sp-config/auth/auth.nix

{ config, lib, pkgs, ... }:
let
  domain = config.selfprivacy.domain;
  subdomain = "auth";
  auth-fqdn = subdomain + "." + domain;

  ldap-host = "127.0.0.1";
  ldap-port = 3636;

  keys-path = "/run/keys";

  admins-group = "sp.admins";
  full-users-group = "sp.full_users";

  kanidm-bind-address = "127.0.0.1:3013";

  selfprivacy-group = config.users.users."selfprivacy-api".group;

  selfprivacy-service-account-name = "sp.selfprivacy-api.service-account";

  kanidm-service-account-token-name =
    "${selfprivacy-group}-service-account-token";
  kanidm-service-account-token-fp =
    "${keys-path}/${selfprivacy-group}/kanidm-service-account-token";
  kanidmExecStartPreScriptRoot = pkgs.writeShellScript
    "${selfprivacy-group}-kanidm-ExecStartPre-root-script.sh"
    ''
      # set-group-ID bit allows for kanidm user to create files,
      mkdir -p -v --mode=u+rwx,g+rs,g-w,o-rwx /run/keys/${selfprivacy-group}
      chown kanidm:${selfprivacy-group} /run/keys/${selfprivacy-group}
    '';

  spApiUserExecStartPostScript =
    pkgs.writeShellScript "spApiUserExecStartPostScript" ''
      export HOME=$RUNTIME_DIRECTORY/client_home
      readonly KANIDM="${pkgs.kanidm}/bin/kanidm"

      # get Kanidm service account for SelfPrivacyAPI
      KANIDM_SERVICE_ACCOUNT="$($KANIDM service-account list --name idm_admin | grep -E "^name: ${selfprivacy-service-account-name}$")"
      echo KANIDM_SERVICE_ACCOUNT: "$KANIDM_SERVICE_ACCOUNT"
      if [ -n "$KANIDM_SERVICE_ACCOUNT" ]
      then
          echo "kanidm service account \"${selfprivacy-service-account-name}\" is found"
      else
          echo "kanidm service account \"${selfprivacy-service-account-name}\" is not found"
          echo "creating new kanidm service account \"${selfprivacy-service-account-name}\""
          if $KANIDM service-account create --name idm_admin "${selfprivacy-service-account-name}" "SelfPrivacy API service account" idm_admin
          then
              echo "kanidm service account \"${selfprivacy-service-account-name}\" created"
          else
              echo "error: cannot create kanidm service account \"${selfprivacy-service-account-name}\""
              exit 1
          fi
      fi

      $KANIDM group add-members idm_admins "${selfprivacy-service-account-name}"

      # create a new read-write token for kanidm
      if ! KANIDM_SERVICE_ACCOUNT_TOKEN_JSON="$($KANIDM service-account api-token generate --name idm_admin "${selfprivacy-service-account-name}" "${kanidm-service-account-token-name}" --output json)"
      then
          echo "error: kanidm CLI returns an error when trying to generate service-account api-token"
          exit 1
      fi
      if ! KANIDM_SERVICE_ACCOUNT_TOKEN="$(echo "$KANIDM_SERVICE_ACCOUNT_TOKEN_JSON" | ${lib.getExe pkgs.jq} -r .result)"
      then
          echo "error: cannot get service-account API token from JSON"
          exit 1
      fi

      if ! install --mode=640 \
      <(printf "%s" "$KANIDM_SERVICE_ACCOUNT_TOKEN") \
      ${kanidm-service-account-token-fp}
      then
          echo "error: cannot write token to \"${kanidm-service-account-token-fp}\""
          exit 1
      fi
    '';

  # lua stuff for nginx for debugging only
  lua_core_path = "${pkgs.luajitPackages.lua-resty-core}/lib/lua/5.1/?.lua";
  lua_lrucache_path = "${pkgs.luajitPackages.lua-resty-lrucache}/lib/lua/5.1/?.lua";
  lua_path = "${lua_core_path};${lua_lrucache_path};";
in
lib.mkIf config.selfprivacy.sso.enable {
  networking.hosts = {
    # Allow the services to communicate with kanidm even if
    # there is no DNS record yet
    "127.0.0.1" = [ auth-fqdn ];
  };


