Inex Code
b571449efe
refactor: Disable SSH login using password
2025-03-28 17:08:09 +03:00
Alexander Tomokhov
2ee27353da
auth,forgejo: fix originLanding
2025-03-26 15:59:23 +04:00
Alexander Tomokhov
3f95b80c3c
auth module: add originLanding option
2025-03-26 15:57:59 +04:00
Alexander Tomokhov
838b5dc204
auth: add missing nixpkgs-2411 input to flake.lock
2025-03-26 14:58:02 +04:00
Alexander Tomokhov
8013f2e394
auth: module for easier integration of new services with Kanidm
- Forgejo is migrated to this module.
2025-03-21 16:40:18 +04:00
Alexander Tomokhov
403c4b31b1
refact: auth: variable for generated keys path in auth.nix
2025-03-16 19:50:41 +04:00
Alexander Tomokhov
c49a93bf9c
auth: generate kanidm API token for selfprivacy in /run/keys/...
2025-02-12 15:50:19 +04:00
Alexander Tomokhov
1ff180ad1a
add assertions: selfprivacy.sso.enable -> modules.*.enableSso
2025-02-03 02:17:54 +04:00
Alexander Tomokhov
331fa63b33
add options: selfprivacy.sso.enable && selfprivacy.sso.debug
selfprivacy.sso.enable is true by default.
2025-02-03 02:17:54 +04:00
Alexander Tomokhov
65548a1e73
SP modules do not depend on selfprivacy.modules.auth
2025-02-03 02:05:05 +04:00
Alexander Tomokhov
ea443d2150
gitea,nextcloud,roundcube,mailserver: depend on kanidm systemd service
2025-02-03 01:05:48 +04:00
Alexander Tomokhov
ee2e404eb8
passthru.selfprivacy -> selfprivacy.passthru
2025-02-03 01:05:48 +04:00
Alexander Tomokhov
365e01a4e3
fix selfprivacy.passthru: allow any types
2025-02-03 01:05:48 +04:00
Alexander Tomokhov
29d1759186
merge auth SP module into main configuration; add enableSso option
`enableSso` is being added to the following SP modules:
* gitea (forgejo)
* nextcloud
* roundcube
* simple-nixos-mailserver
2025-02-03 00:10:05 +04:00
Alexander Tomokhov
3a8a3dfc95
fix auth meta: add meta to flake.nix and icon.svg
2025-02-01 18:36:01 +04:00
Alexander Tomokhov
70a946cc66
auth: add meta to all options
2025-01-31 14:37:58 +04:00
Alexander Tomokhov
4c6228d694
roundcube & mailserver: fix oauth: mailserver is an OAuth secret donor
Both of them use the same client ID and client secret, but Roundcube
depends on mailserver generally, so mailserver is the one to share OAuth
client id and secret.
2025-01-31 14:31:58 +04:00
Alexander Tomokhov
89e7145a01
auth: replace useless oauth2-introspection-url with prefix/postfix parts
oauth2-introspection-url is useless, because it would contain the OAuth
client secret right in the URL. OAuth clients construct URLs on their own.
2025-01-31 14:26:58 +04:00
Alexander Tomokhov
f1d2119f62
define selfprivacy.passthru option (type = types.submodule)
Stock NixOS passthru option cannot be defined in multiple places. But we
need to pass arbitrary parameters between SP modules.
2025-01-31 14:24:09 +04:00
Alexander Tomokhov
67a943c829
fix roundcube: ['oauth_client_secret'] = file_get_contents...
