zipline: add oidc

2025-11-01 20:32:22 -04:00 · 2025-11-01 20:32:22 -04:00 · 773c135b32
commit 773c135b32
parent ca1d1d0a32
3 changed files with 29 additions and 4 deletions
--- a/modules/nixos/services/homeserver/kanidm.nix
+++ b/modules/nixos/services/homeserver/kanidm.nix
@ -8,6 +8,10 @@
      owner = "kanidm";
      group = "kanidm";
    };
+    "kanidm/oauth2/zipline" = {
+      owner = "kanidm";
+      group = "kanidm";
+    };
  };

  users.groups.tls-kanidm.members = [ "caddy" "kanidm" ];
@ -63,7 +67,10 @@
        legalName = "Wo2wz_";
      };

-      groups.nextcloud-grp.members = [ "wo2w" ];
+      groups = {
+        nextcloud-grp.members = [ "wo2w" ];
+        zipline-grp.members = [ "wo2w" ];
+      };

      systems.oauth2 = {
        nextcloud = {
@ -74,6 +81,16 @@
          basicSecretFile = config.sops.secrets."kanidm/oauth2/nextcloud".path;
          scopeMaps.nextcloud-grp = [ "openid" "profile" ];
        };
+
+        zipline = {
+          displayName = "Zipline";
+          originUrl = "https://zipline.wo2wz.fyi/api/auth/oauth/oidc";
+          originLanding = "https://zipline.wo2wz.fyi";
+
+          allowInsecureClientDisablePkce = true;
+          basicSecretFile = config.sops.secrets."kanidm/oauth2/zipline".path;
+          scopeMaps.zipline-grp = [ "openid" "profile" "email" "offline_access" ];
+        };
      };
    };

--- a/modules/nixos/services/homeserver/zipline.nix
+++ b/modules/nixos/services/homeserver/zipline.nix
@ -36,6 +36,13 @@
      MFA_TOTP_ENABLED = "true";
      MFA_PASSKEYS = "true";