  # kanidm uses TLS in internal connection with nginx too
  # FIXME revise this: maybe kanidm must not have access to a public TLS
  users.groups."acmereceivers".members = [ "kanidm" ];

  # for ExecStartPost scripts to have access to /run/keys/*
  users.groups.keys.members = [ "kanidm" ];

  services.kanidm = {
    enableServer = true;

    # kanidm with Rust code patches for OAuth and admin passwords provisioning
    package = pkgs.kanidm.withSecretProvisioning;

    serverSettings = {
      inherit domain;
      # The origin for webauthn. This is the url to the server, with the port
      # included if it is non-standard (any port except 443). This must match or
      # be a descendent of the domain name you configure above. If these two
      # items are not consistent, the server WILL refuse to start!
      origin = "https://" + auth-fqdn;

      # TODO revise this: maybe kanidm must not have access to a public TLS
      tls_chain =
        "${config.security.acme.certs.${domain}.directory}/fullchain.pem";
      tls_key =
        "${config.security.acme.certs.${domain}.directory}/key.pem";

      # nginx should proxy requests to it
      bindaddress = kanidm-bind-address;

      ldapbindaddress =
        "${ldap-host}:${toString ldap-port}";

      # kanidm is behind a proxy
      trust_x_forward_for = true;

      log_level = if config.selfprivacy.sso.debug then "trace" else "info";
    };
    provision = {
      enable = true;
      autoRemove = true; # if false, obsolete oauth2 scopeMaps remain
      groups.${admins-group}.present = true;
      groups.${full-users-group}.present = true;
    };
    enableClient = true;
    clientSettings = {
      uri = "https://" + auth-fqdn;
      verify_ca = false; # FIXME
      verify_hostnames = false; # FIXME
    };
  };

  services.nginx = {
    enable = true;
    additionalModules =
      lib.mkIf config.selfprivacy.sso.debug [ pkgs.nginxModules.lua ];
    commonHttpConfig = lib.mkIf config.selfprivacy.sso.debug ''
      log_format kanidm escape=none '$request $status\n'
                                    '[Request body]: $request_body\n'
                                    '[Header]: $resp_header\n'
                                    '[Response Body]: $resp_body\n\n';
      lua_package_path "${lua_path}";
    '';
    virtualHosts.${auth-fqdn} = {
      useACMEHost = domain;
      forceSSL = true;
      locations."/" = {
        extraConfig = lib.mkIf config.selfprivacy.sso.debug ''
          access_log /var/log/nginx/kanidm.log kanidm;

          lua_need_request_body on;

          # log header
          set $req_header "";
          set $resp_header "";
          header_filter_by_lua '
            local h = ngx.req.get_headers()
            for k, v in pairs(h) do
              if type(v) == "table" then
                ngx.var.req_header = ngx.var.req_header .. k .. "=" .. table.concat(v, ", ") .. " "
              else
                ngx.var.req_header = ngx.var.req_header .. k .. "=" .. v .. " "
              end
            end
            local rh = ngx.resp.get_headers()
            for k, v in pairs(rh) do
              if type(v) == "table" then
                ngx.var.resp_header = ngx.var.resp_header .. k .. "=" .. table.concat(v, ", ") .. " "
              else
                ngx.var.resp_header = ngx.var.resp_header .. k .. "=" .. v .. " "
              end
            end
          ';

          # log body
          set $resp_body "";
          body_filter_by_lua '
            local resp_body = string.sub(ngx.arg[1], 1, 4000)
            ngx.ctx.buffered = (ngx.ctx.buffered or "") .. resp_body
            if ngx.arg[2] then
              ngx.var.resp_body = ngx.ctx.buffered
            end
          ';
        '';
        proxyPass = "https://${kanidm-bind-address}";
      };
    };
  };

  systemd.services.kanidm.serviceConfig.ExecStartPre =
    [ ("+" + kanidmExecStartPreScriptRoot) ];
  systemd.services.kanidm.serviceConfig.ExecStartPost = lib.mkAfter
    [ spApiUserExecStartPostScript ];

