feat(router0-dmz0, sj-srv1/containers/webserver): set up kanidm

2024-10-16 18:27:42 +02:00 · 2024-10-16 18:27:42 +02:00 · 4c71887ea6
commit 4c71887ea6
parent 7f97ee3d47
7 changed files with 181 additions and 13 deletions
--- a/nix/os/containers/webserver.nix
+++ b/nix/os/containers/webserver.nix
@ -17,16 +17,19 @@ in {
    lib,
    repoFlake,
    nodeFlake,
+    system,
    ...
  }: {
    system.stateVersion = "22.05"; # Did you read the comment?

    disabledModules = [
      "services/misc/forgejo.nix"
+      "services/security/kanidm.nix"
    ];

    imports = [
      "${nodeFlake.inputs.nixpkgs-unstable}/nixos/modules/services/misc/forgejo.nix"
+      "${repoFlake.inputs.nixpkgs-kanidm}/nixos/modules/services/security/kanidm.nix"

      ../profiles/containers/configuration.nix

@ -90,6 +93,16 @@ in {
          reverse_proxy http://127.0.0.1:${builtins.toString config.services.forgejo.settings.server.HTTP_PORT}
        '';
      };
+
+      virtualHosts."kanidm.${domain}" = {
+        extraConfig = ''
+          reverse_proxy https://${builtins.toString config.services.kanidm.serverSettings.bindaddress} {
+            transport http {
+                tls_server_name ${config.services.kanidm.serverSettings.domain}
+            }
+          }
+        '';
+      };
    };

    services.hedgedoc = {
@ -116,12 +129,34 @@ in {
          url = "ldap://127.0.0.1:${builtins.toString config.services.lldap.settings.ldap_port}";
          bindDn = "uid=admin,ou=people,dc=stefanjunker,dc=de";
          # these are set via the `environmentFile`
-          bindCredentials = "$LDAP_ADMIN_PASSWORD";
+          # bindCredentials = "$LDAP_ADMIN_PASSWORD";
          searchBase = "ou=people,dc=stefanjunker,dc=de";
          searchFilter = "(&(memberOf=cn=hedgedoc,ou=groups,dc=stefanjunker,dc=de)(uid={{username}}))";
          useridField = "uid";
        };

+        oauth2 = let
+          originURL = config.services.kanidm.serverSettings.origin;
+        in {
+          providerName = "kanidm (${originURL})";
+
+          authorizationURL = "${originURL}/ui/oauth2";
+          tokenURL = "${originURL}/oauth2/token";
+          userProfileURL = "${originURL}/oauth2/openid/hedgedoc/userinfo";
+
+          scope = "openid email profile";
+          # rolesClaim = "roles";
+          # accessRole = "role/hedgedoc";
+
+          userProfileUsernameAttr = "name";
+          userProfileDisplayNameAttr = "displayname";
+          userProfileEmailAttr = "email";
+
+          clientID = "hedgedoc";
+          # set via the `environmentFile`
+          # clientSecret = "$CMD_OAUTH2_CLIENT_SECRET";
+        };
+
        uploadsPath = "/var/lib/hedgedoc/uploads";
      };