2025-01-29 14:30:18 +04:00
Alexander Tomokhov
857d6729ef
fix nextcloud when sp.modules.auth.enable is true
2025-01-29 13:21:36 +04:00
Alexander Tomokhov
2cc5743152
fix sp-modules: configPathsNeeded, requiring passthru.selfprivacy.auth
2025-01-29 12:53:44 +04:00
Alexander Tomokhov
2ed4cc0dee
passthru.selfprivacy.auth.admins-group = "sp.admins"
2025-01-25 23:20:00 +04:00
Alexander Tomokhov
d008fbcc17
auth: sp.full_users group
2025-01-25 01:24:28 +04:00
Alexander Tomokhov
d8d1a1e86f
fix mailserver: evaluate without auth module
2025-01-25 01:08:41 +04:00
Alexander Tomokhov
0c7a8d51b0
fix gitea,nextcloud,roundcube: evaluate without auth module
2025-01-24 16:27:48 +04:00
Alexander Tomokhov
f795bc977f
fix auth: config.selfprivacy.modules.auth.enable or false
2025-01-17 16:12:22 +04:00
Alexander Tomokhov
f43ec2686d
fix nextcloud: get rid of extra user_ldap configs; other fixes
2025-01-17 16:10:40 +04:00
Alexander Tomokhov
56fe5690c1
fix roundcube: OAuth secret, ExecStartPost ignore failure
2025-01-17 16:10:40 +04:00
Alexander Tomokhov
89d788aab2
fix nextcloud: OAuth secret, ExecStartPost ignore failure
2025-01-17 16:10:38 +04:00
Alexander Tomokhov
5cb3be9a36
fix forgejo: OAuth secret, ExecStartPost ignore failure, subdomain
2025-01-17 16:09:25 +04:00
Alexander Tomokhov
ed10508ed9
auth: create sp.selfprivacy-api.service-account
2025-01-17 16:09:25 +04:00
Alexander Tomokhov
0e7b113ce0
fix(nextcloud): user_oidc mapping-uid is preferred_username
2025-01-17 16:09:25 +04:00
Alexander Tomokhov
bf8fb31065
chore(mailserver): less hardcode
2025-01-17 16:09:25 +04:00
Alexander Tomokhov
041479a48b
fix(auth,forgejo): recognize admins
2025-01-17 16:09:25 +04:00
Alexander Tomokhov
153e1c12d5
feat(auth,nextcloud): OAuth2 and LDAP integration
2025-01-17 16:09:22 +04:00
Alexander Tomokhov
a45cf792e5
fix(auth): rename oauth2-provider-name
2025-01-17 15:58:51 +04:00
Alexander Tomokhov
8db13dfccf
feat auth,forgejo: OAuth2 and LDAP integration
2025-01-17 15:58:49 +04:00
Alexander Tomokhov
7f9f7a4db2
fix auth: sp.{service}.admins groups provisioning
2025-01-17 15:56:47 +04:00
Alexander Tomokhov
bc8f998176
fix(auth): debug and enable options
2025-01-17 15:56:47 +04:00
Alexander Tomokhov
dd4a356ae7
feat(auth,roundcube): sp.roundcube.admins inherits sp.roundcube.users
2025-01-17 15:56:47 +04:00
Alexander Tomokhov
c127145425
feat(auth,roundcube): members of sp.admins group become admins
2025-01-17 15:56:47 +04:00
Alexander Tomokhov
69c69dfb46
chore dovecot&postfix: rename nix files, disable debug
2025-01-17 15:56:47 +04:00
Alexander Tomokhov
f07b867af2
security: harden some SP modules NixOS config evaluation permissions
2025-01-17 15:56:47 +04:00
Alexander Tomokhov
3a904f599e
chore: restructure LDAP related nix files
2025-01-17 15:56:47 +04:00
Alexander Tomokhov
5d76f456c1
auth: ldap-dovecot.nix, clean code
2025-01-17 15:56:47 +04:00
Alexander Tomokhov
ad6d3d6970
WIP: LDAP: Dovecot&Postfix work, but Postfix sends to port 25
2025-01-17 15:56:47 +04:00
Alexander Tomokhov
b5de64105c
kanidm 1.4.0
2025-01-17 15:56:47 +04:00
Alexander Tomokhov
f388e18ef0
minimal kanidm setup
Only Roundcube and Dovecot communicate with Kanidm.
2025-01-17 15:56:47 +04:00
Inex Code
bf299b19b8
fix: Remove lib.mkForce from allowed ports as it prevents SP modules from opening required ports
2024-12-26 18:19:21 +03:00