  selfprivacy.passthru.auth = {
    inherit
      admins-group
      auth-fqdn
      full-users-group
      ldap-host
      ldap-port
      keys-path
      ;
    oauth2-introspection-url-prefix = client_id: "https://${client_id}:";
    oauth2-introspection-url-postfix =
      "@${auth-fqdn}/oauth2/token/introspect";
    oauth2-discovery-url = client_id:
      "https://${auth-fqdn}/oauth2/openid/${client_id}/.well-known/openid-configuration";
    oauth2-provider-name = "Kanidm";
    oauth2-systemd-service = "kanidm.service";

    # e.g. "dc=mydomain,dc=com"
    ldap-base-dn =
      lib.strings.concatMapStringsSep
        ","
        (x: "dc=" + x)
        (lib.strings.splitString "." domain);

    # TODO consider to pass a value or throw exception if token is not generated
    mkServiceAccountTokenFP = linuxGroup:
      "${keys-path}/${linuxGroup}/kanidm-service-account-token";

    mkOAuth2ClientSecretFP = linuxGroup:
      "${keys-path}/${linuxGroup}/kanidm-oauth-client-secret";
  };
}
auth: selfprivacy.sso.useKanidm_1_4 2025-04-18 21:06:18 +04:00			`{ config, lib, pkgs, ... }:`
minimal kanidm setup Only Roundcube and Dovecot communicate with Kanidm. 2024-11-01 21:26:34 +04:00			`let`
chore: restructure LDAP related nix files 2024-12-26 18:27:25 +04:00			`domain = config.selfprivacy.domain;`
add options: selfprivacy.sso.enable && selfprivacy.sso.debug selfprivacy.sso.enable is true by default. 2025-02-03 01:35:21 +04:00			`subdomain = "auth";`
			`auth-fqdn = subdomain + "." + domain;`
auth: replace useless oauth2-introspection-url with prefix/postfix parts oauth2-introspection-url is useless, because it would contain OAuth client secret right in the URL. OAuth clients contruct URLs on its own. 2025-01-31 14:26:55 +04:00
			`ldap-host = "127.0.0.1";`
			`ldap-port = 3636;`

refact: auth: variable for generated keys path in auth.nix 2025-03-16 19:50:41 +04:00			`keys-path = "/run/keys";`

auth: replace useless oauth2-introspection-url with prefix/postfix parts oauth2-introspection-url is useless, because it would contain OAuth client secret right in the URL. OAuth clients contruct URLs on its own. 2025-01-31 14:26:55 +04:00			`admins-group = "sp.admins";`
			`full-users-group = "sp.full_users";`
minimal kanidm setup Only Roundcube and Dovecot communicate with Kanidm. 2024-11-01 21:26:34 +04:00
chore: restructure LDAP related nix files 2024-12-26 18:27:25 +04:00			`kanidm-bind-address = "127.0.0.1:3013";`

auth: generate kanidm API token for selfprivacy in /run/keys/... 2025-02-12 15:50:15 +04:00			`selfprivacy-group = config.users.users."selfprivacy-api".group;`

auth: create sp.selfprivacy-api.service-account 2025-01-15 14:53:58 +04:00			`selfprivacy-service-account-name = "sp.selfprivacy-api.service-account";`

auth: generate kanidm API token for selfprivacy in /run/keys/... 2025-02-12 15:50:15 +04:00			`kanidm-service-account-token-name =`
			`"${selfprivacy-group}-service-account-token";`
			`kanidm-service-account-token-fp =`
refact: auth: variable for generated keys path in auth.nix 2025-03-16 19:50:41 +04:00			`"${keys-path}/${selfprivacy-group}/kanidm-service-account-token";`
auth: generate kanidm API token for selfprivacy in /run/keys/... 2025-02-12 15:50:15 +04:00			`kanidmExecStartPreScriptRoot = pkgs.writeShellScript`
			`"${selfprivacy-group}-kanidm-ExecStartPre-root-script.sh"`
			`''`
			`# set-group-ID bit allows for kanidm user to create files,`
			`mkdir -p -v --mode=u+rwx,g+rs,g-w,o-rwx /run/keys/${selfprivacy-group}`
			`chown kanidm:${selfprivacy-group} /run/keys/${selfprivacy-group}`
			`'';`

auth: create sp.selfprivacy-api.service-account 2025-01-15 14:53:58 +04:00			`spApiUserExecStartPostScript =`
			`pkgs.writeShellScript "spApiUserExecStartPostScript" ''`
			`export HOME=$RUNTIME_DIRECTORY/client_home`
			`readonly KANIDM="${pkgs.kanidm}/bin/kanidm"`

