From 773c135b329ad331fffefed05c398b252e98977a Mon Sep 17 00:00:00 2001
From: wo2wz <189177184+wo2wz@users.noreply.github.com>
Date: Sat, 1 Nov 2025 20:32:22 -0400
Subject: [PATCH] zipline: add oidc

---
 modules/nixos/services/homeserver/kanidm.nix | 19 ++++++++++++++++++-
 modules/nixos/services/homeserver/zipline.nix | 7 +++++++
 secrets/secrets.yaml | 7 ++++---
 3 files changed, 29 insertions(+), 4 deletions(-)

diff --git a/modules/nixos/services/homeserver/kanidm.nix b/modules/nixos/services/homeserver/kanidm.nix
index 9e04276..f438315 100644
--- a/modules/nixos/services/homeserver/kanidm.nix
+++ b/modules/nixos/services/homeserver/kanidm.nix
@@ -8,6 +8,10 @@
 owner = "kanidm";
 group = "kanidm";
 };
+ "kanidm/oauth2/zipline" = {
+ owner = "kanidm";
+ group = "kanidm";
+ };
 };
 
 users.groups.tls-kanidm.members = [ "caddy" "kanidm" ];
@@ -63,7 +67,10 @@
 legalName = "Wo2wz_";
 };
 
- groups.nextcloud-grp.members = [ "wo2w" ];
+ groups = {
+ nextcloud-grp.members = [ "wo2w" ];
+ zipline-grp.members = [ "wo2w" ];
+ };
 
 systems.oauth2 = {
 nextcloud = {
@@ -74,6 +81,16 @@
 basicSecretFile = config.sops.secrets."kanidm/oauth2/nextcloud".path;
 scopeMaps.nextcloud-grp = [ "openid" "profile" ];
 };
+
+ zipline = {
+ displayName = "Zipline";
+ originUrl = "https://zipline.wo2wz.fyi/api/auth/oauth/oidc";
+ originLanding = "https://zipline.wo2wz.fyi";
+
+ allowInsecureClientDisablePkce = true;
+ basicSecretFile = config.sops.secrets."kanidm/oauth2/zipline".path;
+ scopeMaps.zipline-grp = [ "openid" "profile" "email" "offline_access" ];
+ };
 };
 };
 
diff --git a/modules/nixos/services/homeserver/zipline.nix b/modules/nixos/services/homeserver/zipline.nix
index 11f96ef..074d962 100755
--- a/modules/nixos/services/homeserver/zipline.nix
+++ b/modules/nixos/services/homeserver/zipline.nix
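Review bot: `allowInsecureClientDisablePkce = true;` in the new zipline client block switches off the PKCE requirement for this client with no stated reason, and the option name itself marks it as a downgrade of the authorization-code flow. If Zipline's OIDC login cannot send a code challenge, record that next to the line, e.g. `# Zipline's OIDC login does not send a PKCE challenge; TODO re-check on Zipline upgrades and remove this`, so the exception is revisited rather than silently inherited. The scope map also grants `offline_access`, i.e. refresh tokens; if Zipline only needs a login round-trip, trimming the list to `[ "openid" "profile" "email" ]` limits what a leaked token can be used for. The enclosing `systems.oauth2` attribute set begins before this hunk.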
@@ -36,6 +36,13 @@
 MFA_TOTP_ENABLED = "true";
 MFA_PASSKEYS = "true";
 
+ FEATURES_OAUTH_REGISTRATION = "true";
+ OAUTH_BYPASS_LOCAL_LOGIN = "true";
+ OAUTH_OIDC_CLIENT_ID = "zipline";
+ OAUTH_OIDC_AUTHORIZE_URL = "https://kanidm.wo2wz.fyi/ui/oauth2";
+ OAUTH_OIDC_USERINFO_URL = "https://kanidm.wo2wz.fyi/oauth2/openid/zipline/userinfo";
+ OAUTH_OIDC_TOKEN_URL = "https://kanidm.wo2wz.fyi/oauth2/token";
+
 FILES_MAX_FILE_SIZE = "3091283091716487142128741263894122347014687124687124614791824619246129491246128461841279468127468912461924612974182746182468712468126487912648126481256487126491672941974612945618274610289417846192849712471eb";
 FILES_ASSUME_MIMETYPES = "true";
 FILES_REMOVE_GPS_METADATA = "true";
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
index f9ea6c6..82c2ed3 100755
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
@@ -9,6 +9,7 @@ cloudflared:
 kanidm:
 oauth2:
 nextcloud: ENC[AES256_GCM,data:P7ha6OwX6A5PyNO4xy+UTfdQBeKbktJbK5Ggv/fLuW+SDrxTehuwM1F9A5el3j1Dsegk3VsrrTPBZTVU6i5qwA==,iv:YcvNvAZHjdBd9q5Uxdp+Phj5uQRqLoRi33rIzUcv7Ng=,tag:cXM58lfOpHbTbaJRNUm1Kw==,type:str]
+ zipline: ENC[AES256_GCM,data:q25Ugsqj6+we3dTDyczfxuGA1DcnlxUDbJLxlzVAF3wTtzdF4t6p2tkPlTtvvgLQQPg/sYAQB0zFE9DcxpxuCw==,iv:fyhRGFUTx1d0ITygUWOkaDAtVI2h05DMv3aEI/DUM2k=,tag:WaPRXbFXl1+aTC+ZtyITYw==,type:str]
 nextcloud:
 adminpass: ENC[AES256_GCM,data:eSQQkhcXB4s9pnJ1hToGgyEr+rGlMIKHLsU0EemMOng=,iv:USq1winT7GPGVKwDjfF+cFs/dj395zgXyTVQ/x1KNS0=,tag:Me6MKsZwUc4sjZIPfZmk+A==,type:str]
 onlyoffice:
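Review bot: `OAUTH_BYPASS_LOCAL_LOGIN = "true"` together with `FEATURES_OAUTH_REGISTRATION = "true"` makes Kanidm the only way into Zipline and, as far as the names indicate, auto-creates a Zipline account for anyone Kanidm authorizes, so the access boundary now lives in `scopeMaps.zipline-grp` in kanidm.nix rather than in this file; a comment on these two lines such as `# Login is Kanidm-only: zipline-grp membership (kanidm.nix) is the sole gate, and local admin login is unavailable while Kanidm is down` would keep that dependency and the lockout trade-off visible. The `MFA_TOTP_ENABLED`/`MFA_PASSKEYS` context lines presumably govern only local logins, so with the bypass in place second-factor enforcement for Zipline rests on Kanidm's policy — worth confirming before relying on it. The client secret does not appear in this hunk and is presumably carried in the sops-managed `secrets.env` this commit also rewrites, which keeps it out of the Nix store; that should stay the case if more `OAUTH_OIDC_*` settings are added here later. The enclosing environment attribute set starts and ends outside the hunk.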
@@ -18,7 +19,7 @@ restic:
 vaultwarden:
 secrets.env: ENC[AES256_GCM,data:bvAAiZ/MTqwHzaNFw8C23R4w2wg7v01yL/Oz3PLty6VRCgivwvySVShV3ijde/zW/N4d6dYlG76sCemlWi/79/UcIV8sZivnLZ124oYh2iuBMNv9cLrwG/PiPYO74lyq+WcIhIimnur4f/o5PbqoanDfVTru50v5+3ovwuK1MsjOaLGU,iv:rrDfCcmzl3vpr6JVoNU5rlxYfCCZi3hUzEX5IlEoThU=,tag:dSEY6NOxRggyd28pbvV30w==,type:str]
 zipline:
- secrets.env: ENC[AES256_GCM,data:+wBx60JmzMAW49HAH5hRhiWq1ufV0vsoUQcmU/1sVZc2AhGripu5SX8cJh28oIvR4BMN3pTDixZy8/0cGnlwqQ7vEJ2CgghaRNk32MagN9j2LmjwFKYbJHWGcw36vQQNcPlSNYSSOYLJcxYiiqhC0NQGiGLRcQ9bV7vR2Zwqu2Kqra3yVe7W4jdJOIqWpQ==,iv:jQKVGGE0x+6o49Q0AtGxNbWnYEYNOAbhUU7JExGYp98=,tag:SemVhXVPK2b3oJbjEpO3fg==,type:str]
+ secrets.env: ENC[AES256_GCM,data:wLU3M+yFHyf7g1MJ/1TJa9db8NT1L5aPDG9WgamOf1PVhiLyd0/p5m8EISD8DPePILe48jL2pxFBJVeeuKR8klKTrryyJye53V29YGGX2B3KMfWWKTIyYlAztOw91Xd0c9Qe256mX2UvoVa6xsZAxHSSxwjTm8zOijmzdwovzB2wiaNgoHNkYhKPBFO3aeZZLY5OrEQZ1gSQg3FkjU8jJuigxTJPgHEelQYwZXVwlUmGz51DXceWb0YJeal8Dw+nalhCGNWU3ZYa6ehKxIl170506ZisIl1/0CzrBWVvzttJX6HggLkQn88=,iv:g8/HnpTQKNtZQqplF4UoeLVtyHxR1QcY3Hch9dtoPkg=,tag:h3TDgC1I3QaTZuCHAs0rZg==,type:str]
 sops:
 age:
 - recipient: age19ey5xs9gxy0738tcp2a66zcye2cxj6suhcwa6y39x3w0sdvyr5tsxp0rlj
@@ -30,7 +31,7 @@ sops:
 N0U5bkt4aXJOS3N0Z2N4YTg4TDVUVncKCQLUTMmdM/IPzV3NDRhPdta1tvXxy/6P
 RYbLzlUryw+tqfTp8nDrdxyOWScLNzPOswAq0Qf7VMcEQ5bJEkAOhQ==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-10-31T16:41:02Z"
- mac: ENC[AES256_GCM,data:IWJqR/RT4zh/rYOyTP+CxRzCpP6YadUd7F6ZiutxMx44QlCVjx6pEyG0MkFXqSl7A4PMFIx52Oh7uhoBcIYL1/g9maa2wQly2SfnZxA3trLzUwAYNbmDa1oBEDsZ/Ho3Hig49mZrV+ZY93wKRoKyPfhus7ewAyvXsbcjzX1ld9k=,iv:v8JpNjIu2avzkw58A2r74Zb31cWmgaQMJCl7vgYjBcI=,tag:oIO/+SzK3V1uN5VIMN9iTA==,type:str]
+ lastmodified: "2025-11-01T18:02:01Z"
+ mac: ENC[AES256_GCM,data:8AOmtfS69osCZOuqgD1TSva33S9fkUBpaZQxXXHWDzcf5f8pNeLUqtiSbWdq9/tUyzuP3klfMnSakoxIT30R45UKXNPdw4BKocRPFUGuQX+3qXOND3vklNRJxXjOSqcukevlOurqpAM+qD4D6udeOVGCP+L27Y3U8GY5wG92dvU=,iv:Fo4jMFhUj34M1VqzwHyBAp7moY2CSmXmg7OuyVeVO3E=,tag:ULoqtFQC0DOJvJppBqoedA==,type:str]
 unencrypted_suffix: _unencrypted
 version: 3.11.0