auth and git

2025-08-19 21:12:39 +02:00 · 2025-08-19 21:12:39 +02:00 · 2d9feaa634
commit 2d9feaa634
parent d35531c1bd
24 changed files with 787 additions and 16 deletions
--- a/fili/services/auth/default.nix
+++ b/fili/services/auth/default.nix
@ -0,0 +1,6 @@
+_: {
+  imports = [
+    ./kanidm.nix
+    ./oauth2-proxy.nix
+  ];
+}
--- a/fili/services/auth/kanidm.nix
+++ b/fili/services/auth/kanidm.nix
@ -0,0 +1,45 @@
+{pkgs, config, ...}: let
+  lib = pkgs.lib;
+  domain = "auth.donsz.nl";
+  port = 3013;
+  backupsDir = "/var/lib/kanidm/backup";
+in {
+  services.kanidm.enableServer = true;
+  services.kanidm.package = pkgs.kanidm_1_6;
+  services.kanidm.serverSettings = {
+    tls_chain = "/var/lib/acme/${domain}/fullchain.pem";
+    tls_key = "/var/lib/acme/${domain}/key.pem";
+    bindaddress = "[::1]:${toString port}";
+    ldapbindaddress = "[::1]:3636";
+    inherit domain;
+    origin = "https://${domain}";
+    trust_x_forward_for = true;
+
+    online_backup = {
+      path = backupsDir;
+      schedule = "0 0 * * *";
+    };
+  };
+
+  systemd.services.kanidm = {
+    preStart = lib.mkBefore ''
+      mkdir -p "${backupsDir}"
+    '';
+    serviceConfig = {
+      SupplementaryGroups =
+        [ config.security.acme.certs.${domain}.group ];
+    };
+  };
+
+  environment.systemPackages = [pkgs.kanidm];
+
+  services.nginx.virtualHosts.${domain} = {
+    forceSSL = true;
+    http2 = true;
+    enableACME = true;
+
+    locations."/" = {
+      proxyPass = "https://[::1]:${toString port}";
+    };
+  };
+}
--- a/fili/services/auth/oauth2-proxy.nix
+++ b/fili/services/auth/oauth2-proxy.nix
@ -0,0 +1,50 @@
+{pkgs, config, ...}: {
+  sops.secrets.oauth2-proxy = {
+    sopsFile = ../../../secrets/oauth2-proxy.env;
+  };
+
+  services.oauth2-proxy =
+    let
+      auth = import ../../lib/auth.nix { baseUrl = "https://auth.donsz.nl"; clientId = "homeserver"; };
+    in {
+    enable = true;
+
+    provider = "oidc";
+    clientID = "${auth.clientId}";
+    oidcIssuerUrl = auth.oidcIssuerUri;
+
+    proxyPrefix = "/oauth2";
+    reverseProxy = true;
+
+    keyFile = config.sops.secrets.oauth2-proxy.path;
+
+    loginURL = auth.apiAuthUrl;
+    redeemURL = auth.tokenUrl;
+    validateURL = auth.rfc7662TokenIntrospectionUrl;
+    profileURL = auth.oidcUserInfo;
+
+    scope = "openid profile email";
+
+    email.domains = [ "*" ];
+
+    cookie = {
+      domain = "donsz.nl";
+      refresh = "1h";
+      secure = true;
+    };
+
+    extraConfig = {
+      whitelist-domain = ["*.donsz.nl"];
+    };
+
+    nginx.domain = "oauth2.donsz.nl";
+  };
+
+  services.nginx.virtualHosts."oauth2.donsz.nl" = {
+    forceSSL = true;
+    http2 = true;
+    enableACME = true;
+
+    locations."/".return = "301 https://oauth2.donsz.nl/oauth2/sign_in";
+  };
+}