From f100febf99c003d7a61a25ec52b2577c95cadb02 Mon Sep 17 00:00:00 2001
From: ahuston-0
Date: Sat, 2 May 2026 13:16:44 -0400
Subject: [PATCH] kanidm user updates

---
 systems/palatine-hill/gitea.nix | 3 +++
 systems/palatine-hill/kanidm.nix | 41 ++++++++++++++++++++++++++++++++
 2 files changed, 44 insertions(+)

diff --git a/systems/palatine-hill/gitea.nix b/systems/palatine-hill/gitea.nix
index df9c71c..b47908b 100644
--- a/systems/palatine-hill/gitea.nix
+++ b/systems/palatine-hill/gitea.nix
@@ -109,7 +109,10 @@ in
 --scopes openid \
 --scopes profile \
 --scopes email \
+ --full-name-claim-name name \
 --group-claim-name groups \
+ --required-claim-name groups \
+ --required-claim-value gitea-users \
 --admin-group gitea-users
 '';
 };
diff --git a/systems/palatine-hill/kanidm.nix b/systems/palatine-hill/kanidm.nix
index d4aacfb..354fb47 100644
--- a/systems/palatine-hill/kanidm.nix
+++ b/systems/palatine-hill/kanidm.nix
@@ -1,11 +1,13 @@
 {
 config,
+ lib,
 pkgs,
 ...
 }:
 let
 domain = "nayeonie.com";
 authDomain = "auth.${domain}";
+ aliceSshKeys = config.users.users.alice.openssh.authorizedKeys.keys;
 in
 {
 services = {
@@ -43,6 +45,7 @@ in
 persons = {
 alice = {
 displayName = "Alice";
+ mailAddresses = [ "aliceghuston@gmail.com" ];
 present = true;
 groups = [ "gitea-users" ];
 };
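Review bot: `--required-claim-value gitea-users` gates login on the same group that the unchanged `--admin-group gitea-users` below it promotes to site administrator, so every account the gate admits is also a Gitea admin and the required claim adds no separation between "may log in" and "may administer". If the intent is to restrict who can log in, keep the required claim on `gitea-users` and point the admin mapping at a separate, smaller group, e.g. `--admin-group gitea-admins`, provisioned alongside `gitea-users` in kanidm.nix. Whether a `groups` claim delivered as a JSON array satisfies `--required-claim-value` depends on Gitea's claim matching, so after deploying, verify that a Kanidm user outside `gitea-users` is actually rejected rather than assuming it. The `gitea admin auth update-oauth` command this hunk belongs to starts before the hunk.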
@@ -79,6 +82,44 @@ in
 # Certs are currently group-readable by haproxy for docker HAProxy.
 users.users.kanidm.extraGroups = [ "haproxy" ];
 
+ systemd.services.kanidm-person-ssh-keys-bootstrap = {
+ description = "Bootstrap Kanidm SSH public keys for alice";
+ wantedBy = [ "multi-user.target" ];
+ requires = [ "kanidm.service" ];
+ after = [ "kanidm.service" ];
+ serviceConfig = {
+ Type = "oneshot";
+ User = "root";
+ Group = "root";
+ };
+ path = [
+ config.services.kanidm.package
+ pkgs.coreutils
+ pkgs.gawk
+ pkgs.gnugrep
+ ];
+ script = ''
+ set -eu
+
+ url="https://${authDomain}"
+ password="$(<${config.sops.secrets."kanidm/admin_password".path})"
+ state_dir="/var/lib/kanidm/ssh-bootstrap"
+ mkdir -p "$state_dir"
+ chmod 700 "$state_dir"
+ export HOME="$state_dir"
+
+ # Authenticate idm_admin for CLI operations.
+ printf '%s\n' "$password" | kanidm login -H "$url" -D idm_admin >/dev/null
+
+ existing_keys="$(kanidm -H "$url" -D idm_admin person ssh list-publickeys alice || true)"
+ i=0
+ ${lib.concatMapStringsSep "\n" (
+ key:
+ " i=$((i + 1))\n if ! printf '%s\\n' \"$existing_keys\" | grep -Fq ${lib.escapeShellArg key}; then\n kanidm -H \"$url\" -D idm_admin person ssh add-publickey alice \"home-key-$i\" ${lib.escapeShellArg key} >/dev/null\n fi"
+ ) aliceSshKeys}
+ '';
+ };
+
 networking.firewall.allowedTCPPorts = [
 3890
 8443
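Review bot: The `|| true` on `existing_keys="$(kanidm ... person ssh list-publickeys alice || true)"` turns a failed listing (e.g. Kanidm not yet answering on HTTPS right after `kanidm.service` reports started) into an empty list, so the loop then tries to add every key again under `home-key-$i` instead of failing the unit; drop the `|| true` and let `set -eu` stop the script, since adding against unknown state is worse than a retry on the next activation. The loop is also add-only: a key removed from `aliceSshKeys` is never deleted from Kanidm, so revoking a key in this config does not revoke it for SSH, which deserves either a reconciliation step or a comment above `i=0` such as `# Add-only: keys dropped from aliceSshKeys must be removed from Kanidm by hand.`. The `grep -Fq` check presumably relies on list-publickeys printing each key exactly as configured (comment field included); if the CLI normalizes its output the match misses and add-publickey runs on every boot, so confirm against real output. The secret is named `kanidm/admin_password` but is fed to `kanidm login -D idm_admin`; Kanidm keeps `admin` and `idm_admin` as distinct accounts with separate passwords, so make sure the stored value is the idm_admin one. The idm_admin session token presumably remains under `$state_dir` after the oneshot exits; finishing with `kanidm logout -H "$url" -D idm_admin` keeps that root-only credential short-lived.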