zipline: add oidc

This commit is contained in:
wo2wz 2025-11-01 20:32:22 -04:00
parent ca1d1d0a32
commit 773c135b32
3 changed files with 29 additions and 4 deletions


@ -8,6 +8,10 @@
owner = "kanidm"; owner = "kanidm";
group = "kanidm"; group = "kanidm";
}; };
"kanidm/oauth2/zipline" = {
owner = "kanidm";
group = "kanidm";
};
}; };
users.groups.tls-kanidm.members = [ "caddy" "kanidm" ]; users.groups.tls-kanidm.members = [ "caddy" "kanidm" ];
@ -63,7 +67,10 @@
legalName = "Wo2wz_"; legalName = "Wo2wz_";
}; };
groups.nextcloud-grp.members = [ "wo2w" ]; groups = {
nextcloud-grp.members = [ "wo2w" ];
zipline-grp.members = [ "wo2w" ];
};
systems.oauth2 = { systems.oauth2 = {
nextcloud = { nextcloud = {
@ -74,6 +81,16 @@
basicSecretFile = config.sops.secrets."kanidm/oauth2/nextcloud".path; basicSecretFile = config.sops.secrets."kanidm/oauth2/nextcloud".path;
scopeMaps.nextcloud-grp = [ "openid" "profile" ]; scopeMaps.nextcloud-grp = [ "openid" "profile" ];
}; };
zipline = {
displayName = "Zipline";
originUrl = "https://zipline.wo2wz.fyi/api/auth/oauth/oidc";
originLanding = "https://zipline.wo2wz.fyi";
allowInsecureClientDisablePkce = true;
basicSecretFile = config.sops.secrets."kanidm/oauth2/zipline".path;
scopeMaps.zipline-grp = [ "openid" "profile" "email" "offline_access" ];
};
}; };
}; };
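Review bot: `allowInsecureClientDisablePkce = true;` on the new zipline client turns off PKCE enforcement for a client that is also configured as confidential via `basicSecretFile`, and nothing in the hunk records why the exemption is needed. If Zipline's OIDC client can send a PKCE code challenge the flag should be dropped; if it cannot, a comment above the line such as `# Zipline's OIDC client does not support PKCE; remove this once it does` keeps the exemption from being copied to the next client by habit. The `offline_access` entry in `scopeMaps.zipline-grp` hands out refresh tokens, so it is worth confirming Zipline actually uses them before granting the scope. The enclosing `systems.oauth2` set begins above the hunk.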


@ -36,6 +36,13 @@
MFA_TOTP_ENABLED = "true"; MFA_TOTP_ENABLED = "true";
MFA_PASSKEYS = "true"; MFA_PASSKEYS = "true";
FEATURES_OAUTH_REGISTRATION = "true";
OAUTH_BYPASS_LOCAL_LOGIN = "true";
OAUTH_OIDC_CLIENT_ID = "zipline";
OAUTH_OIDC_AUTHORIZE_URL = "https://kanidm.wo2wz.fyi/ui/oauth2";
OAUTH_OIDC_USERINFO_URL = "https://kanidm.wo2wz.fyi/oauth2/openid/zipline/userinfo";
OAUTH_OIDC_TOKEN_URL = "https://kanidm.wo2wz.fyi/oauth2/token";
FILES_MAX_FILE_SIZE = "3091283091716487142128741263894122347014687124687124614791824619246129491246128461841279468127468912461924612974182746182468712468126487912648126481256487126491672941974612945618274610289417846192849712471eb"; FILES_MAX_FILE_SIZE = "3091283091716487142128741263894122347014687124687124614791824619246129491246128461841279468127468912461924612974182746182468712468126487912648126481256487126491672941974612945618274610289417846192849712471eb";
FILES_ASSUME_MIMETYPES = "true"; FILES_ASSUME_MIMETYPES = "true";
FILES_REMOVE_GPS_METADATA = "true"; FILES_REMOVE_GPS_METADATA = "true";
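Review bot: `FEATURES_OAUTH_REGISTRATION = "true"` together with `OAUTH_BYPASS_LOCAL_LOGIN = "true"` makes account creation and sign-in depend entirely on what the identity provider lets through, and the hunk does not say where that gate lives. A comment next to the two lines tying them to the Kanidm side, e.g. `# Accounts are auto-created on first OIDC login; access is gated by Kanidm's zipline-grp scope map`, records the assumption so a later change to the group mapping is understood as an access-control change. With local login bypassed, it is worth noting in the same comment how an admin signs in if Kanidm is unavailable, since no break-glass path is visible here. The client secret is presumably supplied through the zipline secrets.env rather than this attribute set, and the hunk header counts 7 additions while only 6 are shown, so one added line may have been lost in rendering. The env attribute set continues outside the hunk.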


@ -9,6 +9,7 @@ cloudflared:
kanidm: kanidm:
oauth2: oauth2:
nextcloud: ENC[AES256_GCM,data:P7ha6OwX6A5PyNO4xy+UTfdQBeKbktJbK5Ggv/fLuW+SDrxTehuwM1F9A5el3j1Dsegk3VsrrTPBZTVU6i5qwA==,iv:YcvNvAZHjdBd9q5Uxdp+Phj5uQRqLoRi33rIzUcv7Ng=,tag:cXM58lfOpHbTbaJRNUm1Kw==,type:str] nextcloud: ENC[AES256_GCM,data:P7ha6OwX6A5PyNO4xy+UTfdQBeKbktJbK5Ggv/fLuW+SDrxTehuwM1F9A5el3j1Dsegk3VsrrTPBZTVU6i5qwA==,iv:YcvNvAZHjdBd9q5Uxdp+Phj5uQRqLoRi33rIzUcv7Ng=,tag:cXM58lfOpHbTbaJRNUm1Kw==,type:str]
zipline: ENC[AES256_GCM,data:q25Ugsqj6+we3dTDyczfxuGA1DcnlxUDbJLxlzVAF3wTtzdF4t6p2tkPlTtvvgLQQPg/sYAQB0zFE9DcxpxuCw==,iv:fyhRGFUTx1d0ITygUWOkaDAtVI2h05DMv3aEI/DUM2k=,tag:WaPRXbFXl1+aTC+ZtyITYw==,type:str]
nextcloud: nextcloud:
adminpass: ENC[AES256_GCM,data:eSQQkhcXB4s9pnJ1hToGgyEr+rGlMIKHLsU0EemMOng=,iv:USq1winT7GPGVKwDjfF+cFs/dj395zgXyTVQ/x1KNS0=,tag:Me6MKsZwUc4sjZIPfZmk+A==,type:str] adminpass: ENC[AES256_GCM,data:eSQQkhcXB4s9pnJ1hToGgyEr+rGlMIKHLsU0EemMOng=,iv:USq1winT7GPGVKwDjfF+cFs/dj395zgXyTVQ/x1KNS0=,tag:Me6MKsZwUc4sjZIPfZmk+A==,type:str]
onlyoffice: onlyoffice:
@ -18,7 +19,7 @@ restic:
vaultwarden: vaultwarden:
secrets.env: ENC[AES256_GCM,data:bvAAiZ/MTqwHzaNFw8C23R4w2wg7v01yL/Oz3PLty6VRCgivwvySVShV3ijde/zW/N4d6dYlG76sCemlWi/79/UcIV8sZivnLZ124oYh2iuBMNv9cLrwG/PiPYO74lyq+WcIhIimnur4f/o5PbqoanDfVTru50v5+3ovwuK1MsjOaLGU,iv:rrDfCcmzl3vpr6JVoNU5rlxYfCCZi3hUzEX5IlEoThU=,tag:dSEY6NOxRggyd28pbvV30w==,type:str] secrets.env: ENC[AES256_GCM,data:bvAAiZ/MTqwHzaNFw8C23R4w2wg7v01yL/Oz3PLty6VRCgivwvySVShV3ijde/zW/N4d6dYlG76sCemlWi/79/UcIV8sZivnLZ124oYh2iuBMNv9cLrwG/PiPYO74lyq+WcIhIimnur4f/o5PbqoanDfVTru50v5+3ovwuK1MsjOaLGU,iv:rrDfCcmzl3vpr6JVoNU5rlxYfCCZi3hUzEX5IlEoThU=,tag:dSEY6NOxRggyd28pbvV30w==,type:str]
zipline: zipline:
secrets.env: ENC[AES256_GCM,data:+wBx60JmzMAW49HAH5hRhiWq1ufV0vsoUQcmU/1sVZc2AhGripu5SX8cJh28oIvR4BMN3pTDixZy8/0cGnlwqQ7vEJ2CgghaRNk32MagN9j2LmjwFKYbJHWGcw36vQQNcPlSNYSSOYLJcxYiiqhC0NQGiGLRcQ9bV7vR2Zwqu2Kqra3yVe7W4jdJOIqWpQ==,iv:jQKVGGE0x+6o49Q0AtGxNbWnYEYNOAbhUU7JExGYp98=,tag:SemVhXVPK2b3oJbjEpO3fg==,type:str] secrets.env: ENC[AES256_GCM,data:wLU3M+yFHyf7g1MJ/1TJa9db8NT1L5aPDG9WgamOf1PVhiLyd0/p5m8EISD8DPePILe48jL2pxFBJVeeuKR8klKTrryyJye53V29YGGX2B3KMfWWKTIyYlAztOw91Xd0c9Qe256mX2UvoVa6xsZAxHSSxwjTm8zOijmzdwovzB2wiaNgoHNkYhKPBFO3aeZZLY5OrEQZ1gSQg3FkjU8jJuigxTJPgHEelQYwZXVwlUmGz51DXceWb0YJeal8Dw+nalhCGNWU3ZYa6ehKxIl170506ZisIl1/0CzrBWVvzttJX6HggLkQn88=,iv:g8/HnpTQKNtZQqplF4UoeLVtyHxR1QcY3Hch9dtoPkg=,tag:h3TDgC1I3QaTZuCHAs0rZg==,type:str]
sops: sops:
age: age:
- recipient: age19ey5xs9gxy0738tcp2a66zcye2cxj6suhcwa6y39x3w0sdvyr5tsxp0rlj - recipient: age19ey5xs9gxy0738tcp2a66zcye2cxj6suhcwa6y39x3w0sdvyr5tsxp0rlj
@ -30,7 +31,7 @@ sops:
N0U5bkt4aXJOS3N0Z2N4YTg4TDVUVncKCQLUTMmdM/IPzV3NDRhPdta1tvXxy/6P N0U5bkt4aXJOS3N0Z2N4YTg4TDVUVncKCQLUTMmdM/IPzV3NDRhPdta1tvXxy/6P
RYbLzlUryw+tqfTp8nDrdxyOWScLNzPOswAq0Qf7VMcEQ5bJEkAOhQ== RYbLzlUryw+tqfTp8nDrdxyOWScLNzPOswAq0Qf7VMcEQ5bJEkAOhQ==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2025-10-31T16:41:02Z" lastmodified: "2025-11-01T18:02:01Z"
mac: ENC[AES256_GCM,data:IWJqR/RT4zh/rYOyTP+CxRzCpP6YadUd7F6ZiutxMx44QlCVjx6pEyG0MkFXqSl7A4PMFIx52Oh7uhoBcIYL1/g9maa2wQly2SfnZxA3trLzUwAYNbmDa1oBEDsZ/Ho3Hig49mZrV+ZY93wKRoKyPfhus7ewAyvXsbcjzX1ld9k=,iv:v8JpNjIu2avzkw58A2r74Zb31cWmgaQMJCl7vgYjBcI=,tag:oIO/+SzK3V1uN5VIMN9iTA==,type:str] mac: ENC[AES256_GCM,data:8AOmtfS69osCZOuqgD1TSva33S9fkUBpaZQxXXHWDzcf5f8pNeLUqtiSbWdq9/tUyzuP3klfMnSakoxIT30R45UKXNPdw4BKocRPFUGuQX+3qXOND3vklNRJxXjOSqcukevlOurqpAM+qD4D6udeOVGCP+L27Y3U8GY5wG92dvU=,iv:Fo4jMFhUj34M1VqzwHyBAp7moY2CSmXmg7OuyVeVO3E=,tag:ULoqtFQC0DOJvJppBqoedA==,type:str]
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.11.0 version: 3.11.0