2025-06-18 19:53:44 +03:00
|
|
|
{
|
|
|
|
|
config,
|
|
|
|
|
lib,
|
|
|
|
|
pkgs,
|
|
|
|
|
...
|
|
|
|
|
}:
|
2025-03-16 19:51:18 +04:00
|
|
|
let
|
|
|
|
|
inherit (lib)
|
|
|
|
|
mkOption
|
|
|
|
|
types
|
|
|
|
|
;
|
|
|
|
|
auth-passthru = config.selfprivacy.passthru.auth;
|
|
|
|
|
keys-path = auth-passthru.keys-path;
|
|
|
|
|
# generate OAuth2 client secret
|
2025-06-18 19:53:44 +03:00
|
|
|
mkKanidmExecStartPreScript =
|
|
|
|
|
oauthClientID: linuxGroup:
|
2025-03-16 19:51:18 +04:00
|
|
|
let
|
2025-04-11 16:34:50 +04:00
|
|
|
secretFP = auth-passthru.mkOAuth2ClientSecretFP linuxGroup;
|
2025-03-16 19:51:18 +04:00
|
|
|
in
|
2025-06-18 19:53:44 +03:00
|
|
|
pkgs.writeShellScript "${oauthClientID}-kanidm-ExecStartPre-script.sh" ''
|
2025-04-17 12:42:46 +04:00
|
|
|
set -o pipefail
|
|
|
|
|
set -o errexit
|
|
|
|
|
if ! [ -f "${secretFP}" ]
|
|
|
|
|
then
|
|
|
|
|
"${lib.getExe pkgs.openssl}" rand -base64 32 \
|
|
|
|
|
| tr "\n:@/+=" "012345" > "${secretFP}"
|
2025-03-16 19:51:18 +04:00
|
|
|
chmod 640 "${secretFP}"
|
2025-04-17 12:42:46 +04:00
|
|
|
fi
|
2025-03-16 19:51:18 +04:00
|
|
|
'';
|
2025-06-18 19:53:44 +03:00
|
|
|
mkKanidmExecStartPostScript =
|
|
|
|
|
oauthClientID: linuxGroup: isMailserver:
|
2025-03-16 19:51:18 +04:00
|
|
|
let
|
|
|
|
|
kanidmServiceAccountName = "sp.${oauthClientID}.service-account";
|
|
|
|
|
kanidmServiceAccountTokenName = "${oauthClientID}-service-account-token";
|
2025-06-18 19:53:44 +03:00
|
|
|
kanidmServiceAccountTokenFP = auth-passthru.mkServiceAccountTokenFP linuxGroup;
|
2025-04-22 01:21:15 +04:00
|
|
|
isRW = oauthClientID == "selfprivacy-api";
|
2025-03-16 19:51:18 +04:00
|
|
|
in
|
2025-06-18 19:53:44 +03:00
|
|
|
pkgs.writeShellScript "${oauthClientID}-kanidm-ExecStartPost-script.sh" (
|
|
|
|
|
''
|
2025-03-16 19:51:18 +04:00
|
|
|
export HOME=$RUNTIME_DIRECTORY/client_home
|
|
|
|
|
readonly KANIDM="${pkgs.kanidm}/bin/kanidm"
|
|
|
|
|
|
|
|
|
|
# try to get existing Kanidm service account
|
|
|
|
|
KANIDM_SERVICE_ACCOUNT="$($KANIDM service-account list --name idm_admin | grep -E "^name: ${kanidmServiceAccountName}$")"
|
|
|
|
|
echo KANIDM_SERVICE_ACCOUNT: "$KANIDM_SERVICE_ACCOUNT"
|
|
|
|
|
if [ -n "$KANIDM_SERVICE_ACCOUNT" ]
|
|
|
|
|
then
|
|
|
|
|
echo "kanidm service account \"${kanidmServiceAccountName}\" is found"
|
|
|
|
|
else
|
|
|
|
|
echo "kanidm service account \"${kanidmServiceAccountName}\" is not found"
|
|
|
|
|
echo "creating new kanidm service account \"${kanidmServiceAccountName}\""
|
|
|
|
|
if $KANIDM service-account create --name idm_admin "${kanidmServiceAccountName}" "${kanidmServiceAccountName}" idm_admin
