tsuki: setup oauth2 for pgadmin

This commit also changes the pgadmin package from `22.11` to `unstable`
This commit is contained in:
Oystein Kristoffer Tveit 2023-03-17 00:54:36 +01:00
parent 5e2a5a939b
commit df3aa7c10e
Signed by: oysteikt
GPG Key ID: 9F2F7D8250F35146
3 changed files with 53 additions and 8 deletions

View File

@ -99,8 +99,11 @@
android_sdk.accept_license = true;
};
overlays = [
(self: super: { kanidm = unstable-pkgs.callPackage ./package-overrides/kanidm.nix {}; })
overlays = let
nonrecursive-unstable-pkgs = nixpkgs-unstable.legacyPackages.${system};
in [
(self: super: { kanidm = super.callPackage ./package-overrides/kanidm.nix {}; })
(self: super: { pgadmin4 = nonrecursive-unstable-pkgs.pgadmin4; })
osuchan.overlays.default
];
};

View File

@ -14,17 +14,56 @@
# settings = {};
};
sops.secrets = {
"pgadmin/oauth2_secret" = rec {
restartUnits = [ "pgadmin.service" ];
owner = config.systemd.services.pgadmin.serviceConfig.User;
group = config.users.users.${owner}.group;
};
"pgadmin/initialPassword" = rec {
restartUnits = [ "pgadmin.service" ];
owner = config.systemd.services.pgadmin.serviceConfig.User;
group = config.users.users.${owner}.group;
};
};
services.pgadmin = {
enable = true;
openFirewall = true;
initialEmail = "h7x4@nani.wtf";
initialPasswordFile = "${config.machineVars.dataDrives.default}/keys/pgadmin_pass";
initialPasswordFile = config.sops.secrets."pgadmin/initialPassword".path;
port = secrets.ports.pgadmin;
settings = {
DATA_DIR = "${config.machineVars.dataDrives.default}/var/pgadmin";
settings = let
authServerUrl = config.services.kanidm.serverSettings.origin;
in {
# FIXME: pgadmin does not work with NFS by default, because it uses
# some kind of metafiles in its data directory.
# DATA_DIR = "${config.machineVars.dataDrives.default}/var/pgadmin";
DATA_DIR = "/var/lib/pgadmin";
AUTHENTICATION_SOURCES = [ "oauth2" ];
OAUTH2_AUTO_CREATE_USER = true;
OAUTH2_CONFIG = [ rec {
OAUTH2_NAME = "KaniDM";
OAUTH2_DISPLAY_NAME = "KaniDM";
OAUTH2_CLIENT_ID = "pgadmin";
OAUTH2_API_BASE_URL = "${authServerUrl}/oauth2";
OAUTH2_TOKEN_URL = "${authServerUrl}/oauth2/token";
OAUTH2_AUTHORIZATION_URL = "${authServerUrl}/ui/oauth2";
OAUTH2_USERINFO_ENDPOINT = "${authServerUrl}/oauth2/openid/${OAUTH2_CLIENT_ID}/userinfo";
OAUTH2_SERVER_METADATA_URL = "${authServerUrl}/oauth2/openid/${OAUTH2_CLIENT_ID}/.well-known/openid-configuration";
OAUTH2_SCOPE = "openid email profile";
OAUTH2_ICON = "fa-lock";
OAUTH2_BUTTON_COLOR = "#ff6600";
}];
};
};
environment.etc."pgadmin/config_system.py".text = let
in ''
with open("${config.sops.secrets."pgadmin/oauth2_secret".path}") as f:
OAUTH2_CONFIG[0]['OAUTH2_CLIENT_SECRET'] = f.read()
'';
services.postgresqlBackup = {
enable = true;
location = "${config.machineVars.dataDrives.drives.backup}/postgres";

