forked from DGNum/infrastructure
217 lines
5.5 KiB
Nix
217 lines
5.5 KiB
Nix
{
|
|
config,
|
|
lib,
|
|
meta,
|
|
nixpkgs,
|
|
...
|
|
}:
|
|
|
|
let
|
|
inherit (lib)
|
|
attrValues
|
|
catAttrs
|
|
escapeRegex
|
|
concatStringsSep
|
|
mapAttrs'
|
|
nameValuePair
|
|
;
|
|
|
|
domain = "sso.dgnum.eu";
|
|
port = 8443;
|
|
|
|
cert = config.security.acme.certs.${domain};
|
|
|
|
allowedDomains = builtins.map escapeRegex (
|
|
(builtins.map (s: "${s}.dgnum.eu") [
|
|
# DGNum subdomains
|
|
"cloud"
|
|
"git"
|
|
"videos"
|
|
"social"
|
|
"demarches"
|
|
"netbird"
|
|
])
|
|
++ [
|
|
# Extra domains
|
|
"netbird-beta.hubrecht.ovh"
|
|
]
|
|
);
|
|
|
|
usernameFor = member: meta.organization.members.${member}.username;
|
|
in
|
|
{
|
|
services.kanidm = {
|
|
enableServer = true;
|
|
|
|
package = nixpkgs.unstable.kanidm;
|
|
|
|
serverSettings = {
|
|
inherit domain;
|
|
|
|
origin = "https://${domain}";
|
|
|
|
bindaddress = "127.0.0.1:${builtins.toString port}";
|
|
ldapbindaddress = "0.0.0.0:636";
|
|
|
|
trust_x_forward_for = true;
|
|
|
|
tls_chain = "${cert.directory}/fullchain.pem";
|
|
tls_key = "${cert.directory}/key.pem";
|
|
};
|
|
|
|
provision = {
|
|
enable = true;
|
|
|
|
persons = mapAttrs' (
|
|
_:
|
|
{
|
|
email,
|
|
name,
|
|
username,
|
|
...
|
|
}:
|
|
nameValuePair username {
|
|
displayName = name;
|
|
mailAddresses = [ email ];
|
|
}
|
|
) meta.organization.members;
|
|
|
|
groups =
|
|
{
|
|
grp_active.members = catAttrs "username" (attrValues meta.organization.members);
|
|
}
|
|
// (mapAttrs' (
|
|
name: members: nameValuePair "grp_${name}" { members = builtins.map usernameFor members; }
|
|
) meta.organization.groups);
|
|
|
|
# INFO: The authentication resources declared here can only be for internal services,
|
|
# as regular members cannot be statically known.
|
|
systems.oauth2 = {
|
|
dgn_grafana = {
|
|
displayName = "Grafana [Analysis]";
|
|
originLanding = "https://grafana.dgnum.eu";
|
|
originUrl = "https://grafana.dgnum.eu/";
|
|
preferShortUsername = true;
|
|
|
|
scopeMaps.grp_active = [
|
|
"openid"
|
|
"profile"
|
|
"email"
|
|
];
|
|
};
|
|
|
|
dgn_librenms = {
|
|
allowInsecureClientDisablePkce = true;
|
|
displayName = "LibreNMS [Network]";
|
|
enableLegacyCrypto = true;
|
|
originLanding = "https://nms.dgnum.eu";
|
|
originUrl = "https://nms.dgnum.eu/";
|
|
preferShortUsername = true;
|
|
|
|
scopeMaps.grp_active = [
|
|
"openid"
|
|
"profile"
|
|
"email"
|
|
];
|
|
};
|
|
|
|
dgn_netbird = {
|
|
displayName = "Netbird [VPN]";
|
|
enableLocalhostRedirects = true;
|
|
originLanding = "https://netbird.dgnum.eu";
|
|
originUrl = "https://netbird.dgnum.eu/";
|
|
preferShortUsername = true;
|
|
public = true;
|
|
|
|
scopeMaps.grp_active = [
|
|
"openid"
|
|
"profile"
|
|
"email"
|
|
];
|
|
};
|
|
|
|
dgn_netbox = {
|
|
allowInsecureClientDisablePkce = true;
|
|
displayName = "Netbox [Inventory]";
|
|
enableLegacyCrypto = true;
|
|
originLanding = "https://netbox.dgnum.eu";
|
|
originUrl = "https://netbox.dgnum.eu/";
|
|
preferShortUsername = true;
|
|
|
|
scopeMaps.grp_active = [
|
|
"openid"
|
|
"profile"
|
|
"email"
|
|
];
|
|
};
|
|
|
|
dgn_outline = {
|
|
displayName = "Outline [Docs]";
|
|
originUrl = "https://docs.dgnum.eu/";
|
|
originLanding = "https://docs.dgnum.eu";
|
|
preferShortUsername = true;
|
|
|
|
scopeMaps.grp_active = [
|
|
"openid"
|
|
"profile"
|
|
"email"
|
|
];
|
|
};
|
|
};
|
|
};
|
|
};
|
|
|
|
users.users.kanidm.extraGroups = [ cert.group ];
|
|
|
|
dgn-web.internalPorts.kanidm = port;
|
|
|
|
services.nginx = {
|
|
enable = true;
|
|
|
|
virtualHosts.${domain} = {
|
|
enableACME = true;
|
|
forceSSL = true;
|
|
locations."/" = {
|
|
proxyPass = "https://127.0.0.1:${builtins.toString port}";
|
|
|
|
extraConfig = ''
|
|
if ( $request_method !~ ^(GET|POST|HEAD|OPTIONS|PUT|PATCH|DELETE)$ ) {
|
|
return 444;
|
|
}
|
|
|
|
set $origin $http_origin;
|
|
|
|
if ($origin !~ '^https?://(${concatStringsSep "|" allowedDomains})$') {
|
|
set $origin 'https://${domain}';
|
|
}
|
|
|
|
proxy_hide_header Access-Control-Allow-Origin;
|
|
|
|
if ($request_method = 'OPTIONS') {
|
|
add_header 'Access-Control-Allow-Origin' "$origin" always;
|
|
add_header 'Access-Control-Allow-Methods' 'GET, POST, PATCH, PUT, DELETE, OPTIONS' always;
|
|
add_header 'Access-Control-Allow-Headers' 'Content-Type, Accept, Authorization' always;
|
|
add_header 'Access-Control-Allow-Credentials' 'true' always;
|
|
|
|
add_header Access-Control-Max-Age 1728000;
|
|
add_header Content-Type 'text/plain charset=UTF-8';
|
|
add_header Content-Length 0;
|
|
return 204;
|
|
}
|
|
|
|
if ($request_method ~ '(GET|POST|PATCH|PUT|DELETE)') {
|
|
add_header Access-Control-Allow-Origin "$origin" always;
|
|
add_header Access-Control-Allow-Methods 'GET, POST, PATCH, PUT, DELETE, OPTIONS' always;
|
|
add_header Access-Control-Allow-Headers 'Content-Type, Accept, Authorization' always;
|
|
add_header Access-Control-Allow-Credentials true always;
|
|
}
|
|
'';
|
|
};
|
|
};
|
|
};
|
|
|
|
networking.firewall.allowedTCPPorts = [ 636 ];
|
|
networking.firewall.allowedUDPPorts = [ 636 ];
|
|
|
|
dgn-backups.jobs.kanidm.settings.paths = [ "/var/lib/kanidm" ];
|
|
}
|