thary/sp-config
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

merge auth SP module into main configuration; add enableSso option

Browse Source 
`enableSso` is being added to the following SP modules:
* gitea (forgejo)
* nextcloud
* roundcube
* simple-nixos-mailserver
This commit is contained in:
Alexander Tomokhov
2025-01-29 18:17:17 +04:00
parent 3a8a3dfc95
commit 29d1759186
12 changed files with 59 additions and 105 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
sp-modules/auth/module.nix → auth/auth.nix
View File

@@ -1,4 +1,4 @@
{ config, lib, pkgs, ... }: nixpkgs-2411: { config, lib, pkgs, ... }:
let let
cfg = config.selfprivacy.modules.auth; cfg = config.selfprivacy.modules.auth;
domain = config.selfprivacy.domain; domain = config.selfprivacy.domain;
@@ -83,6 +83,25 @@ in
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
nixpkgs.overlays = [
(
_final: prev: {
inherit (nixpkgs-2411.legacyPackages.${prev.system}) kanidm;
kanidm-provision =
nixpkgs-2411.legacyPackages.${prev.system}.kanidm-provision.overrideAttrs (_: {
version = "git";
src = prev.fetchFromGitHub {
owner = "oddlama";
repo = "kanidm-provision";
rev = "d1f55c9247a6b25d30bbe90a74307aaac6306db4";
hash = "sha256-cZ3QbowmWX7j1eJRiUP52ao28xZzC96OdZukdWDHfFI=";
};
});
}
)
];
# kanidm uses TLS in internal connection with nginx too # kanidm uses TLS in internal connection with nginx too
# FIXME revise this: maybe kanidm must not have access to a public TLS # FIXME revise this: maybe kanidm must not have access to a public TLS
users.groups."acmereceivers".members = [ "kanidm" ]; users.groups."acmereceivers".members = [ "kanidm" ];

0
sp-modules/auth/kanidm.nix → auth/kanidm.nix
View File

8
flake.nix
View File

@@ -3,6 +3,7 @@
inputs = { inputs = {
nixpkgs.url = github:nixos/nixpkgs; nixpkgs.url = github:nixos/nixpkgs;
nixpkgs-2411.url = github:nixos/nixpkgs/nixos-24.11;
selfprivacy-api.url = selfprivacy-api.url =
git+https://git.selfprivacy.org/SelfPrivacy/selfprivacy-rest-api.git; git+https://git.selfprivacy.org/SelfPrivacy/selfprivacy-rest-api.git;
@@ -10,7 +11,7 @@
selfprivacy-api.inputs.nixpkgs.follows = "nixpkgs"; selfprivacy-api.inputs.nixpkgs.follows = "nixpkgs";
}; };
outputs = { self, nixpkgs, selfprivacy-api }: { outputs = { self, nixpkgs, nixpkgs-2411, selfprivacy-api }: {
nixosConfigurations-fun = nixosConfigurations-fun =
{ hardware-configuration { hardware-configuration
, deployment , deployment
@@ -24,6 +25,11 @@
hardware-configuration hardware-configuration
deployment deployment
./configuration.nix ./configuration.nix
(import ./auth/auth.nix nixpkgs-2411)
{
disabledModules = [ "services/security/kanidm.nix" ];
imports = [ ./auth/kanidm.nix ];
}
selfprivacy-api.nixosModules.default selfprivacy-api.nixosModules.default
({ pkgs, lib, ... }: { ({ pkgs, lib, ... }: {
environment.etc = (lib.attrsets.mapAttrs' environment.etc = (lib.attrsets.mapAttrs'

9
sp-modules/auth/config-paths-needed.json
View File

@@ -1,9 +0,0 @@
[
[ "security", "acme", "certs" ],
[ "selfprivacy", "domain" ],
[ "selfprivacy", "modules", "auth" ],
[ "services", "kanidm" ],
[ "services", "oauth2-proxy", "enable" ],
[ "services", "oauth2-proxy", "nginx" ],
[ "systemd", "services", "kanidm" ]
]

27
sp-modules/auth/flake.lock generated
View File

@@ -1,27 +0,0 @@
{
"nodes": {
"nixpkgs-unstable": {
"locked": {
"lastModified": 1725194671,
"narHash": "sha256-tLGCFEFTB5TaOKkpfw3iYT9dnk4awTP/q4w+ROpMfuw=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "b833ff01a0d694b910daca6e2ff4a3f26dee478c",
"type": "github"
},
"original": {
"owner": "nixos",
"repo": "nixpkgs",
"rev": "b833ff01a0d694b910daca6e2ff4a3f26dee478c",
"type": "github"
}
},
"root": {
"inputs": {
"nixpkgs-unstable": "nixpkgs-unstable"
}
}
},
"root": "root",
"version": 7
}

