machines/nix/systems/aarch64-linux/security.kaareskovgaard.net/kanidm_application.nix
Kaare Hoff Skovgaard 30cf1f407a
Split up terraform configurations even more
This should allow for disks to survive destruction of
instances.

Also support creating additional disks on Hetzner, storing
a mapping from Nix disk names to their Linux device paths.
Something similar should also be possible to create for OpenStack,
allowing a provider-agnostic way of mapping between them.
2025-08-04 23:46:01 +02:00


# NixOS module for Kanidm OAuth2 applications.
#
# Declares `khscodes.security.kanidm.applications` and, for every application
# listed there, wires up three things:
#   * a terranix module that generates a random basic secret and stores it in
#     the Vault KV v2 mount under apps/<name>;
#   * a vault-agent template that renders that secret to /run/kanidm, readable
#     only by the kanidm user;
#   * a Kanidm OAuth2 client (services.kanidm.provision) that reads the secret
#     from that file.
# Everything that depends on the secret files is gated on the host not being in
# its bootstrap phase, since the secrets do not exist yet at that point.
{
config,
lib,
...
}:
let
cfg = config.khscodes.security.kanidm;
# Path where vault-agent renders an application's basic secret.
# NOTE(review): the application name is interpolated unescaped here and into the
# Vault KV path used by the agent template; names are expected to be plain
# identifiers, nothing in this file enforces that.
secretFileForApplication = appName: "/run/kanidm/${appName}_secret";
# All rendered secret files, in attribute-name order; used as a start condition
# for kanidm.service so it does not come up with missing secrets.
secretFiles = map secretFileForApplication (builtins.attrNames cfg.applications);
# One vault-agent template per application. Each reads `basic_secret` from the
# KV v2 secret kanidm/data/apps/<name> and writes it, mode 0600 and owned by
# the kanidm user, to the path the OAuth2 client definition points at.
# kanidm.service is reloaded/restarted whenever the rendered value changes.
vaultAgentTemplates = lib.mapAttrsToList (
  appName: _:
  let
    template = ''
      {{- with secret "kanidm/data/apps/${appName}" -}}
      {{ .Data.data.basic_secret }}
      {{- end -}}
    '';
  in
  {
    contents = template;
    destination = secretFileForApplication appName;
    perms = "0600";
    owner = "kanidm";
    group = "kanidm";
    reloadOrRestartUnits = [ "kanidm.service" ];
  }
) cfg.applications;
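# Per-application terranix module: generates a 48-character alphanumeric
# password (`random_password`) and stores it in the Kanidm KV v2 mount as
# apps/<name>, which is where the vault-agent template reads it from.
# NOTE: the generated value is also held in Terraform state, so the state
# backend must be protected like any other secret store.
terranixModules = lib.mapAttrsToList (
  appName: app:
  # `config` here is the terranix config, deliberately shadowing the NixOS one.
  { config, ... }:
  let
    # Terraform resource names must be sanitised; the Vault path below keeps
    # the raw application name so it matches the agent template and the
    # read policy granted on kanidm/data/apps/*.
    tfName = lib.khscodes.sanitize-terraform-name (
      if app.terranixName == null then appName else app.terranixName
    );
    passwordRef = "resource.random_password.${tfName}_secret.result";
  in
  {
    resource.random_password."${tfName}_secret" = {
      length = 48;
      numeric = true;
      lower = true;
      upper = true;
      special = false;
    };
    resource.vault_kv_secret_v2."${tfName}_secret" = {
      mount = config.khscodes.vault.output.mount.kanidm.path;
      name = "apps/${appName}";
      # Let Terraform's jsonencode() build the document so the value is always
      # escaped correctly, instead of splicing the password into a hand-written
      # JSON literal whose validity silently depends on `special = false`.
      # (`\${` yields a literal `${` for Terraform to interpolate.)
      data_json = "\${jsonencode({ basic_secret = ${passwordRef} })}";
    };
  }
) cfg.applications;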
# Kanidm OAuth2 client definitions, keyed exactly like cfg.applications.
# Every client is confidential (`public = false`) and authenticates with the
# basic secret vault-agent renders to disk; while bootstrapping no secret file
# exists yet, so basicSecretFile is left unset.
systemsOauth2 = lib.mapAttrs (
  appName: app:
  let
    secretFile = secretFileForApplication appName;
  in
  {
    present = true;
    public = false;
    preferShortUsername = true;
    displayName = app.displayName;
    originUrl = app.allowedRedirectUris;
    originLanding = app.landingUri;
    scopeMaps = app.scopeMaps;
    claimMaps = app.claimMaps;
    allowInsecureClientDisablePkce = app.allowInsecureClientDisablePkce;
    basicSecretFile = lib.mkIf (!bootstrapping) secretFile;
  }
) cfg.applications;
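# Submodule type describing one Kanidm OAuth2 application. Option descriptions
# are filled in so the generated module documentation explains each setting.
kanidmApplication = lib.khscodes.mkSubmodule {
  description = "Kanidm application";
  options = {
    terranixName = lib.mkOption {
      type = lib.types.nullOr lib.types.str;
      default = null;
      description = ''
        Base name for the Terraform resources of this application (sanitised
        before use). Defaults to the attribute name.
      '';
    };
    displayName = lib.mkOption {
      type = lib.types.str;
      description = "Display name of the OAuth2 client in Kanidm.";
    };
    scopeMaps = lib.mkOption {
      type = lib.types.attrsOf (lib.types.listOf lib.types.str);
      description = ''
        Scope maps passed through to the Kanidm OAuth2 client provisioning:
        attribute name to list of scopes.
      '';
    };
    allowedRedirectUris = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      description = "Allowed redirect URIs; provisioned as the client's originUrl.";
    };
    allowInsecureClientDisablePkce = lib.mkOption {
      type = lib.types.bool;
      default = false;
      # Off by default: disabling PKCE weakens the authorization-code flow.
      description = "Allow this client to disable PKCE (insecure). Off by default.";
    };
    landingUri = lib.mkOption {
      type = lib.types.str;
      description = "Landing page URI; provisioned as the client's originLanding.";
    };
    claimMaps = lib.mkOption {
      type = lib.types.anything;
      default = { };
      description = ''
        Claim maps passed through unchanged to the Kanidm OAuth2 client
        provisioning. Not type-checked here.
      '';
    };
  };
};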
# True while the host is in its bootstrap phase, i.e. before the application
# secrets can exist; everything that depends on the secret files is gated on it.
bootstrapping = config.khscodes."security.kaareskovgaard.net".bootstrap.enable;
in
{
  options.khscodes.security.kanidm.applications = lib.mkOption {
    type = lib.types.attrsOf kanidmApplication;
  };
  config = {
    # Read-only access for the server's AppRole to its own application secrets.
    khscodes.infrastructure.vault-server-approle.policy."kanidm/data/apps/*".capabilities = [ "read" ];
    # Outside of bootstrap, do not start kanidm until every secret file has been
    # rendered by vault-agent: all listed paths must exist for the unit to run.
    # Left undefined while bootstrapping so no dependency on vault-agent is added.
    systemd.services.kanidm = lib.mkIf (!bootstrapping) {
      unitConfig.ConditionPathExists = secretFiles;
    };
    khscodes.services.vault-agent.templates = vaultAgentTemplates;
    # The per-application terranix modules plus the provider they all rely on.
    khscodes.infrastructure.provisioning.configuration.modules = terranixModules ++ lib.singleton {
      terraform.required_providers.random = {
        source = "hashicorp/random";
        version = "3.7.2";
      };
      provider.random = { };
    };
    # The OAuth2 clients reference the secret files, so they are only provisioned
    # once those have been generated, never while bootstrapping.
    services.kanidm.provision.systems.oauth2 = lib.mkIf (!bootstrapping) systemsOauth2;
  };
}