kanidm 1.4.0

2024-11-23 12:01:27 +00:00 · 2024-11-05 23:02:01 +04:00 · 2024-11-05 23:02:01 +04:00 · 8ec86f35a1
parent 8f82a4c574
commit 8ec86f35a1
5 changed files with 56 additions and 55 deletions
--- a/sp-modules/auth/config-paths-needed.json
+++ b/sp-modules/auth/config-paths-needed.json
@ -3,5 +3,6 @@
  ["security", "acme", "certs"],
  ["selfprivacy", "domain"],
  ["selfprivacy", "modules"],
-  ["services"]
+  ["services"],
+  ["systemd", "services", "kanidm"]
 ]
--- a/sp-modules/auth/flake.nix
+++ b/sp-modules/auth/flake.nix
@ -1,13 +1,24 @@
 {
  description = "User authentication and authorization module";

-  # TODO remove when working Kanidm lands in nixpkgs and Hydra
-  inputs.nixpkgs-unstable.url = github:alexoundos/nixpkgs/b84444cbd57e934312f6a03d2d783ed0b7f94957;
+  # TODO remove when Kanidm provisioning without groups assertion lands in NixOS
+  inputs.nixos-unstable.url = github:alexoundos/nixpkgs/679fd3fd318ce2d57d0cabfbd7f4b8857d78ae95;
+  # inputs.nixos-unstable.url = git+file:/data/nixpkgs?ref=kanidm-1.4.0&rev=3feae1d8a2681b57c07d3a212a083988da6b96d2;

-  outputs = { self, nixpkgs-unstable }: {
+  outputs = { self, nixos-unstable }: {
    overlays.default = _final: prev: {
-      inherit (nixpkgs-unstable.legacyPackages.${prev.system})
-        kanidm kanidm-provision oauth2-proxy;
+      inherit (nixos-unstable.legacyPackages.${prev.system})
+        kanidm oauth2-proxy;
+      kanidm-provision =
+        nixos-unstable.legacyPackages.${prev.system}.kanidm-provision.overrideAttrs (_: {
+          # version = "git";
+          # src = prev.fetchFromGitHub {
+          #   owner = "oddlama";
+          #   repo = "kanidm-provision";
+          #   rev = "d1f55c9247a6b25d30bbe90a74307aaac6306db4";
+          #   hash = "sha256-cZ3QbowmWX7j1eJRiUP52ao28xZzC96OdZukdWDHfFI=";
+          # };
+        });
    };

    nixosModules.default = { ... }: {
@ -17,11 +28,11 @@
        "services/security/oauth2-proxy-nginx.nix"
      ];
      imports = [
-        (nixpkgs-unstable.legacyPackages.x86_64-linux.path
+        (nixos-unstable.legacyPackages.x86_64-linux.path
          + /nixos/modules/services/security/kanidm.nix)
-        (nixpkgs-unstable.legacyPackages.x86_64-linux.path
+        (nixos-unstable.legacyPackages.x86_64-linux.path
          + /nixos/modules/services/security/oauth2-proxy.nix)
-        (nixpkgs-unstable.legacyPackages.x86_64-linux.path
+        (nixos-unstable.legacyPackages.x86_64-linux.path
          + /nixos/modules/services/security/oauth2-proxy-nginx.nix)
        ./module.nix
      ];
--- a/sp-modules/auth/module.nix
+++ b/sp-modules/auth/module.nix
@ -53,18 +53,18 @@ in
      enableServer = true;

      # kanidm with Rust code patches for OAuth and admin passwords provisioning
-      # package = pkgs.kanidm.withSecretProvisioning;
+      package = pkgs.kanidm.withSecretProvisioning;
      # FIXME
-      package = pkgs.kanidm.withSecretProvisioning.overrideAttrs (_: {
-        version = "git";
-        src = pkgs.fetchFromGitHub {
-          owner = "AleXoundOS";
-          repo = "kanidm";
-          rev = "a1a55f2e53facbfa504c7d64c44c3b5d0eb796c2";
-          hash = "sha256-ADh4Zwn6EMt4CiOrvgG0RbmNMeR5i0ilVTxF46t/wm8=";
-        };
-        doCheck = false;
-      });
+      # package = pkgs.kanidm.withSecretProvisioning.overrideAttrs (_: {
+      #   version = "git";
+      #   src = pkgs.fetchFromGitHub {
+      #     owner = "AleXoundOS";
+      #     repo = "kanidm";
+      #     rev = "a1a55f2e53facbfa504c7d64c44c3b5d0eb796c2";
+      #     hash = "sha256-ADh4Zwn6EMt4CiOrvgG0RbmNMeR5i0ilVTxF46t/wm8=";
+      #   };
+      #   doCheck = false;
+      # });

      serverSettings = {
        inherit domain;
@ -93,8 +93,8 @@ in
        autoRemove = false;

        # FIXME read randomly generated password from ?
-        adminPasswordFile = pkgs.writeText "admin-pw" provisionAdminPassword;
-        idmAdminPasswordFile = pkgs.writeText "idm-admin-pw" provisionIdmAdminPassword;
+        # adminPasswordFile = pkgs.writeText "admin-pw" provisionAdminPassword;
+        # idmAdminPasswordFile = pkgs.writeText "idm-admin-pw" provisionIdmAdminPassword;
      };
      enableClient = true;
      clientSettings = {
--- a/sp-modules/roundcube/config-paths-needed.json
+++ b/sp-modules/roundcube/config-paths-needed.json
@ -2,5 +2,6 @@
  ["selfprivacy", "domain"],
  ["selfprivacy", "modules", "roundcube"],
  ["selfprivacy", "modules", "auth"],
+  ["service", "kanidm"],
  ["mailserver", "fqdn"]
 ]
--- a/sp-modules/roundcube/module.nix
+++ b/sp-modules/roundcube/module.nix
@ -59,24 +59,11 @@ in
        description = "Roundcube service slice";
      };
    };
-    services.kanidm.serverSettings.provision.systems.oauth2.roundcube =
-      lib.mkIf auth-module.enable {
-        displayName = "Roundcube";
-        originUrl = "https://${cfg.subdomain}.${domain}/";
-        originLanding = "https://${cfg.subdomain}.${domain}/";
-        basicSecretFile = pkgs.writeText "bs-roundcube" "VERYSTRONGSECRETFORROUNDCUBE"; # FIXME
-        preferShortUsername = false;
-        allowInsecureClientDisablePkce = true; # FIXME is it required?
-        scopeMaps.roundcube_users = [
-          "email"
-          "openid"
-          "profile"
-          # "dovecotprofile"
-          # "groups"
-        ];
-      };
-    services.kanidm.provision.systems.oauth2.roundcube =
-      lib.mkIf auth-module.enable {
+
+    services.kanidm.provision = lib.mkIf auth-module.enable {
+      groups.roundcube_users.present = true;
+      systems.oauth2.roundcube =
+        {
          displayName = "Roundcube";
          originUrl = "https://${cfg.subdomain}.${domain}/";
          originLanding = "https://${cfg.subdomain}.${domain}/";
@ -93,4 +80,5 @@ in
          ];
        };
    };
+  };
 }