From 05b96b8fae4c2b8fab3194e9f1d49636a8570656 Mon Sep 17 00:00:00 2001
From: June
Date: Wed, 9 Oct 2024 02:18:46 +0200
Subject: [PATCH] netbox: integrate with CCCHH ID (Keycloak)
---
 config/hosts/netbox/netbox.nix | 18 +++++++++++++++++-
 config/hosts/netbox/secrets.yaml | 5 +++--
 2 files changed, 20 insertions(+), 3 deletions(-)
diff --git a/config/hosts/netbox/netbox.nix b/config/hosts/netbox/netbox.nix
index ff32349..e0f2df9 100644
--- a/config/hosts/netbox/netbox.nix
+++ b/config/hosts/netbox/netbox.nix
@@ -11,9 +11,19 @@
 enable = true;
 package = pkgs.netbox;
 secretKeyFile = "/run/secrets/netbox_secret_key";
+ keycloakClientSecret = "/run/secrets/netbox_keycloak_secret";
 settings = {
 ALLOWED_HOSTS = [ "netbox.hamburg.ccc.de" ];
 SESSION_COOKIE_SECURE = true;
+ # CCCHH ID (Keycloak) integration.
+ # https://github.com/python-social-auth/social-core/blob/0925304a9e437f8b729862687d3a808c7fb88a95/social_core/backends/keycloak.py#L7
+ # https://python-social-auth.readthedocs.io/en/latest/backends/keycloak.html
+ REMOTE_AUTH_BACKEND = "social_core.backends.keycloak.KeycloakOAuth2";
+ SOCIAL_AUTH_KEYCLOAK_KEY = "netbox";
+ # SOCIAL_AUTH_KEYCLOAK_SECRET set via keycloakClientSecret option.
+ SOCIAL_AUTH_KEYCLOAK_PUBLIC_KEY = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAi/Shi+b2OyYNGVFPsa6qf9SesEpRl5U5rpwgmt8H7NawMvwpPUYVW9o46QW0ulYcDmysT3BzpP3tagO/SFNoOjZdYe0D9nJ7vEp8KHbzR09KCfkyQIi0wLssKnDotVHL5JeUY+iKk+gjiwF9FSFSHPBqsST7hXVAut9LkOvs2aDod9AzbTH/uYbt4wfUm5l/1Ii8D+K7YcsFGUIqxv4XS/ylKqObqN4M2dac69iIwapoh6reaBQEm66vrOzJ+3yi4DZuPrkShJqi2hddtoyZihyCkF+eJJKEI5LrBf1KZB3Ec2YUrqk93ZGUGs/XY6R87QSfR3hJ82B1wnF+c2pw+QIDAQAB";
+ SOCIAL_AUTH_KEYCLOAK_AUTHORIZATION_URL = "https://id.hamburg.ccc.de/realms/ccchh/protocol/openid-connect/auth";
+ SOCIAL_AUTH_KEYCLOAK_ACCESS_TOKEN_URL = "https://id.hamburg.ccc.de/realms/ccchh/protocol/openid-connect/token";
 };
 };
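Review bot: `REMOTE_AUTH_ENABLED` is not set anywhere in this hunk, and NetBox's documentation lists `REMOTE_AUTH_ENABLED = True` as a prerequisite for `REMOTE_AUTH_BACKEND` being used at login; unless it is set elsewhere in the file (the enclosing attribute set, presumably `services.netbox`, starts before the hunk), add `REMOTE_AUTH_ENABLED = true;` next to `REMOTE_AUTH_BACKEND` and confirm the SSO login button actually appears. The inline `SOCIAL_AUTH_KEYCLOAK_PUBLIC_KEY` literal is the key social-core uses to verify the signature of the tokens Keycloak returns, so a rotation of the `ccchh` realm's RS256 signing key will break SSO login until this value is refreshed by hand; record that with a comment such as `# Realm RS256 public key copied from https://id.hamburg.ccc.de/realms/ccchh -- refresh if the realm signing key is rotated.` As far as I know NetBox keeps its local password backend in `AUTHENTICATION_BACKENDS` alongside the remote backend, so existing local accounts remain usable once SSO is live; a one-line comment stating whether that is intended would help the next operator decide when to retire or audit those accounts.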
@@ -21,6 +31,12 @@
 mode = "0440";
 owner = "netbox";
 group = "netbox";
- restartUnits = [ "netbox.service" ];
+ restartUnits = [ "netbox.service" "netbox-rq.service" ];
+ };
+ sops.secrets."netbox_keycloak_secret" = {
+ mode = "0440";
+ owner = "netbox";
+ group = "netbox";
+ restartUnits = [ "netbox.service" "netbox-rq.service" ];
 };
 }
diff --git a/config/hosts/netbox/secrets.yaml b/config/hosts/netbox/secrets.yaml
index 6f9e3e5..831a7a1 100644
--- a/config/hosts/netbox/secrets.yaml
+++ b/config/hosts/netbox/secrets.yaml
@@ -1,4 +1,5 @@
 netbox_secret_key: ENC[AES256_GCM,data:7cVGSlrCo3MEjeLjfeZrL0VZi3+yZqsC3qI+rx+xadic78H0egWCCNaYEHIgtilgFjw=,iv:gnearzPduWcrVLU/FuzS05eNPZ5srX0hqZyElq+19ek=,tag:9MKgFb4eVYE6a5ncx9sgpw==,type:str]
+netbox_keycloak_secret: ENC[AES256_GCM,data:WLPCwl6KmHhyGwpqchZUmTr0XwA1T9asAEXNOSQMfGU=,iv:fsO+Ho18Uz6+y2iohbve1bUKhCR/c2zNrbODR2Jrh3Q=,tag:MWeh7GhdyUJnSzrndA3l3Q==,type:str]
 sops:
 kms: []
 gcp_kms: []
@@ -14,8 +15,8 @@ sops:
 V1lQK3YzTWI5ZGdyeGtFQ0E3QXQ3YnMK8sBStC8xBKwpeWkF/HrryWi0hZA69nuw
 a73HiZuED8KEp5OPME3yC6Ode71uEEaE/av2zp7WUYbCqVpWnwcjSg==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-05-26T01:07:35Z"
- mac: ENC[AES256_GCM,data:0zWNPrUqpuC/qXOaTE8ayrTbnZdg9VA2NqxSNnV0bogqxVkg8zhbx8OKYfNQ0DswjxKNEnKsqjp62gA678VfRfGHJU5ZoHfAC7kBbrkDy+pMzS6LRwT+7n0C1AbaaG7hienGJQsx2gUUYqu7OSQuS722lXAw65deFvZGtL6lt8E=,iv:mOLkzF5pJFazmH9XX94Hjd04FcgSh0hY4juEO3vKNBc=,tag:lSk0lnVONQCmuO0KmxlL0Q==,type:str]
+ lastmodified: "2024-10-08T23:54:23Z"
+ mac: ENC[AES256_GCM,data:6KwBwJ1uTuOaCTcBs9sgvX+E/bV37ylJmDqYupa3545ba5Y3VMuF2Hx72zzRYPmh5/DmwzDxc/f7TZUheO5jwwwMGGNCYuX2c+nkzLgtovT/yCXTo8vPHNf03fQRHlOq28ztQIG8Ug1s/t4XkA+iuqPdbvyNKLbsJfJBqg4SF44=,iv:SUXPFtW3/pSTBnjAh77G6pJTucHy4VEhUVkELiMJ4JU=,tag:SfLCwPpJuvL7RrIRmN5PGg==,type:str]
 pgp:
 - created_at: "2024-05-26T01:07:22Z"
 enc: |-