kanidm:init

authentik killing time

modules/nixos/services/homeserver/default.nix

@@ -5,6 +5,7 @@
     ./authentik.nix
     ./caddy.nix
     ./cloudflared.nix
+    ./kanidm.nix
     ./nextcloud.nix
     ./ntfy.nix
     ./restic.nix

modules/nixos/services/homeserver/kanidm.nix

@@ -0,0 +1,83 @@
+{ config, pkgs, lib, ... }:
+
+{
+  sops.secrets = {
+    "acme/secrets.env" = {};
+
+    "kanidm/oauth2/nextcloud" = {
+      owner = "kanidm";
+      group = "kanidm";
+    };
+  };
+
+  users.groups.tls-kanidm.members = [ "caddy" "kanidm" ];
+
+  security.acme = {
+    acceptTerms = true;
+
+    certs."kanidm.wo2wz.fyi" = {
+      environmentFile = config.sops.secrets."acme/secrets.env".path;
+      email = "189177184+wo2wz@users.noreply.github.com";
+      dnsProvider = "cloudflare";
+
+      group = "tls-kanidm";
+      reloadServices = [ "caddy.service" "kanidm.service" ];
+    };
+  };
+
+  services.caddy.virtualHosts."kanidm.wo2wz.fyi".extraConfig =
+  assert config.services.caddy.enable;
+  ''
+    import default-settings
+    import cloudflare-tls
+
+    reverse_proxy https://localhost:8004 {
+        header_up Host {upstream_hostport}
+        transport http {
+            tls_server_name kanidm.wo2wz.fyi
+            tls_client_auth ${config.security.acme.certs."kanidm.wo2wz.fyi".directory}/fullchain.pem ${config.security.acme.certs."kanidm.wo2wz.fyi".directory}/key.pem
+        }
+    }
+  '';
+
+  services.kanidm = {
+    enableServer = true;
+    package = pkgs.kanidmWithSecretProvisioning_1_7;
+
+    serverSettings = {
+      version = "2";
+
+      bindaddress = "127.0.0.1:8004";
+      domain = "kanidm.wo2wz.fyi";
+      origin = "https://kanidm.wo2wz.fyi";
+      tls_chain = "${config.security.acme.certs."kanidm.wo2wz.fyi".directory}/fullchain.pem";
+      tls_key = "${config.security.acme.certs."kanidm.wo2wz.fyi".directory}/key.pem";
+      http_client_address_info.x-forward-for = [ "127.0.0.1" "::1" ];
+    };
+
+    provision = {
+      enable = true;
+
+      persons.wo2w = {
+        displayName = "wo2w";
+        legalName = "Wo2wz_";
+      };
+
+      groups.nextcloud-grp.members = [ "wo2w" ];
+
+      systems.oauth2 = {
+        nextcloud = {
+          displayName = "Nextcloud";
+          originUrl = "https://nextcloud.wo2wz.fyi/index.php/apps/user_oidc/code";
+          originLanding = "https://nextcloud.wo2wz.fyi/index.php";
+
+          basicSecretFile = config.sops.secrets."kanidm/oauth2/nextcloud".path;
+          scopeMaps.nextcloud-grp = [ "openid" "profile" ];
+        };
+      };
+    };
+
+    enableClient = true;
+    clientSettings.uri = "https://kanidm.wo2wz.fyi";
+  };
+}

