vaultwarden: enable SSO

wo2wz 2026-01-12 19:13:39 -05:00
parent 586af7a61f
commit 3a9c4c11d4
3 changed files with 43 additions and 23 deletions


@ -3,20 +3,17 @@
{ {
sops.secrets = { sops.secrets = {
"acme/secrets.env" = {}; "acme/secrets.env" = {};
}
"kanidm/oauth2/grafana" = { // lib.genAttrs [
"kanidm/oauth2/grafana"
"kanidm/oauth2/jellyfin"
"kanidm/oauth2/nextcloud"
"kanidm/oauth2/vaultwarden"
]
(x: {
owner = "kanidm"; owner = "kanidm";
group = "kanidm"; group = "kanidm";
}; });
"kanidm/oauth2/jellyfin" = {
owner = "kanidm";
group = "kanidm";
};
"kanidm/oauth2/nextcloud" = {
owner = "kanidm";
group = "kanidm";
};
};
users.groups.tls-kanidm.members = [ "caddy" "kanidm" ]; users.groups.tls-kanidm.members = [ "caddy" "kanidm" ];
@ -75,17 +72,20 @@
"grafana_users" "grafana_users"
"jellyfin_users" "jellyfin_users"
"nextcloud_users" "nextcloud_users"
"vaultwarden_users"
"grafana_admins" "grafana_admins"
"jellyfin_admins" "jellyfin_admins"
]; ];
}; };
groups = { groups = lib.genAttrs [
grafana_users = {}; "grafana_users"
jellyfin_users = {}; "jellyfin_users"
nextcloud_users = {}; "nextcloud_users"
"vaultwarden_users"
] (x: {})
// {
grafana_admins.members = [ "grafana_users" ]; grafana_admins.members = [ "grafana_users" ];
jellyfin_admins.members = [ "jellyfin_users" ]; jellyfin_admins.members = [ "jellyfin_users" ];
}; };
@ -122,6 +122,16 @@
basicSecretFile = config.sops.secrets."kanidm/oauth2/nextcloud".path; basicSecretFile = config.sops.secrets."kanidm/oauth2/nextcloud".path;
scopeMaps.nextcloud_users = [ "openid" "profile" ]; scopeMaps.nextcloud_users = [ "openid" "profile" ];
}; };
vaultwarden = {
displayName = "Vaultwarden";
originUrl = "https://vaultwarden.taild5f7e6.ts.net/identity/connect/oidc-signin";
originLanding = "https://vaultwarden.taild5f7e6.ts.net";
preferShortUsername = true;
basicSecretFile = config.sops.secrets."kanidm/oauth2/vaultwarden".path;
scopeMaps.vaultwarden_users = [ "openid" "email" "profile" "offline_access" ];
};
}; };
}; };
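Review bot: The new `vaultwarden` OAuth2 client in the hunk at `@ -122,6 +122,16 @@` gives no reason for `offline_access` in its scope map or for `preferShortUsername = true`, and the nextcloud client's scope map just above it has neither, so a short comment would spare the next reader a trip to the Vaultwarden SSO docs; e.g. `# offline_access: Vaultwarden keeps its session alive with the IdP refresh token` above the `scopeMaps.vaultwarden_users` line. Vaultwarden also keys accounts on the `email` claim and by default rejects an ID token without `email_verified`; whether Kanidm emits that claim for this client is not visible here, so confirm a first login from a `vaultwarden_users` member succeeds before relying on SSO as the only login path. The attribute set holding these clients (apparently the Kanidm provisioning `oauth2` set) starts outside the hunk.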


@ -1,7 +1,10 @@
{ config, ... }: { config, ... }:
{ {
sops.secrets."vaultwarden/secrets.env".restartUnits = [ "vaultwarden.service" ]; sops.secrets = {
"vaultwarden/secrets.env".restartUnits = [ "vaultwarden.service" ];
"kanidm/oauth2/vaultwarden".restartUnits = [ "vaultwarden.service" ];
};
services.caddy.virtualHosts."vaultwarden.taild5f7e6.ts.net".extraConfig = services.caddy.virtualHosts."vaultwarden.taild5f7e6.ts.net".extraConfig =
assert config.services.caddy.enable; assert config.services.caddy.enable;
@ -23,6 +26,12 @@
IP_HEADER = "X-Forwarded-For"; IP_HEADER = "X-Forwarded-For";
SIGNUPS_ALLOWED = false; SIGNUPS_ALLOWED = false;
SSO_ENABLED = true;
SSO_ONLY = true;
SSO_CLIENT_ID = "vaultwarden";
SSO_AUTHORITY = "https://kanidm.wo2wz.fyi/oauth2/openid/vaultwarden";
SSO_SCOPES = "openid email profile offline_access";
SSO_CLIENT_CACHE_EXPIRATION = 600;
TRASH_AUTO_DELETE_DAYS = 30; TRASH_AUTO_DELETE_DAYS = 30;
}; };
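Review bot: The added `"kanidm/oauth2/vaultwarden".restartUnits = [ "vaultwarden.service" ];` restarts Vaultwarden when the Kanidm-side client secret changes, but that sops entry is owned by `kanidm:kanidm` in the other file and nothing in this file reads its path, so the restart only helps if Vaultwarden's own `SSO_CLIENT_SECRET` (presumably inside `vaultwarden/secrets.env`, which this commit re-encrypts) is updated in the same step. The two copies of the secret have to be rotated together by hand, and that coupling should be written down where it lives, e.g. `# Kanidm's copy of the same basic secret; rotate together with SSO_CLIENT_SECRET in secrets.env` next to the restartUnits line. Separately, `SSO_ONLY = true` makes Kanidm the only way to authenticate while `SIGNUPS_ALLOWED = false` stays in force; how Vaultwarden treats a first SSO login for a Kanidm user with no existing account or invite depends on its SSO signup settings, so check that path before cutting existing users over. The attribute set containing these settings (apparently `services.vaultwarden.config`) starts outside the hunk.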


@ -13,6 +13,7 @@ kanidm:
grafana: ENC[AES256_GCM,data:9aWa5SJ4UNWcQCCRT9rL6XnoUjlkXeifBYe3fL4xRbNC3bc5L6jNtJOF9v0ZZ874pTr/dnv5LzLz/ISLDQWfnw==,iv:+V+JjP2EA02cn7aFif262DjqoCXYRLqXv2jR0pc457c=,tag:CI9daTCxkeOueb3d//hx0A==,type:str] grafana: ENC[AES256_GCM,data:9aWa5SJ4UNWcQCCRT9rL6XnoUjlkXeifBYe3fL4xRbNC3bc5L6jNtJOF9v0ZZ874pTr/dnv5LzLz/ISLDQWfnw==,iv:+V+JjP2EA02cn7aFif262DjqoCXYRLqXv2jR0pc457c=,tag:CI9daTCxkeOueb3d//hx0A==,type:str]
jellyfin: ENC[AES256_GCM,data:37edw83rscw19EiFOVUYoq33awKMWw+XXN6KKYYjEdKwtBx7I01RuOha3DkspFM7zJdmZf3E6IL1UT3N/sBB6w==,iv:T9N4h90799xOhFeNxqmKR0nDGn6BXuIGB4DiOIkt6vk=,tag:JZuu+uqRKAbQskKxzOPIEQ==,type:str] jellyfin: ENC[AES256_GCM,data:37edw83rscw19EiFOVUYoq33awKMWw+XXN6KKYYjEdKwtBx7I01RuOha3DkspFM7zJdmZf3E6IL1UT3N/sBB6w==,iv:T9N4h90799xOhFeNxqmKR0nDGn6BXuIGB4DiOIkt6vk=,tag:JZuu+uqRKAbQskKxzOPIEQ==,type:str]
nextcloud: ENC[AES256_GCM,data:P7ha6OwX6A5PyNO4xy+UTfdQBeKbktJbK5Ggv/fLuW+SDrxTehuwM1F9A5el3j1Dsegk3VsrrTPBZTVU6i5qwA==,iv:YcvNvAZHjdBd9q5Uxdp+Phj5uQRqLoRi33rIzUcv7Ng=,tag:cXM58lfOpHbTbaJRNUm1Kw==,type:str] nextcloud: ENC[AES256_GCM,data:P7ha6OwX6A5PyNO4xy+UTfdQBeKbktJbK5Ggv/fLuW+SDrxTehuwM1F9A5el3j1Dsegk3VsrrTPBZTVU6i5qwA==,iv:YcvNvAZHjdBd9q5Uxdp+Phj5uQRqLoRi33rIzUcv7Ng=,tag:cXM58lfOpHbTbaJRNUm1Kw==,type:str]
vaultwarden: ENC[AES256_GCM,data:8k89RkSKDExFhFMcdWXG6+R/SJX70gPpbv8F5hlOga6BexaqNisdVdDhkejxpsFX9YdBEPFR9Kzm9/b7f0aQlw==,iv:vTlczksBkENWjxBgyNab5v//AWCgron5mjjuM/+CH/4=,tag:XwB8nSWeK4qyI6qYa+7iHA==,type:str]
nextcloud: nextcloud:
adminpass: ENC[AES256_GCM,data:eSQQkhcXB4s9pnJ1hToGgyEr+rGlMIKHLsU0EemMOng=,iv:USq1winT7GPGVKwDjfF+cFs/dj395zgXyTVQ/x1KNS0=,tag:Me6MKsZwUc4sjZIPfZmk+A==,type:str] adminpass: ENC[AES256_GCM,data:eSQQkhcXB4s9pnJ1hToGgyEr+rGlMIKHLsU0EemMOng=,iv:USq1winT7GPGVKwDjfF+cFs/dj395zgXyTVQ/x1KNS0=,tag:Me6MKsZwUc4sjZIPfZmk+A==,type:str]
restic: restic:
@ -24,7 +25,7 @@ syncthing:
cert.pem: ENC[AES256_GCM,data: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,iv:rUJIqoZa9pSMUxSqUmUKnlUahKLEW/vzzmNI4V0LniE=,tag:EKExs0ms3LbIh7FJA923aA==,type:str] cert.pem: ENC[AES256_GCM,data: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,iv:rUJIqoZa9pSMUxSqUmUKnlUahKLEW/vzzmNI4V0LniE=,tag:EKExs0ms3LbIh7FJA923aA==,type:str]
key.pem: ENC[AES256_GCM,data:jhYr/fFLvWOGKb7poh3reEDs6WatAoVgYEWw7Y5jwI06eAUO7yQCPpJefKZ+/0VRi0noX71U9Ul/Nv7VNo5bnZ8Yf0fcVxw8FBo0tMXYwg5AMqnJOIr3B48UZUJ9JiWjKG53rE7iGSbnJ4rzvVxB1Opu/wcEDzY=,iv:90R7tjucK/ogTicwAYL5VZ7YF0gCU7KberPQNtAwkBU=,tag:ECCuskrOefltx11+lk2NBA==,type:str] key.pem: ENC[AES256_GCM,data:jhYr/fFLvWOGKb7poh3reEDs6WatAoVgYEWw7Y5jwI06eAUO7yQCPpJefKZ+/0VRi0noX71U9Ul/Nv7VNo5bnZ8Yf0fcVxw8FBo0tMXYwg5AMqnJOIr3B48UZUJ9JiWjKG53rE7iGSbnJ4rzvVxB1Opu/wcEDzY=,iv:90R7tjucK/ogTicwAYL5VZ7YF0gCU7KberPQNtAwkBU=,tag:ECCuskrOefltx11+lk2NBA==,type:str]
vaultwarden: vaultwarden:
secrets.env: ENC[AES256_GCM,data:bvAAiZ/MTqwHzaNFw8C23R4w2wg7v01yL/Oz3PLty6VRCgivwvySVShV3ijde/zW/N4d6dYlG76sCemlWi/79/UcIV8sZivnLZ124oYh2iuBMNv9cLrwG/PiPYO74lyq+WcIhIimnur4f/o5PbqoanDfVTru50v5+3ovwuK1MsjOaLGU,iv:rrDfCcmzl3vpr6JVoNU5rlxYfCCZi3hUzEX5IlEoThU=,tag:dSEY6NOxRggyd28pbvV30w==,type:str] secrets.env: ENC[AES256_GCM,data:t2eCgDCvN7kZQcSMb2LhJjnbX32YEHCn2fEQ8npW0HQAqnFoFZjik0UzjN/kCmILV7pFk1TKDaXctYbEsOyRZXPJaLDS5URYJQspPJlFEi1hsapWy49f8FG+rnjLCDHLKHt+UsIN4vfNbNZGVK4vpqHdx+1hVi4vWBQVVihMR+Ho9FVm9tTaP7B7Fm88ibGzc1ov9B/PUagEheVljy+9Y+8V3wFeiTzVotbhTJ7qr4Nj/80df2LTkMfzWSc5YVFom6crxihlSX7F779e4JgYGtjfp3O3xW/hQGJHHd98F1KbjT+q/eDO5A==,iv:iCMHcHwozcWzyb2ewgWwbEmF4qm5gAHA1NCcqI6pPYw=,tag:DPWsHovqpMzevMHv/msQLg==,type:str]
sops: sops:
age: age:
- recipient: age19ey5xs9gxy0738tcp2a66zcye2cxj6suhcwa6y39x3w0sdvyr5tsxp0rlj - recipient: age19ey5xs9gxy0738tcp2a66zcye2cxj6suhcwa6y39x3w0sdvyr5tsxp0rlj
@ -36,7 +37,7 @@ sops:
N0U5bkt4aXJOS3N0Z2N4YTg4TDVUVncKCQLUTMmdM/IPzV3NDRhPdta1tvXxy/6P N0U5bkt4aXJOS3N0Z2N4YTg4TDVUVncKCQLUTMmdM/IPzV3NDRhPdta1tvXxy/6P
RYbLzlUryw+tqfTp8nDrdxyOWScLNzPOswAq0Qf7VMcEQ5bJEkAOhQ== RYbLzlUryw+tqfTp8nDrdxyOWScLNzPOswAq0Qf7VMcEQ5bJEkAOhQ==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2025-12-18T17:37:25Z" lastmodified: "2026-01-11T18:41:54Z"
mac: ENC[AES256_GCM,data:WAbxmwCprdQOJSH1tXdPoTU8BxeesDRfCR5iY4t3LV5AbCDJBGETtBNIRN7/RcHjAZQri1AW/Z+esqAzbytp29To3vaGJX3LgHLM/1A+jpW10V2dUwlBrILNKivift2/wY4+oUMVqK5xY3rxtvvL2GO6gFq4B5Yu4NIhzgv2VgE=,iv:aoislG3JujD8clv1UIT92PZrxZgLcH5wQ77LvLnQgYA=,tag:0n5TpxlJpxwvkBRn5UrHdA==,type:str] mac: ENC[AES256_GCM,data:3PAGANiT332H89BQnKgES5eolecmdjfbYT14Tr+svutKBao3T+jmcbUotlAS00fzfjnqozEgdDNDeuCTK5UugZsdwJ5RH2QcpL4oV/jTPPoMVpvvKGL9X0z3PdryyloBcTNOYRMk8rEDs7bPCmEZzbshHIcx8PkIaP6BeT0TO/U=,iv:Vvy+gH/rqJA0e/R/WFP8UBfMZgDqqHm5z53gdv5G8r4=,tag:q0amJGRC1fbvqUDHTA2GeQ==,type:str]
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.11.0 version: 3.11.0