even more backups of things

2025-10-28 16:11:45 -05:00 · 2025-10-28 16:11:45 -05:00 · 630f9b0074
commit 630f9b0074
parent b8d125d448
46 changed files with 1166 additions and 197 deletions
--- a/hosts/lithium/services/old-kanidm.nix
+++ b/hosts/lithium/services/old-kanidm.nix
@ -0,0 +1,79 @@
+{ config, pkgs, lib, ... }:
+let
+  cfg = config.services.kanidm;
+  authDomain = "auth.${config.networking.domain}";
+  certsDir = config.security.acme.certs."${authDomain}".directory;
+in
+{
+  # TODO: Pull in the appropriate sops-nix secrets and get this baby rolling.
+  # https://github.com/search?q=language%3ANix+services.kanidm&type=code
+  services.kanidm = {
+    # NOTE: Pin a specific kanidm version, we don't want issues from auto-updating.
+    package = pkgs.kanidm_1_6;
+    enableServer = true;
+
+    # TODO: Initial kanidm setup.
+    # I sort of want users to be able to create their own accounts and what I
+    # don't want is for any of their account information to be leaked here as
+    # it can be used for remote logins.
+    # So kanidm accounts aside from the administration will be "impure".
+    # I vastly prefer people being able to set their own credentials:
+    # https://kanidm.github.io/kanidm/stable/accounts/authentication_and_credentials.html#onboarding-a-new-person--resetting-credentials
+    provision = {
+      enable = true;
+      autoRemove = false;
+      # TODO: Add secrets from `sops-nix`.
+      adminPasswordFile = "TODO!SETME";
+      idmAdminPasswordFile = "TODO!SETME";
+
+      persons = {
+        # https://kanidm.github.io/kanidm/stable/accounts/authentication_and_credentials.html#resetting-person-account-credentials
+        # Needs to be a member of idm_people_admins and idm_high_privilege to prevent idm_service_desk from tampering.
+        zenware = {
+          displayName = "zenware";
+          legalName = "zenware";
+          mailAddresses = [ "zenware@${config.networking.domain} "];
+          groups = [
+            "idm_high_privilege"
+            "git.users"
+            "git.admins"
+          ];
+        };
+        # TODO: Make an idm_service_desk account.
+      };
+      groups = {
+        # This group is `git` because it could be forgejo, gitea, etc.
+        "git.users" = {};
+        "git.admins" = {};
+      };
+      systems.oauth2 = {
+        forgejo = {
+          displayName = "forgejo";
+          originUrl = "TODO!SETME";
+          originLanding = "TODO!SETME";
+          basicSecretFile = "TODO!SETME";
+          scopeMaps."git.users" = [
+            "openid"
+            "email"
+            "profile"
+          ];
+          # WARNING: PKCE is currently not supported by gitea/forgejo,
+          # see https://github.com/go-gitea/gitea/issues/21376
+          allowInsecureClientDisablePkce = true;
+          preferShortUsername = true;
+          claimMaps.groups = {
+            joinType = "array";
+            valuesByGroup."git.admins" = [ "admin" ];
+          };
+        };
+      };
+    };
+
+    #enableClient = false;
+    clientSettings = {
+      uri = "https://${authDomain}";
+      verify_hostnames = true;
+      verify_ca = true;
+    };
+  };
+}