From 29d17591860558f502e84e1a2dceafd7ad9b1d69 Mon Sep 17 00:00:00 2001
From: Alexander Tomokhov
Date: Wed, 29 Jan 2025 18:17:17 +0400
Subject: [PATCH] merge auth SP module into main configuration; add `enableSso` option
`enableSso` is being added to the following SP modules:
* gitea (forgejo)
* nextcloud
* roundcube
* simple-nixos-mailserver
---
 sp-modules/auth/module.nix => auth/auth.nix | 21 ++++++-
 {sp-modules/auth => auth}/kanidm.nix | 0
 flake.nix | 8 ++-
 sp-modules/auth/config-paths-needed.json | 9 ---
 sp-modules/auth/flake.lock | 27 --------
 sp-modules/auth/flake.nix | 62 -------------------
 sp-modules/auth/icon.svg | 1 -
 sp-modules/gitea/module.nix | 11 +++-
 sp-modules/nextcloud/module.nix | 2 +-
 sp-modules/roundcube/module.nix | 11 +++-
 sp-modules/simple-nixos-mailserver/common.nix | 3 +-
 .../simple-nixos-mailserver/options.nix | 9 +++
 12 files changed, 59 insertions(+), 105 deletions(-)
 rename sp-modules/auth/module.nix => auth/auth.nix (92%)
 rename {sp-modules/auth => auth}/kanidm.nix (100%)
 delete mode 100644 sp-modules/auth/config-paths-needed.json
 delete mode 100644 sp-modules/auth/flake.lock
 delete mode 100644 sp-modules/auth/flake.nix
 delete mode 100644 sp-modules/auth/icon.svg
diff --git a/sp-modules/auth/module.nix b/auth/auth.nix
similarity index 92%
rename from sp-modules/auth/module.nix
rename to auth/auth.nix
index f102434..22923ee 100644
--- a/sp-modules/auth/module.nix
+++ b/auth/auth.nix
@@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+nixpkgs-2411: { config, lib, pkgs, ... }:
 let
 cfg = config.selfprivacy.modules.auth;
 domain = config.selfprivacy.domain;
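Review bot: The added `nixpkgs-2411:` parameter makes auth.nix a function that has to be applied before it can be used as a module, and nothing in the file says so; someone listing it in `imports` directly would get an evaluation error with no pointer to the calling convention. I'd put a header comment above the signature, e.g. `# Not a plain NixOS module: flake.nix applies this to the nixpkgs-2411 input, which supplies kanidm and kanidm-provision for the overlay below.` The `let` block that starts here continues outside the hunk.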
@@ -83,6 +83,25 @@ in
 };
 config = lib.mkIf cfg.enable {
+ nixpkgs.overlays = [
+ (
+ _final: prev: {
+ inherit (nixpkgs-2411.legacyPackages.${prev.system}) kanidm;
+ kanidm-provision =
+ nixpkgs-2411.legacyPackages.${prev.system}.kanidm-provision.overrideAttrs (_: {
+ version = "git";
+ src = prev.fetchFromGitHub {
+ owner = "oddlama";
+ repo = "kanidm-provision";
+ rev = "d1f55c9247a6b25d30bbe90a74307aaac6306db4";
+ hash = "sha256-cZ3QbowmWX7j1eJRiUP52ao28xZzC96OdZukdWDHfFI=";
+ };
+ });
+ }
+ )
+ ]; + + # kanidm uses TLS in internal connection with nginx too
 # FIXME revise this: maybe kanidm must not have access to a public TLS
 users.groups."acmereceivers".members = [ "kanidm" ];
diff --git a/sp-modules/auth/kanidm.nix b/auth/kanidm.nix
similarity index 100%
rename from sp-modules/auth/kanidm.nix
rename to auth/kanidm.nix
diff --git a/flake.nix b/flake.nix
index 27c0444..5a526a6 100644
--- a/flake.nix
+++ b/flake.nix
@@ -3,6 +3,7 @@
 inputs = {
 nixpkgs.url = github:nixos/nixpkgs;
+ nixpkgs-2411.url = github:nixos/nixpkgs/nixos-24.11;
 selfprivacy-api.url = git+https://git.selfprivacy.org/SelfPrivacy/selfprivacy-rest-api.git;
@@ -10,7 +11,7 @@
 selfprivacy-api.inputs.nixpkgs.follows = "nixpkgs";
 };
- outputs = { self, nixpkgs, selfprivacy-api }: {
+ outputs = { self, nixpkgs, nixpkgs-2411, selfprivacy-api }: {
 nixosConfigurations-fun = {
 hardware-configuration
 , deployment
@@ -24,6 +25,11 @@
 hardware-configuration
 deployment
 ./configuration.nix
+ (import ./auth/auth.nix nixpkgs-2411)
+ {
+ disabledModules = [ "services/security/kanidm.nix" ];
+ imports = [ ./auth/kanidm.nix ];
+ }
 selfprivacy-api.nixosModules.default
 ({ pkgs, lib, ... }: {
 environment.etc = (lib.attrsets.mapAttrs'
diff --git a/sp-modules/auth/config-paths-needed.json b/sp-modules/auth/config-paths-needed.json
deleted file mode 100644
index c59d193..0000000
--- a/sp-modules/auth/config-paths-needed.json
+++ /dev/null
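Review bot: The overlay pins kanidm-provision to a git revision by `rev` and `hash`, but the reason for overriding the 24.11 package was lost when sp-modules/auth/flake.nix was deleted — that file carried `# TODO remove when Kanidm provisioning without groups assertion lands in NixOS` next to the same override. Without it nobody can tell when this hand-maintained pin can be retired, so I'd restore that comment directly above `kanidm-provision =`. Note also that the overlay only takes effect under `lib.mkIf cfg.enable`, which is fine for kanidm itself but worth a one-line comment since the kanidm module replacement in flake.nix is unconditional. The `config` attribute set continues outside the hunk.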
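Review bot: `disabledModules = [ "services/security/kanidm.nix" ]` replaces only the upstream kanidm module, whereas the deleted sp-modules/auth/flake.nix also disabled `services/security/oauth2-proxy.nix` and `oauth2-proxy-nginx.nix`, re-imported both from a newer nixpkgs, and overlaid `oauth2-proxy` itself; the deleted config-paths-needed.json shows the auth module still touches `services.oauth2-proxy`. If relying on the `nixpkgs` input's oauth2-proxy module and package is now intentional, that decision is invisible from this list, so I'd add a comment on the `disabledModules` line, e.g. `# only kanidm is replaced (./auth/kanidm.nix); oauth2-proxy now comes from the nixpkgs input`. Whether the stock oauth2-proxy module is sufficient cannot be judged from this diff. The module list continues outside the hunk.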
@@ -1,9 +0,0 @@ -[ - [ "security", "acme", "certs" ], - [ "selfprivacy", "domain" ], - [ "selfprivacy", "modules", "auth" ], - [ "services", "kanidm" ], - [ "services", "oauth2-proxy", "enable" ], - [ "services", "oauth2-proxy", "nginx" ], - [ "systemd", "services", "kanidm" ] -] diff --git a/sp-modules/auth/flake.lock b/sp-modules/auth/flake.lock deleted file mode 100644 index d9ce328..0000000 --- a/sp-modules/auth/flake.lock +++ /dev/null @@ -1,27 +0,0 @@ -{ - "nodes": { - "nixpkgs-unstable": { - "locked": { - "lastModified": 1725194671, - "narHash": "sha256-tLGCFEFTB5TaOKkpfw3iYT9dnk4awTP/q4w+ROpMfuw=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "b833ff01a0d694b910daca6e2ff4a3f26dee478c", - "type": "github" - }, - "original": { - "owner": "nixos", - "repo": "nixpkgs", - "rev": "b833ff01a0d694b910daca6e2ff4a3f26dee478c", - "type": "github" - } - }, - "root": { - "inputs": { - "nixpkgs-unstable": "nixpkgs-unstable" - } - } - }, - "root": "root", - "version": 7 -} diff --git a/sp-modules/auth/flake.nix b/sp-modules/auth/flake.nix deleted file mode 100644 index 45d39e2..0000000 --- a/sp-modules/auth/flake.nix +++ /dev/null 
@@ -1,62 +0,0 @@
-{
- description = "User authentication and authorization module";
-
- # TODO remove when Kanidm provisioning without groups assertion lands in NixOS
- # inputs.nixos-unstable.url = github:alexoundos/nixpkgs/679fd3fd318ce2d57d0cabfbd7f4b8857d78ae95;
- # inputs.nixos-unstable.url = git+file:/data/nixpkgs?ref=kanidm-1.4.0&rev=1bac99358baea6a3268027b4e585c68cd4ef107d;
- inputs.nixos-unstable.url = github:nixos/nixpkgs/7ffd9ae656aec493492b44d0ddfb28e79a1ea25d;
-
- outputs = { self, nixos-unstable }: {
- overlays.default = _final: prev: {
- inherit (nixos-unstable.legacyPackages.${prev.system})
- kanidm oauth2-proxy;
- kanidm-provision =
- nixos-unstable.legacyPackages.${prev.system}.kanidm-provision.overrideAttrs (_: {
- version = "git";
- src = prev.fetchFromGitHub {
- owner = "oddlama";
- repo = "kanidm-provision";
- rev = "d1f55c9247a6b25d30bbe90a74307aaac6306db4";
- hash = "sha256-cZ3QbowmWX7j1eJRiUP52ao28xZzC96OdZukdWDHfFI=";
- };
- });
- };
-
- nixosModules.default = { ... }: {
- disabledModules = [
- "services/security/kanidm.nix"
- "services/security/oauth2-proxy.nix"
- "services/security/oauth2-proxy-nginx.nix"
- ];
- imports = [
- ./kanidm.nix
- (nixos-unstable.legacyPackages.x86_64-linux.path
- + /nixos/modules/services/security/oauth2-proxy.nix)
- (nixos-unstable.legacyPackages.x86_64-linux.path
- + /nixos/modules/services/security/oauth2-proxy-nginx.nix)
- ./module.nix
- ];
- nixpkgs.overlays = [ self.overlays.default ];
- };
-
- configPathsNeeded =
- builtins.fromJSON (builtins.readFile ./config-paths-needed.json);
-
- meta = { lib, ... }: {
- spModuleSchemaVersion = 1;
- id = "auth";
- name = "Auth";
- description = "Temporary auth module.";
- svgIcon = builtins.readFile ./icon.svg;
- isMovable = false;
- isRequired = false;
- backupDescription = "Useless service.";
- systemdServices = [ "kanidm.service" ];
- folders = [ ];
- license = [ ];
- homepage = "https://kanidm.com";
- sourcePage = "https://github.com/kanidm";
- supportLevel = "hallucinatory";
- };
- };
-}
diff --git a/sp-modules/auth/icon.svg b/sp-modules/auth/icon.svg
deleted file mode 100644
index 647bc16..0000000
--- a/sp-modules/auth/icon.svg
+++ /dev/null
@@ -1 +0,0 @@
-
diff --git a/sp-modules/gitea/module.nix b/sp-modules/gitea/module.nix
index c992599..062c470 100644
--- a/sp-modules/gitea/module.nix
+++ b/sp-modules/gitea/module.nix
@@ -14,7 +14,7 @@ let
 "gitea-light"
 "gitea-dark"
 ];
- is-auth-enabled = sp.modules.auth.enable or false;
+ is-auth-enabled = cfg.enableSso;
 oauth-client-id = "forgejo";
 auth-passthru = config.passthru.selfprivacy.auth;
 oauth2-provider-name = auth-passthru.oauth2-provider-name;
@@ -183,6 +183,15 @@ in
 weight = 6;
 };
 };
+ enableSso = (lib.mkOption {
+ default = false;
+ type = lib.types.bool;
+ description = "Enable SSO for Forgejo";
+ }) // {
+ meta = {
+ type = "enable";
+ };
+ };
 debug = lib.mkOption {
 default = false;
 type = lib.types.bool;
diff --git a/sp-modules/nextcloud/module.nix b/sp-modules/nextcloud/module.nix
index f353e17..2478dfa 100644
--- a/sp-modules/nextcloud/module.nix
+++ b/sp-modules/nextcloud/module.nix
@@ -11,8 +11,8 @@ let
 hostName = "${cfg.subdomain}.${sp.domain}";
 auth-passthru = config.passthru.selfprivacy.auth;
- is-auth-enabled = sp.modules.auth.enable or false;
 cfg = sp.modules.nextcloud;
+ is-auth-enabled = cfg.enableSso;
 ldap_scheme_and_host = "ldaps://${auth-passthru.ldap-host}";
 occ = "${config.services.nextcloud.occ}/bin/nextcloud-occ";
diff --git a/sp-modules/roundcube/module.nix b/sp-modules/roundcube/module.nix
index f01831d..dea1b29 100644
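Review bot: `is-auth-enabled = cfg.enableSso;` decouples the SSO switch from the auth module, so a deployment can set `enableSso = true` while `selfprivacy.modules.auth.enable` is false; auth.nix gates kanidm, its overlay and the ACME group membership on `cfg.enable`, so Forgejo would then be wired to an identity provider that is not deployed (whether `config.passthru.selfprivacy.auth` even evaluates in that state is not visible here). I'd add a guard in the module's `config` section: `assertions = [ { assertion = cfg.enableSso -> sp.modules.auth.enable; message = "gitea: enableSso requires selfprivacy.modules.auth.enable"; } ];`. The same gap exists at the `cfg.enableSso` / `...simple-nixos-mailserver.enableSso` lines in nextcloud/module.nix, roundcube/module.nix and simple-nixos-mailserver/common.nix. The `let` block continues outside the hunk.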
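Review bot: The new option's `description = "Enable SSO for Forgejo";` tells an operator toggling it from the UI neither which identity provider is meant nor that the auth module has to be enabled for the flag to do anything, although the first hunk shows it driving `is-auth-enabled` next to the `auth-passthru` bindings. I'd make the dependency explicit, e.g. `description = "Enable single sign-on through the SelfPrivacy auth module (requires selfprivacy.modules.auth.enable)";`, and word the roundcube and mail-server options in options.nix the same way. The options set continues outside the hunk.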
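Review bot: `is-auth-enabled = cfg.enableSso;` reads an option this commit does not declare for nextcloud — the diffstat shows nextcloud/module.nix with a single changed line, while gitea, roundcube and the mail server each gain an `enableSso = (lib.mkOption { ... })` block. Unless `enableSso` already exists in nextcloud's options (not visible here), evaluation fails with a missing-attribute error, and note that the replaced `sp.modules.auth.enable or false` tolerated an absent attribute where the new line does not. I'd declare the option in nextcloud's options exactly as the gitea hunk does (`default = false; type = lib.types.bool;` plus the `meta.type = "enable"` marker). The `let` block continues outside the hunk.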
--- a/sp-modules/roundcube/module.nix
+++ b/sp-modules/roundcube/module.nix
@@ -2,7 +2,7 @@
 let
 domain = config.selfprivacy.domain;
 cfg = config.selfprivacy.modules.roundcube;
- is-auth-enabled = config.selfprivacy.modules.auth.enable or false;
+ is-auth-enabled = cfg.enableSso;
 auth-passthru = config.passthru.selfprivacy.auth;
 auth-fqdn = auth-passthru.auth-fqdn;
 sp-module-name = "roundcube";
@@ -44,6 +44,15 @@ in
 weight = 0;
 };
 };
+ enableSso = (lib.mkOption {
+ default = false;
+ type = lib.types.bool;
+ description = "Enable SSO for Roundcube";
+ }) // {
+ meta = {
+ type = "enable";
+ };
+ };
 };
 config = lib.mkIf cfg.enable (lib.mkMerge [
diff --git a/sp-modules/simple-nixos-mailserver/common.nix b/sp-modules/simple-nixos-mailserver/common.nix
index 17ce303..9ac427d 100644
--- a/sp-modules/simple-nixos-mailserver/common.nix
+++ b/sp-modules/simple-nixos-mailserver/common.nix
@@ -2,8 +2,9 @@
 rec {
 auth-passthru = config.passthru.selfprivacy.auth;
 domain = config.selfprivacy.domain;
- is-auth-enabled = config.selfprivacy.modules.auth.enable or false;
 group = "dovecot2";
+ is-auth-enabled =
+ config.selfprivacy.modules.simple-nixos-mailserver.enableSso;
 appendSetting =
 { name, file, prefix, suffix ? "", passwordFile, destination }:
diff --git a/sp-modules/simple-nixos-mailserver/options.nix b/sp-modules/simple-nixos-mailserver/options.nix
index b8a5782..413b279 100644
--- a/sp-modules/simple-nixos-mailserver/options.nix
+++ b/sp-modules/simple-nixos-mailserver/options.nix
@@ -18,5 +18,14 @@
 type = "location";
 };
 };
+ enableSso = (lib.mkOption {
+ default = false;
+ type = lib.types.bool;
+ description = "Enable SSO for mail server";
+ }) // {
+ meta = {
+ type = "enable";
+ };
+ };
 };
 }