From 8ec86f35a1a6dd6fa8f64777d7cba0a0abff5658 Mon Sep 17 00:00:00 2001
From: Alexander Tomokhov
Date: Tue, 5 Nov 2024 23:02:01 +0400
Subject: [PATCH] kanidm 1.4.0

---
 sp-modules/auth/config-paths-needed.json | 3 +-
 sp-modules/auth/flake.nix | 27 +++++++---
 sp-modules/auth/module.nix | 26 ++++-----
 sp-modules/roundcube/config-paths-needed.json | 1 +
 sp-modules/roundcube/module.nix | 54 ++++++++-----------
 5 files changed, 56 insertions(+), 55 deletions(-)

diff --git a/sp-modules/auth/config-paths-needed.json b/sp-modules/auth/config-paths-needed.json
index f75f298..47db4d4 100644
--- a/sp-modules/auth/config-paths-needed.json
+++ b/sp-modules/auth/config-paths-needed.json
@@ -3,5 +3,6 @@
 ["security", "acme", "certs"],
 ["selfprivacy", "domain"],
 ["selfprivacy", "modules"],
- ["services"]
+ ["services"],
+ ["systemd", "services", "kanidm"]
 ]
diff --git a/sp-modules/auth/flake.nix b/sp-modules/auth/flake.nix
index a86ec75..46b2d32 100644
--- a/sp-modules/auth/flake.nix
+++ b/sp-modules/auth/flake.nix
@@ -1,13 +1,24 @@ { description = "User authentication and authorization module"; - # TODO remove when working Kanidm lands in nixpkgs and Hydra - inputs.nixpkgs-unstable.url = github:alexoundos/nixpkgs/b84444cbd57e934312f6a03d2d783ed0b7f94957; + # TODO remove when Kanidm provisioning without groups assertion lands in NixOS + inputs.nixos-unstable.url = github:alexoundos/nixpkgs/679fd3fd318ce2d57d0cabfbd7f4b8857d78ae95; + # inputs.nixos-unstable.url = git+file:/data/nixpkgs?ref=kanidm-1.4.0&rev=3feae1d8a2681b57c07d3a212a083988da6b96d2; - outputs = { self, nixpkgs-unstable }: { + outputs = { self, nixos-unstable }: { overlays.default = _final: prev: { - inherit (nixpkgs-unstable.legacyPackages.${prev.system}) - kanidm kanidm-provision oauth2-proxy; + inherit (nixos-unstable.legacyPackages.${prev.system}) + kanidm oauth2-proxy; + kanidm-provision = + nixos-unstable.legacyPackages.${prev.system}.kanidm-provision.overrideAttrs (_: { + # version = "git"; + # src = prev.fetchFromGitHub { + # owner = "oddlama"; + # repo = "kanidm-provision"; + # rev = "d1f55c9247a6b25d30bbe90a74307aaac6306db4"; + # hash = "sha256-cZ3QbowmWX7j1eJRiUP52ao28xZzC96OdZukdWDHfFI="; + # }; + }); }; nixosModules.default = { ... }: { @@ -17,11 +28,11 @@ "services/security/oauth2-proxy-nginx.nix" ]; imports = [ - (nixpkgs-unstable.legacyPackages.x86_64-linux.path + (nixos-unstable.legacyPackages.x86_64-linux.path + /nixos/modules/services/security/kanidm.nix) - (nixpkgs-unstable.legacyPackages.x86_64-linux.path + (nixos-unstable.legacyPackages.x86_64-linux.path + /nixos/modules/services/security/oauth2-proxy.nix) - (nixpkgs-unstable.legacyPackages.x86_64-linux.path + (nixos-unstable.legacyPackages.x86_64-linux.path + /nixos/modules/services/security/oauth2-proxy-nginx.nix) ./module.nix ]; diff --git a/sp-modules/auth/module.nix b/sp-modules/auth/module.nix index 684915e..d49fcce 100644 --- a/sp-modules/auth/module.nix +++ b/sp-modules/auth/module.nix 
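Review bot: The new `kanidm-provision = nixos-unstable.legacyPackages.${prev.system}.kanidm-provision.overrideAttrs (_: { ... });` is a no-op, because the attribute set it passes contains only commented-out lines, so the overlay now carries dead code plus a stale fork rev and hash that will drift from whatever is actually built. Either drop the override and put `kanidm-provision` back into the `inherit (nixos-unstable.legacyPackages.${prev.system}) kanidm kanidm-provision oauth2-proxy;` list, or keep it only once it changes something. Pinning `inputs.nixos-unstable` to a personal fork by commit is reproducible, but it makes this module trust that fork's history for the whole kanidm/oauth2-proxy stack, so the TODO should name what upstream change it is waiting on, e.g. `# TODO remove once Kanidm provisioning without the groups assertion lands in upstream nixpkgs (link the PR here)`, so the pin can be reviewed and retired. The commented `git+file:/data/nixpkgs?...` input refers to a local checkout and should not be committed.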
@@ -53,18 +53,18 @@ in enableServer = true; # kanidm with Rust code patches for OAuth and admin passwords provisioning - # package = pkgs.kanidm.withSecretProvisioning; + package = pkgs.kanidm.withSecretProvisioning; # FIXME - package = pkgs.kanidm.withSecretProvisioning.overrideAttrs (_: { - version = "git"; - src = pkgs.fetchFromGitHub { - owner = "AleXoundOS"; - repo = "kanidm"; - rev = "a1a55f2e53facbfa504c7d64c44c3b5d0eb796c2"; - hash = "sha256-ADh4Zwn6EMt4CiOrvgG0RbmNMeR5i0ilVTxF46t/wm8="; - }; - doCheck = false; - }); + # package = pkgs.kanidm.withSecretProvisioning.overrideAttrs (_: { + # version = "git"; + # src = pkgs.fetchFromGitHub { + # owner = "AleXoundOS"; + # repo = "kanidm"; + # rev = "a1a55f2e53facbfa504c7d64c44c3b5d0eb796c2"; + # hash = "sha256-ADh4Zwn6EMt4CiOrvgG0RbmNMeR5i0ilVTxF46t/wm8="; + # }; + # doCheck = false; + # }); serverSettings = { inherit domain; @@ -93,8 +93,8 @@ in autoRemove = false; # FIXME read randomly generated password from ? - adminPasswordFile = pkgs.writeText "admin-pw" provisionAdminPassword; - idmAdminPasswordFile = pkgs.writeText "idm-admin-pw" provisionIdmAdminPassword; + # adminPasswordFile = pkgs.writeText "admin-pw" provisionAdminPassword; + # idmAdminPasswordFile = pkgs.writeText "idm-admin-pw" provisionIdmAdminPassword; }; enableClient = true; clientSettings = { diff --git a/sp-modules/roundcube/config-paths-needed.json b/sp-modules/roundcube/config-paths-needed.json index 4ee28e6..f017fdd 100644 --- a/sp-modules/roundcube/config-paths-needed.json +++ b/sp-modules/roundcube/config-paths-needed.json @@ -2,5 +2,6 @@ ["selfprivacy", "domain"], ["selfprivacy", "modules", "roundcube"], ["selfprivacy", "modules", "auth"], + ["service", "kanidm"], ["mailserver", "fqdn"] ] diff --git a/sp-modules/roundcube/module.nix b/sp-modules/roundcube/module.nix index c88ecc6..004d9f6 100644 --- a/sp-modules/roundcube/module.nix +++ b/sp-modules/roundcube/module.nix 
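Review bot: The re-enabled `package = pkgs.kanidm.withSecretProvisioning; # FIXME` is followed by the entire previous fork override kept as commented-out code, including a pinned rev, hash and `doCheck = false`; that text will go stale and the bare `# FIXME` no longer says what is still wrong. I would delete the commented block (git history keeps it) and make the marker specific, for instance `# FIXME: confirm the nixpkgs kanidm build carries the OAuth/admin-password provisioning patches the comment above refers to`. The enclosing `services.kanidm` attribute set starts before this hunk.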
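Review bot: Commenting out `adminPasswordFile` and `idmAdminPasswordFile` stops the previous practice of writing the admin passwords into the world-readable Nix store via `pkgs.writeText`, which is the right direction, but as far as this hunk shows no admin password is provisioned any more and the `# FIXME read randomly generated password from ?` stays unanswered; if `provisionAdminPassword` / `provisionIdmAdminPassword` (defined outside the hunk) are still computed, they are now unused. When these options come back they should point at a root-only file outside `/nix/store` rather than at a `pkgs.writeText` derivation, and the commented lines should be replaced by a comment saying so, e.g. `# admin/idm_admin passwords must come from a 0600 file outside the Nix store, never pkgs.writeText`.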
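Review bot: The added path `["service", "kanidm"]` does not match the `services` spelling used by the other entries in this repository (`["services"]` and `["systemd", "services", "kanidm"]` in sp-modules/auth/config-paths-needed.json), and the option the roundcube module now writes is `services.kanidm.provision`; unless `service` is a deliberately distinct key in this schema, it looks like a typo that would silently fail to grant the intended config path. Suggested line: `["services", "kanidm"],`.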
@@ -59,38 +59,26 @@ in description = "Roundcube service slice"; }; }; - services.kanidm.serverSettings.provision.systems.oauth2.roundcube = - lib.mkIf auth-module.enable { - displayName = "Roundcube"; - originUrl = "https://${cfg.subdomain}.${domain}/"; - originLanding = "https://${cfg.subdomain}.${domain}/"; - basicSecretFile = pkgs.writeText "bs-roundcube" "VERYSTRONGSECRETFORROUNDCUBE"; # FIXME - preferShortUsername = false; - allowInsecureClientDisablePkce = true; # FIXME is it required? - scopeMaps.roundcube_users = [ - "email" - "openid" - "profile" - # "dovecotprofile" - # "groups" - ]; - }; - services.kanidm.provision.systems.oauth2.roundcube = - lib.mkIf auth-module.enable { - displayName = "Roundcube"; - originUrl = "https://${cfg.subdomain}.${domain}/"; - originLanding = "https://${cfg.subdomain}.${domain}/"; - basicSecretFile = pkgs.writeText "bs-roundcube" "VERYSTRONGSECRETFORROUNDCUBE"; - # when true, name is passed to a service instead of name@domain - preferShortUsername = false; - allowInsecureClientDisablePkce = true; # FIXME is it needed? - scopeMaps.roundcube_users = [ - "email" - # "groups" - "profile" - "openid" - # "dovecotprofile" - ]; - }; + + services.kanidm.provision = lib.mkIf auth-module.enable { + groups.roundcube_users.present = true; + systems.oauth2.roundcube = + { + displayName = "Roundcube"; + originUrl = "https://${cfg.subdomain}.${domain}/"; + originLanding = "https://${cfg.subdomain}.${domain}/"; + basicSecretFile = pkgs.writeText "bs-roundcube" "VERYSTRONGSECRETFORROUNDCUBE"; + # when true, name is passed to a service instead of name@domain + preferShortUsername = false; + allowInsecureClientDisablePkce = true; # FIXME is it needed? + scopeMaps.roundcube_users = [ + "email" + # "groups" + "profile" + "openid" + # "dovecotprofile" + ]; + }; + }; }; }
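Review bot: `basicSecretFile = pkgs.writeText "bs-roundcube" "VERYSTRONGSECRETFORROUNDCUBE";` ships a fixed, hard-coded OAuth2 client secret into the world-readable Nix store, so any local user (and anyone with this repository) can read it and it is identical on every deployment; the merge also dropped the `# FIXME` that the removed `serverSettings` variant carried on this line. The option already takes a file path, so the secret should be generated per host and kept in a root-readable file outside `/nix/store`; until that exists at least restore the marker, e.g. `basicSecretFile = pkgs.writeText "bs-roundcube" "VERYSTRONGSECRETFORROUNDCUBE"; # FIXME: placeholder secret in the Nix store, replace with a per-host file outside the store`. `allowInsecureClientDisablePkce = true; # FIXME is it needed?` also survives the merge; if the Roundcube OAuth client supports PKCE this should be removed, since disabling it weakens the authorization-code flow. The enclosing attribute set starts before this hunk.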