vaultwarden: enable SSO

2026-01-12 19:13:39 -05:00 · 2026-01-12 19:13:39 -05:00 · 3a9c4c11d4
commit 3a9c4c11d4
parent 586af7a61f
3 changed files with 43 additions and 23 deletions
--- a/modules/nixos/services/homeserver/kanidm.nix
+++ b/modules/nixos/services/homeserver/kanidm.nix
@ -3,20 +3,17 @@
 {
  sops.secrets = {
    "acme/secrets.env" = {};
-
-    "kanidm/oauth2/grafana" = {
-      owner = "kanidm";
-      group = "kanidm";
-    };
-    "kanidm/oauth2/jellyfin" = {
-      owner = "kanidm";
-      group = "kanidm";
-    };
-    "kanidm/oauth2/nextcloud" = {
-      owner = "kanidm";
-      group = "kanidm";
-    };
-  };
+  }
+  // lib.genAttrs [
+    "kanidm/oauth2/grafana"
+    "kanidm/oauth2/jellyfin"
+    "kanidm/oauth2/nextcloud"
+    "kanidm/oauth2/vaultwarden"
+  ]
+  (x: {
+    owner = "kanidm";
+    group = "kanidm";
+  });

  users.groups.tls-kanidm.members = [ "caddy" "kanidm" ];

@ -75,17 +72,20 @@
          "grafana_users"
          "jellyfin_users"
          "nextcloud_users"
+          "vaultwarden_users"

          "grafana_admins"
          "jellyfin_admins"
        ];
      };

-      groups = {
-        grafana_users = {};
-        jellyfin_users = {};
-        nextcloud_users = {};
-
+      groups = lib.genAttrs [
+        "grafana_users"
+        "jellyfin_users"
+        "nextcloud_users"
+        "vaultwarden_users"
+      ] (x: {})
+      // {
        grafana_admins.members = [ "grafana_users" ];
        jellyfin_admins.members = [ "jellyfin_users" ];
      };
@ -122,6 +122,16 @@
          basicSecretFile = config.sops.secrets."kanidm/oauth2/nextcloud".path;
          scopeMaps.nextcloud_users = [ "openid" "profile" ];
        };
+        
+        vaultwarden = {
+          displayName = "Vaultwarden";
+          originUrl = "https://vaultwarden.taild5f7e6.ts.net/identity/connect/oidc-signin";
+          originLanding = "https://vaultwarden.taild5f7e6.ts.net";
+
+          preferShortUsername = true;
+          basicSecretFile = config.sops.secrets."kanidm/oauth2/vaultwarden".path;
+          scopeMaps.vaultwarden_users = [ "openid" "email" "profile" "offline_access" ];
+        };
      };
    };

--- a/modules/nixos/services/homeserver/vaultwarden.nix
+++ b/modules/nixos/services/homeserver/vaultwarden.nix
@ -1,7 +1,10 @@
 { config, ... }:

 {
-  sops.secrets."vaultwarden/secrets.env".restartUnits = [ "vaultwarden.service" ];
+  sops.secrets = {
+    "vaultwarden/secrets.env".restartUnits = [ "vaultwarden.service" ];
+    "kanidm/oauth2/vaultwarden".restartUnits = [ "vaultwarden.service" ];
+  };

  services.caddy.virtualHosts."vaultwarden.taild5f7e6.ts.net".extraConfig =
    assert config.services.caddy.enable;
@ -23,6 +26,12 @@
      IP_HEADER = "X-Forwarded-For";

      SIGNUPS_ALLOWED = false;
+      SSO_ENABLED = true;
+      SSO_ONLY = true;
+      SSO_CLIENT_ID = "vaultwarden";
+      SSO_AUTHORITY = "https://kanidm.wo2wz.fyi/oauth2/openid/vaultwarden";
+      SSO_SCOPES = "openid email profile offline_access";
+      SSO_CLIENT_CACHE_EXPIRATION = 600;

      TRASH_AUTO_DELETE_DAYS = 30;
    };