kanidm user updates
@@ -109,7 +109,10 @@ in
|
|||||||
--scopes openid \
|
--scopes openid \
|
||||||
--scopes profile \
|
--scopes profile \
|
||||||
--scopes email \
|
--scopes email \
|
||||||
|
--full-name-claim-name name \
|
||||||
--group-claim-name groups \
|
--group-claim-name groups \
|
||||||
|
--required-claim-name groups \
|
||||||
|
--required-claim-value gitea-users \
|
||||||
--admin-group gitea-users
|
--admin-group gitea-users
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
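Review bot: The added `--required-claim-value gitea-users` gate uses the same group that the existing `--admin-group gitea-users` line maps to site admin, so every account this provider admits is also an administrator; there is no way to express a regular, non-admin Gitea user with this configuration. If that is the intent for a single-person instance, say so next to the flags, e.g. `# Login is restricted to gitea-users, and that same group is admin: every permitted account is an admin.`; otherwise gate login on a broader group and keep `--admin-group` on a narrower one. The surrounding `''` string and attribute set begin outside the hunk.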
|
|||||||
@@ -1,11 +1,13 @@
|
|||||||
{
|
{
|
||||||
config,
|
config,
|
||||||
|
lib,
|
||||||
pkgs,
|
pkgs,
|
||||||
...
|
...
|
||||||
}:
|
}:
|
||||||
let
|
let
|
||||||
domain = "nayeonie.com";
|
domain = "nayeonie.com";
|
||||||
authDomain = "auth.${domain}";
|
authDomain = "auth.${domain}";
|
||||||
|
aliceSshKeys = config.users.users.alice.openssh.authorizedKeys.keys;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
services = {
|
services = {
|
||||||
@@ -43,6 +45,7 @@ in
|
|||||||
persons = {
|
persons = {
|
||||||
alice = {
|
alice = {
|
||||||
displayName = "Alice";
|
displayName = "Alice";
|
||||||
|
mailAddresses = [ "aliceghuston@gmail.com" ];
|
||||||
present = true;
|
present = true;
|
||||||
groups = [ "gitea-users" ];
|
groups = [ "gitea-users" ];
|
||||||
};
|
};
|
||||||
@@ -79,6 +82,44 @@ in
|
|||||||
# Certs are currently group-readable by haproxy for docker HAProxy.
|
# Certs are currently group-readable by haproxy for docker HAProxy.
|
||||||
users.users.kanidm.extraGroups = [ "haproxy" ];
|
users.users.kanidm.extraGroups = [ "haproxy" ];
|
||||||
|
|
||||||
|
systemd.services.kanidm-person-ssh-keys-bootstrap = {
|
||||||
|
description = "Bootstrap Kanidm SSH public keys for alice";
|
||||||
|
wantedBy = [ "multi-user.target" ];
|
||||||
|
requires = [ "kanidm.service" ];
|
||||||
|
after = [ "kanidm.service" ];
|
||||||
|
serviceConfig = {
|
||||||
|
Type = "oneshot";
|
||||||
|
User = "root";
|
||||||
|
Group = "root";
|
||||||
|
};
|
||||||
|
path = [
|
||||||
|
config.services.kanidm.package
|
||||||
|
pkgs.coreutils
|
||||||
|
pkgs.gawk
|
||||||
|
pkgs.gnugrep
|
||||||
|
];
|
||||||
|
script = ''
|
||||||
|
set -eu
|
||||||
|
|
||||||
|
url="https://${authDomain}"
|
||||||
|
password="$(<${config.sops.secrets."kanidm/admin_password".path})"
|
||||||
|
state_dir="/var/lib/kanidm/ssh-bootstrap"
|
||||||
|
mkdir -p "$state_dir"
|
||||||
|
chmod 700 "$state_dir"
|
||||||
|
export HOME="$state_dir"
|
||||||
|
|
||||||
|
# Authenticate idm_admin for CLI operations.
|
||||||
|
printf '%s\n' "$password" | kanidm login -H "$url" -D idm_admin >/dev/null
|
||||||
|
|
||||||
|
existing_keys="$(kanidm -H "$url" -D idm_admin person ssh list-publickeys alice || true)"
|
||||||
|
i=0
|
||||||
|
${lib.concatMapStringsSep "\n" (
|
||||||
|
key:
|
||||||
|
" i=$((i + 1))\n if ! printf '%s\\n' \"$existing_keys\" | grep -Fq ${lib.escapeShellArg key}; then\n kanidm -H \"$url\" -D idm_admin person ssh add-publickey alice \"home-key-$i\" ${lib.escapeShellArg key} >/dev/null\n fi"
|
||||||
|
) aliceSshKeys}
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
networking.firewall.allowedTCPPorts = [
|
networking.firewall.allowedTCPPorts = [
|
||||||
3890
|
3890
|
||||||
8443
|
8443
|
||||||
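Review bot: The `|| true` on the `existing_keys=` line swallows a failed `list-publickeys` (expired session, person not yet provisioned, API error), so `set -e` never fires and the generated loop proceeds with an empty list, re-issuing `add-publickey` for every key under the fixed names `home-key-$i`; whether that then fails on a duplicate label or silently adds duplicates depends on the server, which the hunk does not show. Dropping the fallback — `existing_keys="$(kanidm -H "$url" -D idm_admin person ssh list-publickeys alice)"` — lets the oneshot fail loudly instead, and `set -euo pipefail` would likewise surface a failed `kanidm login` on the `printf | kanidm login` line, which `set -e` alone does not catch for the left side of a pipe. The `grep -Fq` membership test is a substring match on whatever `list-publickeys` prints, which appears to work for full key strings but would also treat a key that is a prefix of another as already present; a short comment stating the assumed output format of `list-publickeys` would help the next maintainer. The unit runs on every boot and stores the CLI session under `/var/lib/kanidm/ssh-bootstrap` with mode 700 as root, which is reasonable; the enclosing top-level attribute set continues past the end of the hunk.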
|
|||||||