View File

@ -1,5 +1,5 @@
headscale:
oauth_secret: ""
oauth2_secret: ENC[AES256_GCM,data:Ois+s0O9wgL3zWpgk6E35o5HczIW/4wnSq2KU+F59u4FBFPAtbl/WD0N4AKgWMrm,iv:UX8vhNvHvA5BmNmx5eW8ugce+yZCE1lt2ux8sJajZ8Q=,tag:xOpdLLryt8MptiVsKibNew==,type:str]
hedgedoc:
env: ENC[AES256_GCM,data:4i2I7S5hKp3mjROMwa3WQinbgmxXhKzSaWspzF12TIDm9g3Bgie0jfSxbDuPjJYq1mZ8oQ2Jzdi2N+Q4blOk9fZO3VREoU0qFrfqm8RqBw3a7hpisXzu9okYnzrW2JiVxNGWwZbuiCG1SzdMOMHq/ZqLEJdu7Pxm9cY9xBSZthap1DCFyr7dmjHt3AnEQemsDpxSaWKD2Dfs1gyA23rLAFBd,iv:lfB6uaXULUNme7cGyN+bKuXPsbgpjMrxrRy2L96HltY=,tag:uu37bZ4g/PA2mgzs3ioLCQ==,type:str]
cloudflare:
@ -9,6 +9,9 @@ drives:
credentials: ENC[AES256_GCM,data:ypMZhs7dQw/IlcLwHwFcIZw0N+kCzvFGLe3gEqZVe1hj0lzK8MCfxAR8GpA=,iv:by5ljMzOuuY4b6BDUQNLhp8/gcXDNe+rHkqhFzjNA6c=,tag:3C5iYsxEWwAKs9Blgr5o6g==,type:str]
postgres:
gitea: ENC[AES256_GCM,data:HyYgEgOzeOnaEvPDEXoL+fRhrnqCeGbb/wOYf2kHulxrU9PKIAcRzmNljsc=,iv:1N/N2RUQ++rAWw4VNQzhee2aV9LzOJym6cyM6CAnZUU=,tag:o7dblJrIAPd4/S8X2LKdcQ==,type:str]
pgadmin:
oauth2_secret: ENC[AES256_GCM,data:A1Upe1Ja76++ZdOx5YhuKjpaont4m5ChRzn/YVpJbnFzWy1tFlBkOr6UgBj7Wopg,iv:hY+b7AVSrSgHu/10reIjUjJ8+yR4FrZe2JgGiAowfGs=,tag:thy6O1Y3FGTWaQXqlU9aYg==,type:str]
initialPassword: ENC[AES256_GCM,data:674lqcGTDCOYBNocf0LQuQB1cbMus0iZOcvwbadpAXrF4DPQSetqrg==,iv:y8hfzLh6i7LxR11fmM9T0z2t7202JMAiZzi/1iCWPvM=,tag:lHwCBWaWsArrAJ0rZ8Xk/w==,type:str]
sops:
kms: []
gcp_kms: []
@ -24,8 +27,8 @@ sops:
UE1YWkplaFBhV01CU0FDYTQ3NlkwVkUKMJyCfyh/vcj/VU7shtFF4YRRVaWdcMNh
rp9lZmRZpc9mARXYAj9RlkI/uuSzxshtqb5AGXKmSV0hncazxu75kg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-03-08T14:35:20Z"
mac: ENC[AES256_GCM,data:V3LhoWRReZkj16s7/90zvS4GaAXDf7gY3qKGAoYRKPKrbBVDHS3Z6Vd+HZVTNcGZ0gfsJUeI8PXP2CnevN06/NKSIgyGP/8fDYSXCr2Qs3ccOnsWArAT6v83+xFxESIhlC9ww5plbAqCXPfUEHTg3SX7wa3vOQagOBjphKtPYD8=,iv:fYbmMGwbaMpyV7i8/rSTyOdK2TS0u4/0MUAPFZBV4E8=,tag:OIimZjzn6rvuweZVEmsnvw==,type:str]
lastmodified: "2023-03-16T22:23:30Z"
mac: ENC[AES256_GCM,data:WhmY8htyrpTsAHuA8Q6RquBSafTZR/ocyB/OvLRhIV4gksSbzCWeMR+5Jwvvr8XYkwzD3rpCgCiqpA6R8ibxfdhHYZwHKMJNrAlpBdXSom67q9RUvDJjiCEQyJpcsvjJmT1mM9J3E6iVymoI0h2WW+rGzN3vgONBIr86p0nknKI=,iv:JdHn/qSzPCwkaBL81Wax0ThXFtSGrb26shA1tfXy/aI=,tag:dZLtLJM5mNCO6OOWLtQwXg==,type:str]
pgp:
- created_at: "2023-03-07T12:32:53Z"
enc: |