62
sp-modules/auth/flake.nix
View File

@@ -1,62 +0,0 @@
{
description = "User authentication and authorization module";
# TODO remove when Kanidm provisioning without groups assertion lands in NixOS
# inputs.nixos-unstable.url = github:alexoundos/nixpkgs/679fd3fd318ce2d57d0cabfbd7f4b8857d78ae95;
# inputs.nixos-unstable.url = git+file:/data/nixpkgs?ref=kanidm-1.4.0&rev=1bac99358baea6a3268027b4e585c68cd4ef107d;
inputs.nixos-unstable.url = github:nixos/nixpkgs/7ffd9ae656aec493492b44d0ddfb28e79a1ea25d;
outputs = { self, nixos-unstable }: {
overlays.default = _final: prev: {
inherit (nixos-unstable.legacyPackages.${prev.system})
kanidm oauth2-proxy;
kanidm-provision =
nixos-unstable.legacyPackages.${prev.system}.kanidm-provision.overrideAttrs (_: {
version = "git";
src = prev.fetchFromGitHub {
owner = "oddlama";
repo = "kanidm-provision";
rev = "d1f55c9247a6b25d30bbe90a74307aaac6306db4";
hash = "sha256-cZ3QbowmWX7j1eJRiUP52ao28xZzC96OdZukdWDHfFI=";
};
});
};
nixosModules.default = { ... }: {
disabledModules = [
"services/security/kanidm.nix"
"services/security/oauth2-proxy.nix"
"services/security/oauth2-proxy-nginx.nix"
];
imports = [
./kanidm.nix
(nixos-unstable.legacyPackages.x86_64-linux.path
+ /nixos/modules/services/security/oauth2-proxy.nix)
(nixos-unstable.legacyPackages.x86_64-linux.path
+ /nixos/modules/services/security/oauth2-proxy-nginx.nix)
./module.nix
];
nixpkgs.overlays = [ self.overlays.default ];
};
configPathsNeeded =
builtins.fromJSON (builtins.readFile ./config-paths-needed.json);
meta = { lib, ... }: {
spModuleSchemaVersion = 1;
id = "auth";
name = "Auth";
description = "Temporary auth module.";
svgIcon = builtins.readFile ./icon.svg;
isMovable = false;
isRequired = false;
backupDescription = "Useless service.";
systemdServices = [ "kanidm.service" ];
folders = [ ];
license = [ ];
homepage = "https://kanidm.com";
sourcePage = "https://github.com/kanidm";
supportLevel = "hallucinatory";
};
};
}

1
sp-modules/auth/icon.svg
View File

@@ -1 +0,0 @@
<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1"/>
Side by Side

Before

Width:  |  Height:  |  Size: 63 B

11
sp-modules/gitea/module.nix
View File

@@ -14,7 +14,7 @@ let
"gitea-light" "gitea-light"
"gitea-dark" "gitea-dark"
]; ];
is-auth-enabled = sp.modules.auth.enable or false; is-auth-enabled = cfg.enableSso;
oauth-client-id = "forgejo"; oauth-client-id = "forgejo";
auth-passthru = config.passthru.selfprivacy.auth; auth-passthru = config.passthru.selfprivacy.auth;
oauth2-provider-name = auth-passthru.oauth2-provider-name; oauth2-provider-name = auth-passthru.oauth2-provider-name;
@@ -183,6 +183,15 @@ in
weight = 6; weight = 6;
}; };
}; };
enableSso = (lib.mkOption {
default = false;
type = lib.types.bool;
description = "Enable SSO for Forgejo";
}) // {
meta = {
type = "enable";
};
};
debug = lib.mkOption { debug = lib.mkOption {
default = false; default = false;
type = lib.types.bool; type = lib.types.bool;

2
sp-modules/nextcloud/module.nix
View File

@@ -11,8 +11,8 @@ let
hostName = "${cfg.subdomain}.${sp.domain}"; hostName = "${cfg.subdomain}.${sp.domain}";
auth-passthru = config.passthru.selfprivacy.auth; auth-passthru = config.passthru.selfprivacy.auth;
is-auth-enabled = sp.modules.auth.enable or false;
cfg = sp.modules.nextcloud; cfg = sp.modules.nextcloud;
is-auth-enabled = cfg.enableSso;
ldap_scheme_and_host = "ldaps://${auth-passthru.ldap-host}"; ldap_scheme_and_host = "ldaps://${auth-passthru.ldap-host}";
occ = "${config.services.nextcloud.occ}/bin/nextcloud-occ"; occ = "${config.services.nextcloud.occ}/bin/nextcloud-occ";

11
sp-modules/roundcube/module.nix
View File

@@ -2,7 +2,7 @@
let let
domain = config.selfprivacy.domain; domain = config.selfprivacy.domain;
cfg = config.selfprivacy.modules.roundcube; cfg = config.selfprivacy.modules.roundcube;
is-auth-enabled = config.selfprivacy.modules.auth.enable or false; is-auth-enabled = cfg.enableSso;
auth-passthru = config.passthru.selfprivacy.auth; auth-passthru = config.passthru.selfprivacy.auth;
auth-fqdn = auth-passthru.auth-fqdn; auth-fqdn = auth-passthru.auth-fqdn;
sp-module-name = "roundcube"; sp-module-name = "roundcube";
@@ -44,6 +44,15 @@ in
weight = 0; weight = 0;
}; };
}; };
enableSso = (lib.mkOption {
default = false;
type = lib.types.bool;
description = "Enable SSO for Roundcube";
}) // {
meta = {
type = "enable";
};
};
}; };
config = lib.mkIf cfg.enable (lib.mkMerge [ config = lib.mkIf cfg.enable (lib.mkMerge [

3
sp-modules/simple-nixos-mailserver/common.nix
View File

@@ -2,8 +2,9 @@
rec { rec {
auth-passthru = config.passthru.selfprivacy.auth; auth-passthru = config.passthru.selfprivacy.auth;
domain = config.selfprivacy.domain; domain = config.selfprivacy.domain;
is-auth-enabled = config.selfprivacy.modules.auth.enable or false;
group = "dovecot2"; group = "dovecot2";
is-auth-enabled =
config.selfprivacy.modules.simple-nixos-mailserver.enableSso;
appendSetting = appendSetting =
{ name, file, prefix, suffix ? "", passwordFile, destination }: { name, file, prefix, suffix ? "", passwordFile, destination }:

9
sp-modules/simple-nixos-mailserver/options.nix
View File

@@ -18,5 +18,14 @@
type = "location"; type = "location";
}; };
}; };
enableSso = (lib.mkOption {
default = false;
type = lib.types.bool;
description = "Enable SSO for mail server";
}) // {
meta = {
type = "enable";
};
};
}; };
} }