+      FEATURES_OAUTH_REGISTRATION = "true";
+      OAUTH_BYPASS_LOCAL_LOGIN = "true";
+      OAUTH_OIDC_CLIENT_ID = "zipline";
+      OAUTH_OIDC_AUTHORIZE_URL = "https://kanidm.wo2wz.fyi/ui/oauth2";
+      OAUTH_OIDC_USERINFO_URL = "https://kanidm.wo2wz.fyi/oauth2/openid/zipline/userinfo";
+      OAUTH_OIDC_TOKEN_URL = "https://kanidm.wo2wz.fyi/oauth2/token";
+
      FILES_MAX_FILE_SIZE = "3091283091716487142128741263894122347014687124687124614791824619246129491246128461841279468127468912461924612974182746182468712468126487912648126481256487126491672941974612945618274610289417846192849712471eb";
      FILES_ASSUME_MIMETYPES = "true";
      FILES_REMOVE_GPS_METADATA = "true";
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
@ -9,6 +9,7 @@ cloudflared:
 kanidm:
    oauth2:
        nextcloud: ENC[AES256_GCM,data:P7ha6OwX6A5PyNO4xy+UTfdQBeKbktJbK5Ggv/fLuW+SDrxTehuwM1F9A5el3j1Dsegk3VsrrTPBZTVU6i5qwA==,iv:YcvNvAZHjdBd9q5Uxdp+Phj5uQRqLoRi33rIzUcv7Ng=,tag:cXM58lfOpHbTbaJRNUm1Kw==,type:str]
+        zipline: ENC[AES256_GCM,data:q25Ugsqj6+we3dTDyczfxuGA1DcnlxUDbJLxlzVAF3wTtzdF4t6p2tkPlTtvvgLQQPg/sYAQB0zFE9DcxpxuCw==,iv:fyhRGFUTx1d0ITygUWOkaDAtVI2h05DMv3aEI/DUM2k=,tag:WaPRXbFXl1+aTC+ZtyITYw==,type:str]
 nextcloud:
    adminpass: ENC[AES256_GCM,data:eSQQkhcXB4s9pnJ1hToGgyEr+rGlMIKHLsU0EemMOng=,iv:USq1winT7GPGVKwDjfF+cFs/dj395zgXyTVQ/x1KNS0=,tag:Me6MKsZwUc4sjZIPfZmk+A==,type:str]
 onlyoffice:
@ -18,7 +19,7 @@ restic:
 vaultwarden:
    secrets.env: ENC[AES256_GCM,data:bvAAiZ/MTqwHzaNFw8C23R4w2wg7v01yL/Oz3PLty6VRCgivwvySVShV3ijde/zW/N4d6dYlG76sCemlWi/79/UcIV8sZivnLZ124oYh2iuBMNv9cLrwG/PiPYO74lyq+WcIhIimnur4f/o5PbqoanDfVTru50v5+3ovwuK1MsjOaLGU,iv:rrDfCcmzl3vpr6JVoNU5rlxYfCCZi3hUzEX5IlEoThU=,tag:dSEY6NOxRggyd28pbvV30w==,type:str]
 zipline:
-    secrets.env: ENC[AES256_GCM,data:+wBx60JmzMAW49HAH5hRhiWq1ufV0vsoUQcmU/1sVZc2AhGripu5SX8cJh28oIvR4BMN3pTDixZy8/0cGnlwqQ7vEJ2CgghaRNk32MagN9j2LmjwFKYbJHWGcw36vQQNcPlSNYSSOYLJcxYiiqhC0NQGiGLRcQ9bV7vR2Zwqu2Kqra3yVe7W4jdJOIqWpQ==,iv:jQKVGGE0x+6o49Q0AtGxNbWnYEYNOAbhUU7JExGYp98=,tag:SemVhXVPK2b3oJbjEpO3fg==,type:str]
+    secrets.env: ENC[AES256_GCM,data:wLU3M+yFHyf7g1MJ/1TJa9db8NT1L5aPDG9WgamOf1PVhiLyd0/p5m8EISD8DPePILe48jL2pxFBJVeeuKR8klKTrryyJye53V29YGGX2B3KMfWWKTIyYlAztOw91Xd0c9Qe256mX2UvoVa6xsZAxHSSxwjTm8zOijmzdwovzB2wiaNgoHNkYhKPBFO3aeZZLY5OrEQZ1gSQg3FkjU8jJuigxTJPgHEelQYwZXVwlUmGz51DXceWb0YJeal8Dw+nalhCGNWU3ZYa6ehKxIl170506ZisIl1/0CzrBWVvzttJX6HggLkQn88=,iv:g8/HnpTQKNtZQqplF4UoeLVtyHxR1QcY3Hch9dtoPkg=,tag:h3TDgC1I3QaTZuCHAs0rZg==,type:str]
 sops:
    age:
        - recipient: age19ey5xs9gxy0738tcp2a66zcye2cxj6suhcwa6y39x3w0sdvyr5tsxp0rlj
@ -30,7 +31,7 @@ sops:
            N0U5bkt4aXJOS3N0Z2N4YTg4TDVUVncKCQLUTMmdM/IPzV3NDRhPdta1tvXxy/6P
            RYbLzlUryw+tqfTp8nDrdxyOWScLNzPOswAq0Qf7VMcEQ5bJEkAOhQ==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-10-31T16:41:02Z"
-    mac: ENC[AES256_GCM,data:IWJqR/RT4zh/rYOyTP+CxRzCpP6YadUd7F6ZiutxMx44QlCVjx6pEyG0MkFXqSl7A4PMFIx52Oh7uhoBcIYL1/g9maa2wQly2SfnZxA3trLzUwAYNbmDa1oBEDsZ/Ho3Hig49mZrV+ZY93wKRoKyPfhus7ewAyvXsbcjzX1ld9k=,iv:v8JpNjIu2avzkw58A2r74Zb31cWmgaQMJCl7vgYjBcI=,tag:oIO/+SzK3V1uN5VIMN9iTA==,type:str]
+    lastmodified: "2025-11-01T18:02:01Z"
+    mac: ENC[AES256_GCM,data:8AOmtfS69osCZOuqgD1TSva33S9fkUBpaZQxXXHWDzcf5f8pNeLUqtiSbWdq9/tUyzuP3klfMnSakoxIT30R45UKXNPdw4BKocRPFUGuQX+3qXOND3vklNRJxXjOSqcukevlOurqpAM+qD4D6udeOVGCP+L27Y3U8GY5wG92dvU=,iv:Fo4jMFhUj34M1VqzwHyBAp7moY2CSmXmg7OuyVeVO3E=,tag:ULoqtFQC0DOJvJppBqoedA==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.11.0