@ -268,6 +303,108 @@ in {
    systemd.services.lldap.serviceConfig.User = config.users.users.lldap.name;
    systemd.services.lldap.serviceConfig.Group = config.users.groups.lldap.name;
    systemd.services.lldap.serviceConfig.DynamicUser = lib.mkForce false;
+
+    # combine a path watcher with a service that transfers the certs by caddy to kanidm
+    systemd.paths.kanidm-tls-watch = {
+      enable = true;
+      requiredBy = ["kanidm.service"];
+      pathConfig = {
+        PathChanged = [
+          "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.key"
+          "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.crt"
+        ];
+        Unit = "kanidm-tls-update.service";
+      };
+    };
+    systemd.services.kanidm-tls-update = let
+      dbDir =
+        builtins.dirOf
+        config.services.kanidm.serverSettings.db_path;
+    in {
+      enable = true;
+      requiredBy = ["kanidm.service"];
+      unitConfig = {
+        # ConditionPathExists = [
+        #   "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.key"
+        #   "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.crt"
+        # ];
+      };
+      serviceConfig.Type = "oneshot";
+      script = let
+        tlsDir = builtins.dirOf config.services.kanidm.serverSettings.tls_key;
+      in ''
+        set -xe
+
+        cat "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.key" > tls.key
+        cat "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.crt" > tls.chain
+
+        chown ${config.systemd.services.kanidm.serviceConfig.User}:${config.systemd.services.kanidm.serviceConfig.Group} tls.{key,chain}
+        chmod 400 tls.{key,chain}
+
+        # create the kanidm directory in case it's missing
+        if [[ ! -d ${tlsDir} ]]; then
+          mkdir -p ${tlsDir}
+          chown -R ${config.systemd.services.kanidm.serviceConfig.User}:${config.systemd.services.kanidm.serviceConfig.Group} ${tlsDir}
+          chmod 700 ${tlsDir}
+        fi
+
+        mv tls.key ${config.services.kanidm.serverSettings.tls_key}
+        mv tls.chain ${config.services.kanidm.serverSettings.tls_chain}
+
+        if [[ ! -d ${dbDir} ]]; then
+          mkdir -p ${dbDir}
+          chown -R ${config.systemd.services.kanidm.serviceConfig.User}:${config.systemd.services.kanidm.serviceConfig.Group} ${dbDir}
+          chmod 700 ${dbDir}
+        fi
+      '';
+    };
+
+    systemd.services.kanidm.serviceConfig = let
+      dbDir =
+        builtins.dirOf
+        config.services.kanidm.serverSettings.db_path;
+      # stateDir = "/var/lib/${config.systemd.services.kanidm.serviceConfig.StateDirectory}";
+    in {
+      # ExecStartPre = ''
+      #   mkdir -p ${dbDir}
+      # '';
+      BindPaths = [
+        dbDir
+        # stateDir
+      ];
+    };
+
+    services.kanidm = let
+      dataDir = "/var/lib/kanidm";
+    in {
+      package = repoFlake.inputs.nixpkgs-kanidm.legacyPackages.${pkgs.system}.kanidm;
+
+      enablePam = false;
+      enableClient = false;
+
+      enableServer = true;
+      serverSettings = {
+        role = "WriteReplica";
+        log_level = "debug";
+
+        domain = "kanidm.${domain}";
+        origin = "https://kanidm.${domain}";
+
+        db_path = "${dataDir}/db/kanidm.db";
+
+        bindaddress = "127.0.0.1:8444";
+
+        # don't expose ldap
+        # ldapbindaddress = "[::1]:6636";
+
+        tls_key = "${dataDir}/tls/tls.key";
+        tls_chain = "${dataDir}/tls/tls.chain";
+
+        online_backup = {
+          schedule = "00 06 * * *";
+        };
+      };
+    };
  };

  inherit autoStart;
@ -306,6 +443,11 @@ in {
      hostPath = "/var/lib/container-volumes/webserver/var-lib-forgejo";
      isReadOnly = false;
    };
+
+    "/var/lib/kanidm" = {
+      hostPath = "/var/lib/container-volumes/webserver/var-lib-kanidm";
+      isReadOnly = false;
+    };
  };

