William
258bcac597
Added Kanidm identity provider integration with Nextcloud: - Enabled Kanidm client in kanidm.nix for CLI access - Added user_oidc app to Nextcloud for OpenID Connect authentication - Configured allow_local_remote_servers to permit Nextcloud to reach Kanidm at auth.baduhai.dev (resolves to local IP 192.168.15.142) OAuth2 client configuration (done via kanidm CLI): - Client ID: nextcloud - Scopes: openid, email, profile mapped to idm_all_accounts group - Redirect URI: https://cloud.baduhai.dev/apps/user_oidc/code - User mapping: name claim maps to Nextcloud username This allows users to authenticate to Nextcloud using their Kanidm credentials, with existing Nextcloud accounts linked via username. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
83 lines
2.2 KiB
Nix
83 lines
2.2 KiB
Nix
{
|
|
config,
|
|
lib,
|
|
inputs,
|
|
pkgs,
|
|
...
|
|
}:
|
|
|
|
let
|
|
utils = import ../../utils.nix { inherit inputs lib; };
|
|
inherit (utils) mkNginxVHosts;
|
|
kanidmCertDir = "/var/lib/kanidm/certs";
|
|
in
|
|
|
|
{
|
|
services.kanidm = {
|
|
enableServer = true;
|
|
enableClient = true;
|
|
package = pkgs.kanidm;
|
|
|
|
serverSettings = {
|
|
domain = "auth.baduhai.dev";
|
|
origin = "https://auth.baduhai.dev";
|
|
bindaddress = "127.0.0.1:8443";
|
|
ldapbindaddress = "127.0.0.1:636";
|
|
trust_x_forward_for = true;
|
|
# Use self-signed certificates for internal TLS
|
|
tls_chain = "${kanidmCertDir}/cert.pem";
|
|
tls_key = "${kanidmCertDir}/key.pem";
|
|
};
|
|
|
|
clientSettings = {
|
|
uri = "https://auth.baduhai.dev";
|
|
};
|
|
};
|
|
|
|
services.nginx.virtualHosts = mkNginxVHosts {
|
|
domains."auth.baduhai.dev" = {
|
|
locations."/" = {
|
|
proxyPass = "https://127.0.0.1:8443";
|
|
extraConfig = ''
|
|
proxy_ssl_verify off;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
proxy_set_header Host $host;
|
|
'';
|
|
};
|
|
};
|
|
};
|
|
|
|
networking.firewall.allowedTCPPorts = [ 636 ];
|
|
|
|
# Generate self-signed certificates for kanidm's internal TLS
|
|
systemd.services.kanidm-generate-certs = {
|
|
description = "Generate self-signed TLS certificates for Kanidm";
|
|
wantedBy = [ "multi-user.target" ];
|
|
before = [ "kanidm.service" ];
|
|
serviceConfig = {
|
|
Type = "oneshot";
|
|
RemainAfterExit = true;
|
|
};
|
|
script = ''
|
|
mkdir -p ${kanidmCertDir}
|
|
if [ ! -f ${kanidmCertDir}/key.pem ]; then
|
|
${pkgs.openssl}/bin/openssl req -x509 -newkey rsa:4096 \
|
|
-keyout ${kanidmCertDir}/key.pem \
|
|
-out ${kanidmCertDir}/cert.pem \
|
|
-days 3650 -nodes \
|
|
-subj "/CN=localhost" \
|
|
-addext "subjectAltName=DNS:localhost,IP:127.0.0.1"
|
|
chown -R kanidm:kanidm ${kanidmCertDir}
|
|
chmod 600 ${kanidmCertDir}/key.pem
|
|
chmod 644 ${kanidmCertDir}/cert.pem
|
|
fi
|
|
'';
|
|
};
|
|
|
|
# Ensure certificate generation runs before kanidm starts
|
|
systemd.services.kanidm = {
|
|
after = [ "kanidm-generate-certs.service" ];
|
|
wants = [ "kanidm-generate-certs.service" ];
|
|
};
|
|
}
|