|
|
|
|
|
then
|
|
|
|
|
echo "kanidm service account \"${kanidmServiceAccountName}\" created"
|
|
|
|
|
else
|
|
|
|
|
echo "error: cannot create kanidm service account \"${kanidmServiceAccountName}\""
|
|
|
|
|
exit 1
|
|
|
|
|
fi
|
|
|
|
|
fi
|
|
|
|
|
|
2025-04-22 01:21:15 +04:00
|
|
|
# create a new token for kanidm
|
|
|
|
|
if ! KANIDM_SERVICE_ACCOUNT_TOKEN_JSON="$($KANIDM service-account api-token generate --name idm_admin "${kanidmServiceAccountName}" "${kanidmServiceAccountTokenName}" ${lib.strings.optionalString isRW "--rw"} --output json)"
|
2025-03-16 19:51:18 +04:00
|
|
|
then
|
|
|
|
|
echo "error: kanidm CLI returns an error when trying to generate service-account api-token"
|
|
|
|
|
exit 1
|
|
|
|
|
fi
|
|
|
|
|
if ! KANIDM_SERVICE_ACCOUNT_TOKEN="$(echo "$KANIDM_SERVICE_ACCOUNT_TOKEN_JSON" | ${lib.getExe pkgs.jq} -r .result)"
|
|
|
|
|
then
|
|
|
|
|
echo "error: cannot get service-account API token from JSON"
|
|
|
|
|
exit 1
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
if ! install --mode=640 \
|
|
|
|
|
<(printf "%s" "$KANIDM_SERVICE_ACCOUNT_TOKEN") \
|
|
|
|
|
${kanidmServiceAccountTokenFP}
|
|
|
|
|
then
|
|
|
|
|
echo "error: cannot write token to \"${kanidmServiceAccountTokenFP}\""
|
|
|
|
|
exit 1
|
|
|
|
|
fi
|
2025-04-21 18:54:49 +04:00
|
|
|
|
|
|
|
|
''
|
|
|
|
|
+ lib.strings.optionalString isMailserver ''
|
|
|
|
|
# add Kanidm service account to `idm_mail_servers` group
|
|
|
|
|
$KANIDM group add-members idm_mail_servers "${kanidmServiceAccountName}"
|
2025-04-22 01:21:15 +04:00
|
|
|
''
|
|
|
|
|
+ lib.strings.optionalString isRW ''
|
|
|
|
|
$KANIDM group add-members idm_admins "${kanidmServiceAccountName}"
|
|
|
|
|
''
|
2025-06-18 19:53:44 +03:00
|
|
|
);
|
2025-03-16 19:51:18 +04:00
|
|
|
in
|
|
|
|
|
{
|
|
|
|
|
options.selfprivacy.auth = {
|
|
|
|
|
clients = mkOption {
|
2025-06-18 19:53:44 +03:00
|
|
|
description = "Configurations for OAuth2 & LDAP servers clients services. Corresponding Kanidm provisioning configuration and systemd scripts are generated.";
|
2025-03-16 19:51:18 +04:00
|
|
|
default = { };
|
|
|
|
|
type = types.attrsOf (
|
|
|
|
|
types.submodule {
|
|
|
|
|
options = {
|
|
|
|
|
clientID = mkOption {
|
|
|
|
|
type = types.nullOr types.str;
|
|
|
|
|
description = ''
|
|
|
|
|
Name of this client service. Used as OAuth2 client ID and to form Kanidm sp.$\{clientID}.* group names. Defaults to attribute name in virtualHosts;
|
|
|
|
|
'';
|
|
|
|
|
default = null;
|
|
|
|
|
};
|
|
|
|
|
displayName = mkOption {
|
|
|
|
|
type = types.nullOr types.str;
|
|
|
|
|
description = "Display name showed in Kanidm Web GUI. Defaults to clientID.";
