From 258bcac59750a5ef585ab28c39d1972b9479326d Mon Sep 17 00:00:00 2001
From: William <baduhai@proton.me>
Date: Sat, 8 Nov 2025 23:56:40 -0300
Subject: [PATCH] Integrate Kanidm with Nextcloud via OIDC
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Added Kanidm identity provider integration with Nextcloud:
- Enabled Kanidm client in kanidm.nix for CLI access
- Added user_oidc app to Nextcloud for OpenID Connect authentication
- Configured allow_local_remote_servers to permit Nextcloud to reach
  Kanidm at auth.baduhai.dev (resolves to local IP 192.168.15.142)

OAuth2 client configuration (done via kanidm CLI):
- Client ID: nextcloud
- Scopes: openid, email, profile mapped to idm_all_accounts group
- Redirect URI: https://cloud.baduhai.dev/apps/user_oidc/code
- User mapping: name claim maps to Nextcloud username

This allows users to authenticate to Nextcloud using their Kanidm
credentials, with existing Nextcloud accounts linked via username.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
---
 hosts/alexandria/kanidm.nix    | 5 +++++
 hosts/alexandria/nextcloud.nix | 2 ++
 2 files changed, 7 insertions(+)

diff --git a/hosts/alexandria/kanidm.nix b/hosts/alexandria/kanidm.nix
index ee56bc1..eaaa9b9 100644
--- a/hosts/alexandria/kanidm.nix
+++ b/hosts/alexandria/kanidm.nix
@@ -15,6 +15,7 @@ in
 {
   services.kanidm = {
     enableServer = true;
+    enableClient = true;
     package = pkgs.kanidm;
 
     serverSettings = {
@@ -27,6 +28,10 @@ in
       tls_chain = "${kanidmCertDir}/cert.pem";
       tls_key = "${kanidmCertDir}/key.pem";
     };
+
+    clientSettings = {
+      uri = "https://auth.baduhai.dev";
+    };
   };
 
   services.nginx.virtualHosts = mkNginxVHosts {
diff --git a/hosts/alexandria/nextcloud.nix b/hosts/alexandria/nextcloud.nix
index 2368a3c..c449cce 100644
--- a/hosts/alexandria/nextcloud.nix
+++ b/hosts/alexandria/nextcloud.nix
@@ -29,6 +29,7 @@ in
           contacts
           notes
           tasks
+          user_oidc
           ;
       };
       extraAppsEnable = true;
@@ -40,6 +41,7 @@ in
         trusted_proxies = [ "127.0.0.1" ];
         default_phone_region = "BR";
         maintenance_window_start = "4";
+        allow_local_remote_servers = true;
         enabledPreviewProviders = [
           "OC\\Preview\\BMP"
           "OC\\Preview\\EMF"