kanidm user updates

2026-05-02 13:16:44 -04:00
parent 0f3e1b3e36
commit f100febf99
2 changed files with 44 additions and 0 deletions
--- a/systems/palatine-hill/kanidm.nix
+++ b/systems/palatine-hill/kanidm.nix
@@ -1,11 +1,13 @@
 {
  config,
+  lib,
  pkgs,
  ...
 }:
 let
  domain = "nayeonie.com";
  authDomain = "auth.${domain}";
+  aliceSshKeys = config.users.users.alice.openssh.authorizedKeys.keys;
 in
 {
  services = {
@@ -43,6 +45,7 @@ in
        persons = {
          alice = {
            displayName = "Alice";
+            mailAddresses = [ "aliceghuston@gmail.com" ];
            present = true;
            groups = [ "gitea-users" ];
          };
@@ -79,6 +82,44 @@ in
  # Certs are currently group-readable by haproxy for docker HAProxy.
  users.users.kanidm.extraGroups = [ "haproxy" ];

+  systemd.services.kanidm-person-ssh-keys-bootstrap = {
+    description = "Bootstrap Kanidm SSH public keys for alice";
+    wantedBy = [ "multi-user.target" ];
+    requires = [ "kanidm.service" ];
+    after = [ "kanidm.service" ];
+    serviceConfig = {
+      Type = "oneshot";
+      User = "root";
+      Group = "root";
+    };
+    path = [
+      config.services.kanidm.package
+      pkgs.coreutils
+      pkgs.gawk
+      pkgs.gnugrep
+    ];
+    script = ''
+            set -eu
+
+            url="https://${authDomain}"
+            password="$(<${config.sops.secrets."kanidm/admin_password".path})"
+            state_dir="/var/lib/kanidm/ssh-bootstrap"
+            mkdir -p "$state_dir"
+            chmod 700 "$state_dir"
+            export HOME="$state_dir"
+
+            # Authenticate idm_admin for CLI operations.
+            printf '%s\n' "$password" | kanidm login -H "$url" -D idm_admin >/dev/null
+
+            existing_keys="$(kanidm -H "$url" -D idm_admin person ssh list-publickeys alice || true)"
+            i=0
+      ${lib.concatMapStringsSep "\n" (
+        key:
+        "      i=$((i + 1))\n      if ! printf '%s\\n' \"$existing_keys\" | grep -Fq ${lib.escapeShellArg key}; then\n        kanidm -H \"$url\" -D idm_admin person ssh add-publickey alice \"home-key-$i\" ${lib.escapeShellArg key} >/dev/null\n      fi"
+      ) aliceSshKeys}
+    '';
+  };
+
  networking.firewall.allowedTCPPorts = [
    3890
    8443