|
|
|
|
|
default = null;
|
|
|
|
|
};
|
|
|
|
|
enablePkce = mkOption {
|
|
|
|
|
type = lib.types.bool;
|
2025-06-18 19:53:44 +03:00
|
|
|
description = "Whether PKCE must be used between client and Kanidm.";
|
2025-03-16 19:51:18 +04:00
|
|
|
default = false;
|
|
|
|
|
};
|
|
|
|
|
adminsGroup = mkOption {
|
2025-06-18 19:53:44 +03:00
|
|
|
type = types.nullOr (lib.types.strMatching "sp\.[A-Za-z0-9]+\.admins");
|
|
|
|
|
description = "Name of admins group in Kanidm, whose members have admin level access to resources (service) associated with OAuth2 client authorization.";
|
2025-03-16 19:51:18 +04:00
|
|
|
default = null;
|
|
|
|
|
};
|
|
|
|
|
usersGroup = mkOption {
|
2025-06-18 19:53:44 +03:00
|
|
|
type = types.nullOr (lib.types.strMatching "sp\.[A-Za-z0-9]+\.users");
|
|
|
|
|
description = "Name of users group in Kanidm, whose members have user level access to resources (service) associated with OAuth2 client authorization.";
|
2025-03-16 19:51:18 +04:00
|
|
|
default = null;
|
|
|
|
|
};
|
2025-03-26 15:57:59 +04:00
|
|
|
originLanding = mkOption {
|
|
|
|
|
type = types.nullOr lib.types.str;
|
2025-06-18 19:53:44 +03:00
|
|
|
description = "The origin landing of the service for OAuth2 redirects.";
|
2025-03-26 15:57:59 +04:00
|
|
|
};
|
2025-03-16 19:51:18 +04:00
|
|
|
originUrl = mkOption {
|
|
|
|
|
type = types.nullOr lib.types.str;
|
2025-06-18 19:53:44 +03:00
|
|
|
description = "The origin URL of the service for OAuth2 redirects.";
|
2025-03-16 19:51:18 +04:00
|
|
|
};
|
|
|
|
|
subdomain = lib.mkOption {
|
2025-06-18 19:53:44 +03:00
|
|
|
type = lib.types.strMatching "[A-Za-z0-9][A-Za-z0-9\-]{0,61}[A-Za-z0-9]";
|
2025-03-16 19:51:18 +04:00
|
|
|
description = "Subdomain of the service.";
|
|
|
|
|
};
|
|
|
|
|
# when true, "name" is passed to a service instead of "name@domain"
|
|
|
|
|
useShortPreferredUsername = mkOption {
|
2025-06-18 19:53:44 +03:00
|
|
|
description = "Use 'name' instead of 'spn' in the preferred_username claim.";
|
2025-03-16 19:51:18 +04:00
|
|
|
type = types.bool;
|
|
|
|
|
default = true;
|
|
|
|
|
};
|
|
|
|
|
linuxUserOfClient = mkOption {
|
|
|
|
|
type = types.nullOr lib.types.str;
|
2025-06-18 19:53:44 +03:00
|
|
|
description = "Name of a Linux OAuth2 client user, under which it should get access through a folder with keys.";
|
2025-03-16 19:51:18 +04:00
|
|
|
default = null;
|
|
|
|
|
};
|
|
|
|
|
linuxGroupOfClient = mkOption {
|
|
|
|
|
type = types.nullOr lib.types.str;
|
2025-06-18 19:53:44 +03:00
|
|
|
description = "Name of Linux OAuth2 client group, under which it should read an OAuth2 client secret file.";
|
2025-03-16 19:51:18 +04:00
