host: opt: www: Added declaritive groups, oauth clients, and persons …

…to kanidm
aftix · Jan 7, 2025 · 905c24b · 905c24b
1 parent 4c4d69b
commit 905c24b
Showing 1 changed file with 25 additions and 0 deletions.
diff --git a/host/opt/www/kanidm.nix b/host/opt/www/kanidm.nix
@@ -60,6 +60,31 @@ in {
           adminPasswordFile = config.sops.secrets.kanidm_admin_password.path;
           idmAdminPasswordFile = config.sops.secrets.kanidm_idmadmin_password.path;
           instanceUrl = "https://localhost:${builtins.toString cfg.port}";
+
+          groups = {
+            administrators.present = true;
+            forgejo_users.present = true;
+          };
+
+          persons = {
+            administrator = {
+              displayName = "Administrator";
+              groups = [
+                "administrators"
+                "forgejo_users"
+              ];
+              present = true;
+            };
+          };
+
+          systems.oauth2.forgejo = {
+            allowInsecureClientDisablePkce = true;
+            displayName = "Forgejo";
+            present = true;
+            originLanding = "https://forge.aftix.xyz/";
+            originUrl = "https://forge.aftix.xyz/user/oauth2/kanidm/callback";
+            scopeMaps.forgejo_users = ["email" "groups" "openid" "profile"];
+          };
         };
         serverSettings = {
           inherit (cfg) domain;