  privateNetwork = true;
--- a/nix/os/containers/webserver_secrets.yaml
+++ b/nix/os/containers/webserver_secrets.yaml
@ -1,4 +1,4 @@
-hedgedoc_environment_file: ENC[AES256_GCM,data:ciVnpDXq5CZltHcAHJQNeKfelQlKhyXfGkUeuvwFBq8QUQDNEgLOVZ5X7Yw3kPGAvXEozK2Nz3aFfOpbGt76OmNdJ2TQNxOEpcHDJEvAoYSc/XTcctfDQmqga6MMWWAjIO3LXpFa9UD9riP6yUFNwGOB7waIvV7yD+D+QILwUyNda0/iVHtC/6HO8Yaj3nK6Fp1IDclppobIQ/MdzG+cy+yN7h0XUNOzMh91DGAC3ePIB5DX90wlXTzsox9HWWAUTh6Lpss=,iv:X7fROtc0Fn9AnZkWHAs8XFwIInBowQZzRJuLWSKSGWM=,tag:gKysRtqBhTtwLnxDv2QGBA==,type:str]
+hedgedoc_environment_file: ENC[AES256_GCM,data:gPTokPMGBAN/lGGeUs95vg45yVrrSmFCKWTjlMV4V+YnflcqiaZvifX9+0fe3DELwNL4kY4st4N0MadhLkTiSieyp46fP8Dujk4Prhi7JWweBDsN4WtxcwJfAdowgh5LTzqM3zggC/J9NGR/zgJGLYraOqsFueXycxDxntE+8MlepYFGsND4WbFHNRvsVd7xUWerZZD+JFhws2sjwC9DqoJ+mBX4u9J2faSrL3okBGwRpEZlJhe6/8pT0l1aVxI0b/9UsLUL/him/vVqY8ygMP8O95gzuDEaCtwSXw08ylhb3g3YHdMh9ZOe9dPNVocVFrB15HfxeY4KzRCVfvgmBsSiUrgUAZQ8aav2ZWHPKQ==,iv:AVtx/43MK5KVxP59olEmbkUzLhd0cBjPpVeiAJGELfM=,tag:Hd3edeUzLgHnwAwPiMGp4A==,type:str]
 authelia_storageEncryptionKey: ENC[AES256_GCM,data:BLj2+w0jUOiiqljd4WcYt90I1Y/tm6vYRn9IPvv7k+ykjeWeafDcb9LpAbYZ82iAbCDZ6cDnTIJSH50TYFM1Bw==,iv:DfrFuTMS6rzWS1F7hIloD7Eb9N6LV6MDsPGEidTCIkM=,tag:4TxiUuWj8LLCAe+3SQWthA==,type:str]
 authelia_jwtSecret: ENC[AES256_GCM,data:CtvhPJDlM8kZDh3MWI6jBEIK5P/Rc0ZY3JfQ/1qn2FyZ0kOE9CMznRQdzi125Mlh+LgfhS00aeY/esuSJ1YKnw==,iv:o29+Ja4E4USpxD5Bgg4nGpj1WdK+uJJeuyqa3c92Pys=,tag:Ko/6PqIM7FyvqMJAepTNKw==,type:str]
 lldap_jwtSecret: ENC[AES256_GCM,data:Jd05K5zZZcdFY9P+PM1ycpl4eKr7THXzlEC2gxhfq0kZ0c7NrmqpnxLFyMOoq0oZwFXQ3aE29N+dYYCbWgEs0g==,iv:k9Y4XZcFSUaaOvooMzH1AlHaI/RiZZ0cpSqTU6jzsUU=,tag:EHwIMQ00Z+IrXAKgugMbmQ==,type:str]
@ -23,8 +23,8 @@ sops:
            eWdXVHg5MTlQQU9GeElPeUZXUlBlaTgKceDu3tLbQM/DxY0tJYJTPy2Dl/SBYaoc
            KfMZOkc322/NvgWu/3Ke0hV1/eMk8EICwXbSwHhXr5a0+cwPZ9xV4A==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-10-13T17:41:14Z"
-    mac: ENC[AES256_GCM,data:1mqRRPa4tP1OFxC3Oo5uJhk3H79jxObUeIsIab8fOrafsrw9tbrqpb9lRgziR3C0ssDagb0deA6PAGH6YWvSU716Ayr3p+Ih2sXOkbkp8wV/u3AULsDUzSUglshgM5f1Hf5jvL7xoWBOzek8eMGIkFFFwu0VmkqwpqOalXY0Kxk=,iv:cC4hRQZlLuOyktS0pER6Ef0f7qVxMXfS8w9Q5p7AlTA=,tag:/maJgYz/Ks3iaQZr+WSUUA==,type:str]
+    lastmodified: "2024-10-16T12:28:51Z"
+    mac: ENC[AES256_GCM,data:nrd2czzJlBcFfwn6lzh4qqco+/XsU2J6BqvQqMtskh3mL4Xx25IAzxiCno0KlNGr6o4YsuZP5anOX9RvrDq76Us3JQ7pDi3iQGPhmg+SE9u3Rwqn1/3YConvdfPV2DNB+tuyG3UVoRqpA4d+HdcYjN9n1UKk54R6UdSm9UrA+zc=,iv:Juupyet09zUAMu7bmVxq+/Q0bXJAzR0wAyt6vKNns3w=,tag:owdUWuXrQcDdiWi+1geY9A==,type:str]
    pgp:
        - created_at: "2023-07-09T17:51:27Z"
          enc: |-