|
|
|
default = null;
|
|
|
|
|
};
|
|
|
|
|
isTokenNeeded = mkOption {
|
2025-06-18 19:53:44 +03:00
|
|
|
description = "Whether a read-only needs to be generated for LDAP access.";
|
2025-03-16 19:51:18 +04:00
|
|
|
type = types.bool;
|
|
|
|
|
default = false;
|
|
|
|
|
};
|
|
|
|
|
clientSystemdUnits = mkOption {
|
|
|
|
|
description = "A list of systemd services, which depend on OAuth service";
|
|
|
|
|
# taken from nixos/lib/systemd-lib.nix: unitNameType
|
2025-06-18 19:53:44 +03:00
|
|
|
type = types.listOf (
|
|
|
|
|
types.strMatching "[a-zA-Z0-9@%:_.\\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)"
|
|
|
|
|
);
|
2025-03-16 19:51:18 +04:00
|
|
|
};
|
|
|
|
|
scopeMaps = mkOption {
|
|
|
|
|
description = ''
|
|
|
|
|
Maps kanidm groups to returned oauth scopes.
|
|
|
|
|
See [Scope Relations](https://kanidm.github.io/kanidm/stable/integrations/oauth2.html#scope-relationships) for more information.
|
|
|
|
|
'';
|
|
|
|
|
type = types.nullOr (types.attrsOf (types.listOf types.str));
|
|
|
|
|
default = null;
|
|
|
|
|
};
|
|
|
|
|
claimMaps = mkOption {
|
|
|
|
|
description = ''
|
|
|
|
|
Adds additional claims (and values) based on which kanidm groups an authenticating party belongs to.
|
|
|
|
|
See [Claim Maps](https://kanidm.github.io/kanidm/master/integrations/oauth2.html#custom-claim-maps) for more information.
|
|
|
|
|
'';
|
|
|
|
|
default = { };
|
|
|
|
|
type = types.attrsOf (
|
|
|
|
|
types.submodule {
|
|
|
|
|
options = {
|
|
|
|
|
joinType = mkOption {
|
|
|
|
|
description = ''
|
|
|
|
|
Determines how multiple values are joined to create the claim value.
|
|
|
|
|
See [Claim Maps](https://kanidm.github.io/kanidm/master/integrations/oauth2.html#custom-claim-maps) for more information.
|
|
|
|
|
'';
|
|
|
|
|
type = types.enum [
|
|
|
|
|
"array"
|
|
|
|
|
"csv"
|
|
|
|
|
"ssv"
|
|
|
|
|
];
|
|
|
|
|
default = "array";
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
valuesByGroup = mkOption {
|
|
|
|
|
description = "Maps kanidm groups to values for the claim.";
|
|
|
|
|
default = { };
|
|
|
|
|
type = types.attrsOf (types.listOf types.str);
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
}
|
|
|
|
|
);
|
|
|
|
|
};
|
2025-04-16 14:55:55 +04:00
|
|
|
imageFile = mkOption {
|
|
|
|
|
type = types.nullOr lib.types.path;
|
|
|
|
|
description = ''
|
|
|
|
|
Filepath of an image which is displayed in Kanidm web GUI for a service.
|
|
|
|
|
'';
|
|
|
|
|
default = null;
|
|
|
|
|
};
|
2025-04-21 18:54:49 +04:00
|
|
|
isMailserver = mkOption {
|
|
|
|
|
type = types.bool;
|
|
|
|
|
description = ''
|
|
|
|
|
Whether client is a mailserver.