			`# get Kanidm service account for SelfPrivacyAPI`
			`KANIDM_SERVICE_ACCOUNT="$($KANIDM service-account list --name idm_admin \| grep -E "^name: ${selfprivacy-service-account-name}$")"`
			`echo KANIDM_SERVICE_ACCOUNT: "$KANIDM_SERVICE_ACCOUNT"`
			`if [ -n "$KANIDM_SERVICE_ACCOUNT" ]`
			`then`
			`echo "kanidm service account \"${selfprivacy-service-account-name}\" is found"`
			`else`
			`echo "kanidm service account \"${selfprivacy-service-account-name}\" is not found"`
			`echo "creating new kanidm service account \"${selfprivacy-service-account-name}\""`
			`if $KANIDM service-account create --name idm_admin "${selfprivacy-service-account-name}" "SelfPrivacy API service account" idm_admin`
			`then`
			`echo "kanidm service account \"${selfprivacy-service-account-name}\" created"`
			`else`
			`echo "error: cannot create kanidm service account \"${selfprivacy-service-account-name}\""`
			`exit 1`
			`fi`
			`fi`

			`$KANIDM group add-members idm_admins "${selfprivacy-service-account-name}"`
auth: generate kanidm API token for selfprivacy in /run/keys/... 2025-02-12 15:50:15 +04:00
			`# create a new read-write token for kanidm`
			`if ! KANIDM_SERVICE_ACCOUNT_TOKEN_JSON="$($KANIDM service-account api-token generate --name idm_admin "${selfprivacy-service-account-name}" "${kanidm-service-account-token-name}" --output json)"`
			`then`
			`echo "error: kanidm CLI returns an error when trying to generate service-account api-token"`
			`exit 1`
			`fi`
			`if ! KANIDM_SERVICE_ACCOUNT_TOKEN="$(echo "$KANIDM_SERVICE_ACCOUNT_TOKEN_JSON" \| ${lib.getExe pkgs.jq} -r .result)"`
			`then`
			`echo "error: cannot get service-account API token from JSON"`
			`exit 1`
			`fi`

			`if ! install --mode=640 \`
			`<(printf "%s" "$KANIDM_SERVICE_ACCOUNT_TOKEN") \`
			`${kanidm-service-account-token-fp}`
			`then`
			`echo "error: cannot write token to \"${kanidm-service-account-token-fp}\""`
			`exit 1`
			`fi`
auth: create sp.selfprivacy-api.service-account 2025-01-15 14:53:58 +04:00			`'';`

refact: auth: variable for generated keys path in auth.nix 2025-03-16 19:50:41 +04:00			`# lua stuff for nginx for debugging only`
WIP: LDAP: Dovecot&Postfix works, but Postfix sends to 25 port 2024-12-20 16:13:59 +04:00			`lua_core_path = "${pkgs.luajitPackages.lua-resty-core}/lib/lua/5.1/?.lua";`
			`lua_lrucache_path = "${pkgs.luajitPackages.lua-resty-lrucache}/lib/lua/5.1/?.lua";`
			`lua_path = "${lua_core_path};${lua_lrucache_path};";`
minimal kanidm setup Only Roundcube and Dovecot communicate with Kanidm. 2024-11-01 21:26:34 +04:00			`in`
refact: auth: variable for generated keys path in auth.nix 2025-03-16 19:50:41 +04:00			`lib.mkIf config.selfprivacy.sso.enable {`
feat: Allow services to communicate with Kanidm even when there is no DNS record yet 2025-03-28 17:08:37 +03:00			`networking.hosts = {`
			`# Allow the services to communicate with kanidm even if`
			`# there is no DNS record yet`
			`"127.0.0.1" = [ auth-fqdn ];`
			`};`

refact: auth: variable for generated keys path in auth.nix 2025-03-16 19:50:41 +04:00
			`# kanidm uses TLS in internal connection with nginx too`
			`# FIXME revise this: maybe kanidm must not have access to a public TLS`
			`users.groups."acmereceivers".members = [ "kanidm" ];`

