forked from DGNum/infrastructure
feat(kanidm): Use kanidm-provision to setup active members
This commit is contained in:
parent
e7edf29e11
commit
f0b3d4b490
3 changed files with 147 additions and 17 deletions
|
@ -1,12 +1,20 @@
|
|||
{
|
||||
config,
|
||||
lib,
|
||||
meta,
|
||||
nixpkgs,
|
||||
...
|
||||
}:
|
||||
|
||||
let
|
||||
inherit (lib) escapeRegex concatStringsSep;
|
||||
inherit (lib)
|
||||
attrValues
|
||||
catAttrs
|
||||
escapeRegex
|
||||
concatStringsSep
|
||||
mapAttrs'
|
||||
nameValuePair
|
||||
;
|
||||
|
||||
domain = "sso.dgnum.eu";
|
||||
port = 8443;
|
||||
|
@ -28,6 +36,8 @@ let
|
|||
"netbird-beta.hubrecht.ovh"
|
||||
]
|
||||
);
|
||||
|
||||
usernameFor = member: meta.organization.members.${member}.username;
|
||||
in
|
||||
{
|
||||
services.kanidm = {
|
||||
|
@ -48,6 +58,107 @@ in
|
|||
tls_chain = "${cert.directory}/fullchain.pem";
|
||||
tls_key = "${cert.directory}/key.pem";
|
||||
};
|
||||
|
||||
provision = {
|
||||
enable = true;
|
||||
|
||||
persons = mapAttrs' (
|
||||
_:
|
||||
{
|
||||
email,
|
||||
name,
|
||||
username,
|
||||
...
|
||||
}:
|
||||
nameValuePair username {
|
||||
displayName = name;
|
||||
mailAddresses = [ email ];
|
||||
}
|
||||
) meta.organization.members;
|
||||
|
||||
groups =
|
||||
{
|
||||
grp_active.members = catAttrs "username" (attrValues meta.organization.members);
|
||||
}
|
||||
// (mapAttrs' (
|
||||
name: members: nameValuePair "grp_${name}" { members = builtins.map usernameFor members; }
|
||||
) meta.organization.groups);
|
||||
|
||||
# INFO: The authentication resources declared here can only be for internal services,
|
||||
# as regular members cannot be statically known.
|
||||
systems.oauth2 = {
|
||||
dgn_grafana = {
|
||||
displayName = "Grafana [Analysis]";
|
||||
originLanding = "https://grafana.dgnum.eu";
|
||||
originUrl = "https://grafana.dgnum.eu/";
|
||||
preferShortUsername = true;
|
||||
|
||||
scopeMaps.grp_active = [
|
||||
"openid"
|
||||
"profile"
|
||||
"email"
|
||||
];
|
||||
};
|
||||
|
||||
dgn_librenms = {
|
||||
allowInsecureClientDisablePkce = true;
|
||||
displayName = "LibreNMS [Network]";
|
||||
enableLegacyCrypto = true;
|
||||
originLanding = "https://nms.dgnum.eu";
|
||||
originUrl = "https://nms.dgnum.eu/";
|
||||
preferShortUsername = true;
|
||||
|
||||
scopeMaps.grp_active = [
|
||||
"openid"
|
||||
"profile"
|
||||
"email"
|
||||
];
|
||||
};
|
||||
|
||||
dgn_netbird = {
|
||||
displayName = "Netbird [VPN]";
|
||||
enableLocalhostRedirects = true;
|
||||
originLanding = "https://netbird.dgnum.eu";
|
||||
originUrl = "https://netbird.dgnum.eu/";
|
||||
preferShortUsername = true;
|
||||
public = true;
|
||||
|
||||
scopeMaps.grp_active = [
|
||||
"openid"
|
||||
"profile"
|
||||
"email"
|
||||
];
|
||||
};
|
||||
|
||||
dgn_netbox = {
|
||||
allowInsecureClientDisablePkce = true;
|
||||
displayName = "Netbox [Inventory]";
|
||||
enableLegacyCrypto = true;
|
||||
originLanding = "https://netbox.dgnum.eu";
|
||||
originUrl = "https://netbox.dgnum.eu/";
|
||||
preferShortUsername = true;
|
||||
|
||||
scopeMaps.grp_active = [
|
||||
"openid"
|
||||
"profile"
|
||||
"email"
|
||||
];
|
||||
};
|
||||
|
||||
dgn_outline = {
|
||||
displayName = "Outline [Docs]";
|
||||
originUrl = "https://docs.dgnum.eu/";
|
||||
originLanding = "https://docs.dgnum.eu";
|
||||
preferShortUsername = true;
|
||||
|
||||
scopeMaps.grp_active = [
|
||||
"openid"
|
||||
"profile"
|
||||
"email"
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
users.users.kanidm.extraGroups = [ cert.group ];
|
||||
|
|
|
@ -41,23 +41,37 @@ in
|
|||
options = {
|
||||
organization = {
|
||||
members = mkOption {
|
||||
type = attrsOf (submodule {
|
||||
options = {
|
||||
name = mkOption {
|
||||
type = str;
|
||||
description = ''
|
||||
Name of the member.
|
||||
'';
|
||||
};
|
||||
type = attrsOf (
|
||||
submodule (
|
||||
{ name, ... }:
|
||||
{
|
||||
options = {
|
||||
name = mkOption {
|
||||
type = str;
|
||||
description = ''
|
||||
Name of the member.
|
||||
'';
|
||||
};
|
||||
|
||||
email = mkOption {
|
||||
type = str;
|
||||
description = ''
|
||||
Main e-mail address of the member.
|
||||
'';
|
||||
};
|
||||
};
|
||||
});
|
||||
email = mkOption {
|
||||
type = str;
|
||||
description = ''
|
||||
Main e-mail address of the member.
|
||||
'';
|
||||
};
|
||||
|
||||
username = mkOption {
|
||||
type = str;
|
||||
default = name;
|
||||
description = ''
|
||||
The username used for authentication.
|
||||
WARNING: Must be the same as the ens login!
|
||||
'';
|
||||
};
|
||||
};
|
||||
}
|
||||
)
|
||||
);
|
||||
|
||||
description = ''
|
||||
Members of the DGNum organization.
|
||||
|
|
|
@ -8,11 +8,13 @@
|
|||
catvayor = {
|
||||
name = "Lubin Bailly";
|
||||
email = "catvayor@dgnum.eu";
|
||||
username = "lbailly";
|
||||
};
|
||||
|
||||
cst1 = {
|
||||
name = "Constantin Gierczak--Galle";
|
||||
email = "cst1@dgnum.eu";
|
||||
username = "cgierczakgalle";
|
||||
};
|
||||
|
||||
ecoppens = {
|
||||
|
@ -23,11 +25,13 @@
|
|||
jemagius = {
|
||||
name = "Jean-Marc Gailis";
|
||||
email = "jm@dgnum.eu";
|
||||
username = "jgaillis";
|
||||
};
|
||||
|
||||
luj = {
|
||||
name = "Julien Malka";
|
||||
email = "luj@dgnum.eu";
|
||||
username = "jmalka";
|
||||
};
|
||||
|
||||
mdebray = {
|
||||
|
@ -38,6 +42,7 @@
|
|||
raito = {
|
||||
name = "Ryan Lahfa";
|
||||
email = "ryan@dgnum.eu";
|
||||
username = "rlahfa";
|
||||
};
|
||||
|
||||
thubrecht = {
|
||||
|
|
Loading…
Reference in a new issue