|
|
|
|
|
'';
|
|
|
|
|
default = false;
|
|
|
|
|
};
|
2025-03-16 19:51:18 +04:00
|
|
|
};
|
|
|
|
|
}
|
|
|
|
|
);
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
config = lib.mkIf config.selfprivacy.sso.enable (
|
|
|
|
|
let
|
2025-06-18 19:53:44 +03:00
|
|
|
clientsAttrsList = lib.attrsets.mapAttrsToList (
|
|
|
|
|
name: attrs:
|
|
|
|
|
attrs
|
|
|
|
|
// rec {
|
|
|
|
|
clientID = if attrs.clientID == null then name else attrs.clientID;
|
|
|
|
|
displayName = if attrs.displayName == null then clientID else attrs.displayName;
|
|
|
|
|
adminsGroup = if attrs.adminsGroup == null then "sp.${clientID}.admins" else attrs.adminsGroup;
|
|
|
|
|
usersGroup = if attrs.usersGroup == null then "sp.${clientID}.users" else attrs.usersGroup;
|
|
|
|
|
basicSecretFile = "${keys-path}/${linuxGroupOfClient}/kanidm-oauth-client-secret";
|
|
|
|
|
linuxUserOfClient = if attrs.linuxUserOfClient == null then clientID else attrs.linuxUserOfClient;
|
2025-03-16 19:51:18 +04:00
|
|
|
linuxGroupOfClient =
|
2025-06-18 19:53:44 +03:00
|
|
|
if attrs.linuxGroupOfClient == null then clientID else attrs.linuxGroupOfClient;
|
2025-03-26 15:57:59 +04:00
|
|
|
originLanding =
|
2025-06-18 19:53:44 +03:00
|
|
|
if attrs.originLanding == null then
|
|
|
|
|
"https://${attrs.subdomain}.${config.selfprivacy.domain}/"
|
|
|
|
|
else
|
|
|
|
|
attrs.originLanding;
|
2025-03-16 19:51:18 +04:00
|
|
|
scopeMaps =
|
2025-06-18 19:53:44 +03:00
|
|
|
if attrs.scopeMaps == null then
|
|
|
|
|
{
|
|
|
|
|
"${usersGroup}" = [
|
|
|
|
|
"email"
|
|
|
|
|
"openid"
|
|
|
|
|
"profile"
|
|
|
|
|
];
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
attrs.scopeMaps;
|
|
|
|
|
}
|
|
|
|
|
) config.selfprivacy.auth.clients;
|
2025-03-16 19:51:18 +04:00
|
|
|
in
|
|
|
|
|
{
|
|
|
|
|
# for each OAuth2 client: member of the `keys` group for directory access
|
2025-06-18 19:53:44 +03:00
|
|
|
users.groups.keys.members = lib.mkMerge (
|
|
|
|
|
lib.forEach clientsAttrsList ({ linuxUserOfClient, ... }: [ linuxUserOfClient ])
|
2025-03-16 19:51:18 +04:00
|
|
|
);
|
|
|
|
|
|
2025-06-18 19:53:44 +03:00
|
|
|
systemd.tmpfiles.settings."kanidm-secrets" = lib.mkMerge (
|
|
|
|
|
lib.forEach clientsAttrsList (
|
|
|
|
|
{ linuxGroupOfClient, ... }:
|
|
|
|
|
{
|
|
|
|
|
"${keys-path}/${linuxGroupOfClient}".d = {
|
|
|
|
|
user = "kanidm";
|
|
|
|
|
group = linuxGroupOfClient;
|
|
|
|
|
mode = "2750";
|
|
|
|
|
};
|
|
|
|
|
}
|
|
|
|
|
)
|
2025-04-11 16:13:59 +04:00
|
|
|
);
|
|
|
|
|
|
2025-03-16 19:51:18 +04:00
|
|
|
# for each OAuth2 client: scripts with Kanidm CLI commands
|
|
|
|
|
systemd.services.kanidm = {
|
2025-06-18 19:53:44 +03:00
|
|
|
before = lib.lists.concatMap ({ clientSystemdUnits, ... }: clientSystemdUnits) clientsAttrsList;
|
|
|
|
|
serviceConfig = lib.mkMerge (
|
|
|
|
|
lib.forEach clientsAttrsList (
|
|
|
|
|
{
|
|
|
|
|
clientID,
|
|
|
|
|
isTokenNeeded,
|
|
|
|
|
linuxGroupOfClient,
|
|
|
|
|
isMailserver,
|
|
|
|
|
...