			`# for ExecStartPost scripts to have access to /run/keys/*`
			`users.groups.keys.members = [ "kanidm" ];`

			`services.kanidm = {`
			`enableServer = true;`

			`# kanidm with Rust code patches for OAuth and admin passwords provisioning`
			`package = pkgs.kanidm.withSecretProvisioning;`

			`serverSettings = {`
			`inherit domain;`
			`# The origin for webauthn. This is the url to the server, with the port`
			`# included if it is non-standard (any port except 443). This must match or`
			`# be a descendent of the domain name you configure above. If these two`
			`# items are not consistent, the server WILL refuse to start!`
			`origin = "https://" + auth-fqdn;`

			`# TODO revise this: maybe kanidm must not have access to a public TLS`
			`tls_chain =`
			`"${config.security.acme.certs.${domain}.directory}/fullchain.pem";`
			`tls_key =`
			`"${config.security.acme.certs.${domain}.directory}/key.pem";`

			`# nginx should proxy requests to it`
			`bindaddress = kanidm-bind-address;`

			`ldapbindaddress =`
			`"${ldap-host}:${toString ldap-port}";`

			`# kanidm is behind a proxy`
			`trust_x_forward_for = true;`

			`log_level = if config.selfprivacy.sso.debug then "trace" else "info";`
minimal kanidm setup Only Roundcube and Dovecot communicate with Kanidm. 2024-11-01 21:26:34 +04:00			`};`
refact: auth: variable for generated keys path in auth.nix 2025-03-16 19:50:41 +04:00			`provision = {`
minimal kanidm setup Only Roundcube and Dovecot communicate with Kanidm. 2024-11-01 21:26:34 +04:00			`enable = true;`
refact: auth: variable for generated keys path in auth.nix 2025-03-16 19:50:41 +04:00			`autoRemove = true; # if false, obsolete oauth2 scopeMaps remain`
			`groups.${admins-group}.present = true;`
			`groups.${full-users-group}.present = true;`
			`};`
			`enableClient = true;`
			`clientSettings = {`
			`uri = "https://" + auth-fqdn;`
			`verify_ca = false; # FIXME`
			`verify_hostnames = false; # FIXME`
			`};`
			`};`

			`services.nginx = {`
			`enable = true;`
			`additionalModules =`
			`lib.mkIf config.selfprivacy.sso.debug [ pkgs.nginxModules.lua ];`
			`commonHttpConfig = lib.mkIf config.selfprivacy.sso.debug ''`
			`log_format kanidm escape=none '$request $status\n'`
			`'[Request body]: $request_body\n'`
			`'[Header]: $resp_header\n'`
			`'[Response Body]: $resp_body\n\n';`
			`lua_package_path "${lua_path}";`
			`'';`
			`virtualHosts.${auth-fqdn} = {`
			`useACMEHost = domain;`
			`forceSSL = true;`
			`locations."/" = {`
			`extraConfig = lib.mkIf config.selfprivacy.sso.debug ''`
			`access_log /var/log/nginx/kanidm.log kanidm;`

