed by: thubrecht
SSH key fingerprint: SHA256:r+nK/SIcWlJ0zFZJGHtlAoRwq1Rm+WcKAm5ADYMoQPc
3 changed files with 147 additions and 17 deletions


@ -1,12 +1,20 @@
{ {
config, config,
lib, lib,
meta,
nixpkgs, nixpkgs,
... ...
}: }:
let let
inherit (lib) escapeRegex concatStringsSep; inherit (lib)
attrValues
catAttrs
escapeRegex
concatStringsSep
mapAttrs'
nameValuePair
;
domain = "sso.dgnum.eu"; domain = "sso.dgnum.eu";
port = 8443; port = 8443;
@ -28,6 +36,8 @@ let
"netbird-beta.hubrecht.ovh" "netbird-beta.hubrecht.ovh"
] ]
); );
usernameFor = member: meta.organization.members.${member}.username;
in in
{ {
services.kanidm = { services.kanidm = {
@ -48,6 +58,107 @@ in
tls_chain = "${cert.directory}/fullchain.pem"; tls_chain = "${cert.directory}/fullchain.pem";
tls_key = "${cert.directory}/key.pem"; tls_key = "${cert.directory}/key.pem";
}; };
provision = {
enable = true;
persons = mapAttrs' (
_:
{
email,
name,
username,
...
}:
nameValuePair username {
displayName = name;
mailAddresses = [ email ];
}
) meta.organization.members;
groups =
{
grp_active.members = catAttrs "username" (attrValues meta.organization.members);
}
// (mapAttrs' (
name: members: nameValuePair "grp_${name}" { members = builtins.map usernameFor members; }
) meta.organization.groups);
# INFO: The authentication resources declared here can only be for internal services,
# as regular members cannot be statically known.
systems.oauth2 = {
dgn_grafana = {
displayName = "Grafana [Analysis]";
originLanding = "https://grafana.dgnum.eu";
originUrl = "https://grafana.dgnum.eu/";
preferShortUsername = true;
scopeMaps.grp_active = [
"openid"
"profile"
"email"
];
};
dgn_librenms = {
allowInsecureClientDisablePkce = true;
displayName = "LibreNMS [Network]";
enableLegacyCrypto = true;
originLanding = "https://nms.dgnum.eu";
originUrl = "https://nms.dgnum.eu/";
preferShortUsername = true;
scopeMaps.grp_active = [
"openid"
"profile"
"email"
];
};
dgn_netbird = {
displayName = "Netbird [VPN]";
enableLocalhostRedirects = true;
originLanding = "https://netbird.dgnum.eu";
originUrl = "https://netbird.dgnum.eu/";
preferShortUsername = true;
public = true;
scopeMaps.grp_active = [
"openid"
"profile"
"email"
];
};
dgn_netbox = {
allowInsecureClientDisablePkce = true;
displayName = "Netbox [Inventory]";
enableLegacyCrypto = true;
originLanding = "https://netbox.dgnum.eu";
originUrl = "https://netbox.dgnum.eu/";
preferShortUsername = true;
scopeMaps.grp_active = [
"openid"
"profile"
"email"
];
};
dgn_outline = {
displayName = "Outline [Docs]";
originUrl = "https://docs.dgnum.eu/";
originLanding = "https://docs.dgnum.eu";
preferShortUsername = true;
scopeMaps.grp_active = [
"openid"
"profile"
"email"
];
};
};
};
}; };
users.users.kanidm.extraGroups = [ cert.group ]; users.users.kanidm.extraGroups = [ cert.group ];
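Review bot: `grp_active.members = catAttrs "username" (attrValues meta.organization.members)` enrolls every entry of `meta.organization.members`, and each of the five OAuth2 clients below maps its scopes to `grp_active`, so SSO access to all of them follows from mere presence in that attribute set rather than from any activity status; if a departed member is ever kept there for other purposes, they retain access until the entry itself is deleted. A comment stating that invariant next to the group, `# grp_active is every entry of meta.organization.members: revoking SSO access means removing the member entry.`, would make the offboarding step explicit. `allowInsecureClientDisablePkce = true` and `enableLegacyCrypto = true` on `dgn_librenms` and `dgn_netbox` each deserve a one-line comment naming the client limitation that requires them, so they can be reverted once those clients support PKCE and current signature algorithms. The `services.kanidm` attribute set that this hunk closes starts before it.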


@ -41,23 +41,37 @@ in
options = { options = {
organization = { organization = {
members = mkOption { members = mkOption {
type = attrsOf (submodule { type = attrsOf (
options = { submodule (
name = mkOption { { name, ... }:
type = str; {
description = '' options = {
Name of the member. name = mkOption {
''; type = str;
}; description = ''
Name of the member.
'';
};
email = mkOption { email = mkOption {
type = str; type = str;
description = '' description = ''
Main e-mail address of the member. Main e-mail address of the member.
''; '';
}; };
};
}); username = mkOption {
type = str;
default = name;
description = ''
The username used for authentication.
WARNING: Must be the same as the ens login!
'';
};
};
}
)
);
description = '' description = ''
Members of the DGNum organization. Members of the DGNum organization.
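Review bot: The new `username` option is a bare `str` with nothing enforcing uniqueness across members, yet the kanidm provisioning in this commit keys persons by username (`nameValuePair username { … }`), so two members declaring the same username would silently collapse into a single account instead of failing evaluation; an `assertions` entry checking that `catAttrs "username" (attrValues config.organization.members)` has no duplicates (compare its length against `lib.unique` of it) would catch this at build time. The value is also handed to kanidm unvalidated; if the accepted character set is known, `type = strMatching "<PLACEHOLDER_KANIDM_NAME_REGEX>";` would reject names the server refuses anyway, at evaluation rather than at provisioning. The description's `WARNING: Must be the same as the ens login!` would be more actionable if it said what breaks when they differ. The enclosing `options.organization` definition starts before this hunk and its `description` continues past it.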


@ -8,11 +8,13 @@
catvayor = { catvayor = {
name = "Lubin Bailly"; name = "Lubin Bailly";
email = "catvayor@dgnum.eu"; email = "catvayor@dgnum.eu";
username = "lbailly";
}; };
cst1 = { cst1 = {
name = "Constantin Gierczak--Galle"; name = "Constantin Gierczak--Galle";
email = "cst1@dgnum.eu"; email = "cst1@dgnum.eu";
username = "cgierczakgalle";
}; };
ecoppens = { ecoppens = {
@ -23,11 +25,13 @@
jemagius = { jemagius = {
name = "Jean-Marc Gailis"; name = "Jean-Marc Gailis";
email = "jm@dgnum.eu"; email = "jm@dgnum.eu";
username = "jgaillis";
}; };
luj = { luj = {
name = "Julien Malka"; name = "Julien Malka";
email = "luj@dgnum.eu"; email = "luj@dgnum.eu";
username = "jmalka";
}; };
mdebray = { mdebray = {
@ -38,6 +42,7 @@
raito = { raito = {
name = "Ryan Lahfa"; name = "Ryan Lahfa";
email = "ryan@dgnum.eu"; email = "ryan@dgnum.eu";
username = "rlahfa";
}; };
thubrecht = { thubrecht = {