|
|
|
|
|
}:
|
|
|
|
|
{
|
|
|
|
|
ExecStartPre = [
|
|
|
|
|
# "-" prefix means to ignore exit code of prefixed script
|
|
|
|
|
("-" + mkKanidmExecStartPreScript clientID linuxGroupOfClient)
|
|
|
|
|
];
|
|
|
|
|
ExecStartPost = lib.mkIf isTokenNeeded (
|
|
|
|
|
lib.mkAfter [
|
|
|
|
|
("-" + mkKanidmExecStartPostScript clientID linuxGroupOfClient isMailserver)
|
|
|
|
|
]
|
|
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
)
|
|
|
|
|
);
|
2025-03-16 19:51:18 +04:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
# for each OAuth2 client: Kanidm provisioning options
|
2025-06-18 19:53:44 +03:00
|
|
|
services.kanidm.provision = lib.mkMerge (
|
|
|
|
|
lib.forEach clientsAttrsList (
|
|
|
|
|
{
|
|
|
|
|
adminsGroup,
|
|
|
|
|
basicSecretFile,
|
|
|
|
|
claimMaps,
|
|
|
|
|
clientID,
|
|
|
|
|
displayName,
|
|
|
|
|
enablePkce,
|
|
|
|
|
imageFile,
|
|
|
|
|
originLanding,
|
|
|
|
|
originUrl,
|
|
|
|
|
scopeMaps,
|
|
|
|
|
useShortPreferredUsername,
|
|
|
|
|
usersGroup,
|
|
|
|
|
...
|
|
|
|
|
}:
|
|
|
|
|
{
|
|
|
|
|
groups = lib.mkIf (clientID != "selfprivacy-api") {
|
|
|
|
|
"${adminsGroup}".members = [ auth-passthru.admins-group ];
|
|
|
|
|
"${usersGroup}".members = [
|
|
|
|
|
adminsGroup
|
|
|
|
|
auth-passthru.full-users-group
|
|
|
|
|
];
|
|
|
|
|
};
|
|
|
|
|
systems.oauth2.${clientID} = {
|
|
|
|
|
inherit
|
|
|
|
|
basicSecretFile
|
|
|
|
|
claimMaps
|
|
|
|
|
displayName
|
|
|
|
|
imageFile
|
|
|
|
|
originLanding
|
|
|
|
|
originUrl
|
|
|
|
|
scopeMaps
|
|
|
|
|
;
|
|
|
|
|
preferShortUsername = useShortPreferredUsername;
|
|
|
|
|
allowInsecureClientDisablePkce = !enablePkce;
|
|
|
|
|
removeOrphanedClaimMaps = true;
|
2025-03-16 19:51:18 +04:00
|
|
|
|
2025-06-18 19:53:44 +03:00
|
|
|
# NOTE https://github.com/oddlama/kanidm-provision/issues/15
|
|
|
|
|
# add more scopes when a user is a member of specific group
|
|
|
|
|
# currently not possible due to https://github.com/kanidm/kanidm/issues/2882#issuecomment-2564490144
|
|
|
|
|
# supplementaryScopeMaps."${admins-group}" =
|
|
|
|
|
# [ "read:admin" "write:admin" ];
|
|
|
|
|
};
|
|
|
|
|
}
|
|
|
|
|
)
|
|
|
|
|
);
|
2025-03-16 19:51:18 +04:00
|
|
|
}
|
|
|
|
|
);
|
|
|
|
|
}
|