			`lua_need_request_body on;`

			`# log header`
			`set $req_header "";`
			`set $resp_header "";`
			`header_filter_by_lua '`
			`local h = ngx.req.get_headers()`
			`for k, v in pairs(h) do`
			`if type(v) == "table" then`
			`ngx.var.req_header = ngx.var.req_header .. k .. "=" .. table.concat(v, ", ") .. " "`
			`else`
			`ngx.var.req_header = ngx.var.req_header .. k .. "=" .. v .. " "`
WIP: LDAP: Dovecot&Postfix works, but Postfix sends to 25 port 2024-12-20 16:13:59 +04:00			`end`
refact: auth: variable for generated keys path in auth.nix 2025-03-16 19:50:41 +04:00			`end`
			`local rh = ngx.resp.get_headers()`
			`for k, v in pairs(rh) do`
			`if type(v) == "table" then`
			`ngx.var.resp_header = ngx.var.resp_header .. k .. "=" .. table.concat(v, ", ") .. " "`
			`else`
			`ngx.var.resp_header = ngx.var.resp_header .. k .. "=" .. v .. " "`
WIP: LDAP: Dovecot&Postfix works, but Postfix sends to 25 port 2024-12-20 16:13:59 +04:00			`end`
refact: auth: variable for generated keys path in auth.nix 2025-03-16 19:50:41 +04:00			`end`
			`';`

			`# log body`
			`set $resp_body "";`
			`body_filter_by_lua '`
			`local resp_body = string.sub(ngx.arg[1], 1, 4000)`
			`ngx.ctx.buffered = (ngx.ctx.buffered or "") .. resp_body`
			`if ngx.arg[2] then`
			`ngx.var.resp_body = ngx.ctx.buffered`
			`end`
			`';`
			`'';`
			`proxyPass = "https://${kanidm-bind-address}";`
minimal kanidm setup Only Roundcube and Dovecot communicate with Kanidm. 2024-11-01 21:26:34 +04:00			`};`
			`};`
refact: auth: variable for generated keys path in auth.nix 2025-03-16 19:50:41 +04:00			`};`
minimal kanidm setup Only Roundcube and Dovecot communicate with Kanidm. 2024-11-01 21:26:34 +04:00
refact: auth: variable for generated keys path in auth.nix 2025-03-16 19:50:41 +04:00			`systemd.services.kanidm.serviceConfig.ExecStartPre =`
			`[ ("+" + kanidmExecStartPreScriptRoot) ];`
			`systemd.services.kanidm.serviceConfig.ExecStartPost = lib.mkAfter`
			`[ spApiUserExecStartPostScript ];`

			`selfprivacy.passthru.auth = {`
			`inherit`
			`admins-group`
			`auth-fqdn`
			`full-users-group`
			`ldap-host`
			`ldap-port`
auth: module for easier integration of new services with Kanidm - Forgejo is migrated to this module. 2025-03-16 19:51:18 +04:00			`keys-path`
refact: auth: variable for generated keys path in auth.nix 2025-03-16 19:50:41 +04:00			`;`
			`oauth2-introspection-url-prefix = client_id: "https://${client_id}:";`
			`oauth2-introspection-url-postfix =`
			`"@${auth-fqdn}/oauth2/token/introspect";`
			`oauth2-discovery-url = client_id:`
			`"https://${auth-fqdn}/oauth2/openid/${client_id}/.well-known/openid-configuration";`
			`oauth2-provider-name = "Kanidm";`
			`oauth2-systemd-service = "kanidm.service";`

			`# e.g. "dc=mydomain,dc=com"`
			`ldap-base-dn =`
			`lib.strings.concatMapStringsSep`
			`","`
			`(x: "dc=" + x)`
			`(lib.strings.splitString "." domain);`
auth: module for easier integration of new services with Kanidm - Forgejo is migrated to this module. 2025-03-16 19:51:18 +04:00
			`# TODO consider to pass a value or throw exception if token is not generated`
clean auth/auth.nix and auth/auth-module.nix 2025-04-11 20:59:02 +04:00			`mkServiceAccountTokenFP = linuxGroup:`
			`"${keys-path}/${linuxGroup}/kanidm-service-account-token";`
auth: module for easier integration of new services with Kanidm - Forgejo is migrated to this module. 2025-03-16 19:51:18 +04:00
clean auth/auth.nix and auth/auth-module.nix 2025-04-11 20:59:02 +04:00			`mkOAuth2ClientSecretFP = linuxGroup:`
			`"${keys-path}/${linuxGroup}/kanidm-oauth-client-secret";`
minimal kanidm setup Only Roundcube and Dovecot communicate with Kanidm. 2024-11-01 21:26:34 +04:00			`};`
			`}`