minimal kanidm setup

Only Roundcube and Dovecot communicate with Kanidm.
2024-11-01 21:26:34 +04:00
parent bf299b19b8
commit f388e18ef0
6 changed files with 294 additions and 4 deletions
--- a/sp-modules/auth/flake.nix
+++ b/sp-modules/auth/flake.nix
@@ -0,0 +1,34 @@
+{
+  description = "User authentication and authorization module";
+
+  # TODO remove when working Kanidm lands in nixpkgs and Hydra
+  inputs.nixpkgs-unstable.url = github:alexoundos/nixpkgs/b84444cbd57e934312f6a03d2d783ed0b7f94957;
+
+  outputs = { self, nixpkgs-unstable }: {
+    overlays.default = _final: prev: {
+      inherit (nixpkgs-unstable.legacyPackages.${prev.system})
+        kanidm kanidm-provision oauth2-proxy;
+    };
+
+    nixosModules.default = { ... }: {
+      disabledModules = [
+        "services/security/kanidm.nix"
+        "services/security/oauth2-proxy.nix"
+        "services/security/oauth2-proxy-nginx.nix"
+      ];
+      imports = [
+        (nixpkgs-unstable.legacyPackages.x86_64-linux.path
+          + /nixos/modules/services/security/kanidm.nix)
+        (nixpkgs-unstable.legacyPackages.x86_64-linux.path
+          + /nixos/modules/services/security/oauth2-proxy.nix)
+        (nixpkgs-unstable.legacyPackages.x86_64-linux.path
+          + /nixos/modules/services/security/oauth2-proxy-nginx.nix)
+        ./module.nix
+      ];
+      nixpkgs.overlays = [ self.overlays.default ];
+    };
+
+    configPathsNeeded =
+      builtins.fromJSON (builtins.readFile ./config-paths-needed.json);
+  };
+}