feat(kanidm): Use kanidm-provision to setup active members

Tom Hubrecht 2024-10-18 14:35:52 +02:00
parent e7edf29e11
commit f0b3d4b490
Signed by: thubrecht
SSH key fingerprint: SHA256:r+nK/SIcWlJ0zFZJGHtlAoRwq1Rm+WcKAm5ADYMoQPc
3 changed files with 147 additions and 17 deletions


@ -1,12 +1,20 @@
{
config,
lib,
meta,
nixpkgs,
...
}:
let
inherit (lib) escapeRegex concatStringsSep;
inherit (lib)
attrValues
catAttrs
escapeRegex
concatStringsSep
mapAttrs'
nameValuePair
;
domain = "sso.dgnum.eu";
port = 8443;
@ -28,6 +36,8 @@ let
"netbird-beta.hubrecht.ovh"
]
);
usernameFor = member: meta.organization.members.${member}.username;
in
{
services.kanidm = {
@ -48,6 +58,107 @@ in
tls_chain = "${cert.directory}/fullchain.pem";
tls_key = "${cert.directory}/key.pem";
};
provision = {
enable = true;
persons = mapAttrs' (
_:
{
email,
name,
username,
...
}:
nameValuePair username {
displayName = name;
mailAddresses = [ email ];
}
) meta.organization.members;
groups =
{
grp_active.members = catAttrs "username" (attrValues meta.organization.members);
}
// (mapAttrs' (
name: members: nameValuePair "grp_${name}" { members = builtins.map usernameFor members; }
) meta.organization.groups);
# INFO: The authentication resources declared here can only be for internal services,
# as regular members cannot be statically known.
systems.oauth2 = {
dgn_grafana = {
displayName = "Grafana [Analysis]";
originLanding = "https://grafana.dgnum.eu";
originUrl = "https://grafana.dgnum.eu/";
preferShortUsername = true;
scopeMaps.grp_active = [
"openid"
"profile"
"email"
];
};
dgn_librenms = {
allowInsecureClientDisablePkce = true;
displayName = "LibreNMS [Network]";
enableLegacyCrypto = true;
originLanding = "https://nms.dgnum.eu";
originUrl = "https://nms.dgnum.eu/";
preferShortUsername = true;
scopeMaps.grp_active = [
"openid"
"profile"
"email"
];
};
dgn_netbird = {
displayName = "Netbird [VPN]";
enableLocalhostRedirects = true;
originLanding = "https://netbird.dgnum.eu";
originUrl = "https://netbird.dgnum.eu/";
preferShortUsername = true;
public = true;
scopeMaps.grp_active = [
"openid"
"profile"
"email"
];
};
dgn_netbox = {
allowInsecureClientDisablePkce = true;
displayName = "Netbox [Inventory]";
enableLegacyCrypto = true;
originLanding = "https://netbox.dgnum.eu";
originUrl = "https://netbox.dgnum.eu/";
preferShortUsername = true;
scopeMaps.grp_active = [
"openid"
"profile"
"email"
];
};
dgn_outline = {
displayName = "Outline [Docs]";
originUrl = "https://docs.dgnum.eu/";
originLanding = "https://docs.dgnum.eu";
preferShortUsername = true;
scopeMaps.grp_active = [
"openid"
"profile"
"email"
];
};
};
};
};
users.users.kanidm.extraGroups = [ cert.group ];
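Review bot: The `allowInsecureClientDisablePkce = true;` and `enableLegacyCrypto = true;` lines on `dgn_librenms` and `dgn_netbox` loosen those two OAuth2 clients relative to the other three (PKCE may be skipped, legacy crypto profiles stay enabled), and nothing in the hunk records why each service needs them. A why-comment next to each pair, such as `# INFO: LibreNMS cannot do PKCE / current token crypto yet; drop these once it can — TODO confirm against the deployed version`, would stop the next maintainer from copying them into new clients as if they were defaults. The existing INFO comment above `systems.oauth2` explains what may be declared here but not why these two clients differ from the rest. The `provision` block sits inside the `services.kanidm` attribute set, which starts before this hunk.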


@ -41,23 +41,37 @@ in
options = {
organization = {
members = mkOption {
type = attrsOf (submodule {
options = {
name = mkOption {
type = str;
description = ''
Name of the member.
'';
};
type = attrsOf (
submodule (
{ name, ... }:
{
options = {
name = mkOption {
type = str;
description = ''
Name of the member.
'';
};
email = mkOption {
type = str;
description = ''
Main e-mail address of the member.
'';
};
};
});
email = mkOption {
type = str;
description = ''
Main e-mail address of the member.
'';
};
username = mkOption {
type = str;
default = name;
description = ''
The username used for authentication.
WARNING: Must be the same as the ens login!
'';
};
};
}
)
);
description = ''
Members of the DGNum organization.
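Review bot: The new `username` option's `default = name;` takes `name` from the submodule's function argument, i.e. the attribute key under `organization.members`, while a sibling option in the same `options` set is also called `name` (the member's display name); the description should say which one it is, e.g. add `Defaults to the attribute name of the member under organization.members.` before the WARNING line. The two `name`s are legitimately distinct in Nix, but the collision is easy to misread, and since this value is what the kanidm provisioning uses as the login, a wrong assumption would presumably provision the account under the wrong identifier. The enclosing `options` attribute set starts before this hunk and the description string continues past its end.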


@ -8,11 +8,13 @@
catvayor = {
name = "Lubin Bailly";
email = "catvayor@dgnum.eu";
username = "lbailly";
};
cst1 = {
name = "Constantin Gierczak--Galle";
email = "cst1@dgnum.eu";
username = "cgierczakgalle";
};
ecoppens = {
@ -23,11 +25,13 @@
jemagius = {
name = "Jean-Marc Gailis";
email = "jm@dgnum.eu";
username = "jgaillis";
};
luj = {
name = "Julien Malka";
email = "luj@dgnum.eu";
username = "jmalka";
};
mdebray = {
@ -38,6 +42,7 @@
raito = {
name = "Ryan Lahfa";
email = "ryan@dgnum.eu";
username = "rlahfa";
};
thubrecht = {