secrets/secrets.yaml

@@ -1,3 +1,5 @@
+acme:
+    secrets.env: ENC[AES256_GCM,data:RcSc1yJM/dx0TzH6R/TUf+K5Q7U1AnM1/Up1hmmqbauohoKTjYIQEnCbFKN1K7ZgAhAnkarKXfZb,iv:tmXSCLtvjoEmt984e6sjgi5lhv0UZ2T3g8Xog22Mgnw=,tag:z3UnnRCn7utQRAcuYpDOsA==,type:str]
 authentik:
     secrets.env: ENC[AES256_GCM,data:tNlefZK5emnwTOLNwMBsXj6yB8wDI584TPnrrbu5p7ohO/PnziLMTQREvah6q8pKWfSGTjMiEAdf3Dy5M3VhJH34phE3eLxT6G9/4ayxOiLLc2QmZ4nryst3mvpx6KVfOqo5dJAUS82SPZllIUFk3n1LV6SGaF+mvQFTHYlYu34B3FgOwl3zw0Ks7UsZTyDjk5qbJsGaDg==,iv:FpJ9/kJxkBfZ7Tr9ZX8GRNDyDN2uzcvCBdExE9UykMY=,tag:UrKZ7YF1Zr0JbvuJM3dt+w==,type:str]
 caddy:
@@ -6,6 +8,9 @@ caddy:
     wo2wz.fyi.key: ENC[AES256_GCM,data:8uiuUyVx9yTtRQFR8DBpE5nh39pbsevlU1YFoKu2I/mO6Z1rS1LfUGh4fH6KuKqh1CNtd+e4JYtpUigCrWwcFg5th6K7tj7Zs+4bxigIn7DFpD38wko+1I2BoUOS6nyIgBJ8RL7DDlldS2K/Pow6F6j9kflha6sjUQ5ZFOeoWW1HV6GRNPKlk4/TDueRbYZKsPM0KeDRyCntbDWLE4ap2vLUvIGYoQAk+Ng5Xt3LMKeG2/LBUXp+EU7m4R1WHsmzHjIKtT7qgkhSvg6RwelBVFutp3fg3GbSEsC96D76osNsWNM/tDCqyu8VpG5fIYNXS+aS06wdvCmcvm13Qa1wnYMCvN7GrfNG+4BrarxrGBeb00UU1zBM11vNUyg2sWAhIrOt+5aTHM55rrcjNxJz+3OxEpEtkH7bKl6aL0Yk0/qxRFYHoBaAiRVd3kQ/2FbgTXF336fF40UGSSEoQ/y3Tbp0ad0rpqnxwP1mzK2s+blK5ljBQF3+vNyhQUbhmns3xZN063gvgE6OnK10RcnoKszQpPJ0uHEnjaHxHPkh1BxEgGHhH615+xcLT9O3jWUE/gONBEMQwBaL/f0qxPZZQrR837Yp3QphFrdfo8aobLNlGWZPgAmaphI09CEkDt9IiwM0GmbgoSMLa8uGaBY24W8q294zQwJtpjMt0ALSTEA1h4GdXpyM+iIDhCN5t8AENhFGF65cvHeKk9vvKkFIFOh4PXV/ITQd5VG3CSLgaKCbK3DA2TqFGscL1zf2j8crAR/ZajwTij+IEZd9qIutDE9al4zsSFD6EnkvKPAelC91MZ5S0UZ+c7HWY3j+BtYSEloq9hqZIW7eGO0HIPvhtVMHWlj6E8ujv3Jm0k0WnJ/pP2kEQGMfmutFSx/hAcb/vxs497i5H9oI7CY+yTIFZQiCjNy14m3sKR9dSCe0js7+fjP66KzKnJcoOyJRaOOE8zEz0pU8dgJiTF4mrGD0DTVLmBSq3l5GOOlH0a4FjOVqMzTy0NrbEAoTfqnPcBHhczbXQs+1NjNI2SwWXhSkXZbtnlPJKDUsHv9gjfUQOzL0jQGfmjy/CzEXq5dQUU/gl28i9/HehOvb84IE7hQIKL0Ddn7a8YJDzB0LfEadPjXA5R4sbml69SmUYNWQKQDmABfqM1nB45v/2+f5uzYe+fCxJiP89PR/FEWNvxipf8C9yMO3N+wjj05z4n0UK8q3YwxzZ35ry1kjOHelzXKTI9IakQ5yDlkX8ahDOrG01+qRRLQNoc6e2q7aEhTdNa1mY6ndhRHl1EV8Ed4As/77qDQOiVM6lhykdMdb/BI4d3qBVXwNqRH2kNOQig6mWmSKYL5YEA9sWOQ+CbK3j7TNGZPl8n4u7ya1zcP1m67vCFvc2Fr7rsKJOxoZzH22elfuE6hw6pHAv1m3iV8SYct2yDz81ngUYLzU5MBi8To/GgQIMVDoa4dZrh5aZtZ0OQpH/atQf+UfQS0GcrWw2o+HY96TaDMvGHSGDgE+lOM2ccoJLVFxNoZLqhYOxuK1CxMyd9DM8bjV/YExYritxG/D577M/bSJtpar+AAPrBp5RMjybhsnyxTPahQvihZz07Q4rLZIXjxr2eW04ijI8DBTDXX9uftUc8vDdY4dSy0CKoZ080ziDl6LLO3fVahuXQ6gmwrZdJ9W48Yt0Zc8eiDMZsQV/32IVJocvniZIIkS5nJA09+qoKCQGd+lW0uxjeiRTMYQWXVN7ktnmjaEeDeg1uqAF9QMdhwXGgVyPAppzp7u1s2tXAp8dZoPamczVLpktUg6kEcrDJHEVMTD8Zyoi+koy2C/g331E7Npe/jBrX3m8EBfE2nNBo17BBV7tRn8yBBGHLerw/4IjoOPZrF0NWcvJE/Xirx6lphBhu/JpFvDsfrO3v8qOClgadGIMbf4bA0UQ8NsqCvTmr95+5T7XpsK++YqlznEV4QveQwfxg67A9/uUyurBoidjx/dyMkFHjepk3TB05GZOKk6xuOwt9QhDq192ta2+PAyOoWJQMeexrIELKU1e1652zP+DQv797aqKRvE9og9Pog88VPHOg+8IJe534P9LCVdeTEV2WgfsY5Pj7Vp1qQft+d8aSCftFuQ2/umKlxaxnV/A2mXZcpZE0YQs9IE+P3YjqmqCfvkIzAGVr/HH2o5EdkYCBmuma296zgSyeQ2QfqYVcP09jkQLeCUKJAVEpvSV/TNWdzU8Hse58y7dZtabjcrXNJcv4V6sIaIUzk0D0QjqXxW8etZtglv3uWz,iv:bj2qvdXB4aSUIqzN5mRcMpC0cdgK5lQGFQHZQQ/or9g=,tag:zsqkNqyUcjB/YlblwdoOPw==,type:str]
 cloudflared:
     8af2892d-d534-4e32-b867-5b79308a99d5.json: ENC[AES256_GCM,data:4fOlt/pNxQ9CSuKf1ZPv9odtdU+Q7NTlO56xGp5yY0AEZrbpljSlTS/b8dON5iVwRoUjUbUui8+jvDri7ad99e+kZUwzDC2S294oaQyPa5Bl4jrYZSFn6SWZbnBzyV5tVN0hoQlIMQ/oU53TvBAtNrj10toePH7iLB12AmqMCBshWEFUViAJqGcZZMrcarAT453FgtpR+f3vR8Wv90SGc7wHXARJZ4NzEIRmYD4dGA==,iv:1Mt9FJTlT7Sv9FvrNY97icXSi757ejt56lhc7OG1dJM=,tag:JxW5Cg6nPzzh4zxi9Wvw0A==,type:str]
+kanidm:
+    oauth2:
+        nextcloud: ENC[AES256_GCM,data:P7ha6OwX6A5PyNO4xy+UTfdQBeKbktJbK5Ggv/fLuW+SDrxTehuwM1F9A5el3j1Dsegk3VsrrTPBZTVU6i5qwA==,iv:YcvNvAZHjdBd9q5Uxdp+Phj5uQRqLoRi33rIzUcv7Ng=,tag:cXM58lfOpHbTbaJRNUm1Kw==,type:str]
 nextcloud:
     adminpass: ENC[AES256_GCM,data:eSQQkhcXB4s9pnJ1hToGgyEr+rGlMIKHLsU0EemMOng=,iv:USq1winT7GPGVKwDjfF+cFs/dj395zgXyTVQ/x1KNS0=,tag:Me6MKsZwUc4sjZIPfZmk+A==,type:str]
 onlyoffice:
@@ -27,7 +32,7 @@ sops:
             N0U5bkt4aXJOS3N0Z2N4YTg4TDVUVncKCQLUTMmdM/IPzV3NDRhPdta1tvXxy/6P
             RYbLzlUryw+tqfTp8nDrdxyOWScLNzPOswAq0Qf7VMcEQ5bJEkAOhQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-10-11T00:48:44Z"
+    lastmodified: "2025-10-31T14:53:31Z"
-    mac: ENC[AES256_GCM,data:8tmoqN7fUNuAFa4j+gpdqAg3vqeV0vkEDsRMzozDotVOnd3SEyZfiXDNmWkpDvJrHXzy50jmFoC4DfBfFCrE31eSDAFIFfE8j7pdMi/NCm9F4djNyqJ1C2WhjymIRo1RK70LFRGiEGg8XfhS8pj1m/7DhgBQW0K++1+du6N2Oks=,iv:GdfQxxJQAONqTBRhHNV+JfQTEBoGgFBT7cvAjAKV/wM=,tag:paYy8msjsqzHcYxhfwtkBw==,type:str]
+    mac: ENC[AES256_GCM,data:HtjXMIO95tdnFg+2k51QJoF/IcG2OYudxuUTeOSdkb2m/SpTLHPjrXf6gylsYmME6BukTTkZxl7aFMqgbPl2L9ppD96MuEj49PiK9bk9XvGvSQc4K8tQZPwA38xV0rcjgErgw5HDkXwi/vbTCDLKcysTkDAb5FPcPNqbsU8EjKY=,iv:6XggO3OLnCwccntUhmCaCpTuJI8N76e3T1S16/gBw1o=,tag:51wvZgRwKSbvqHPv7B3AkQ==,type:str]
     unencrypted_suffix: _unencrypted
-    version: 3.10.2
+    version: 3.11.0