From 14e8cf359d39d5fec7a39088c661f8dec5ac78c6 Mon Sep 17 00:00:00 2001 From: nhnn Date: Thu, 22 May 2025 16:50:34 +0300 Subject: [PATCH] fix: various kanidm, jitsi and general fixes --- auth/auth-module.nix | 2 +- auth/auth.nix | 4 +- configuration.nix | 2 +- flake.lock | 43 ++++++------------- flake.nix | 15 +------ sp-modules/{vikunja => jitsi-meet}/flake.lock | 12 +++--- sp-modules/jitsi-meet/flake.nix | 6 ++- sp-modules/jitsi-meet/module.nix | 14 +++--- .../simple-nixos-mailserver/auth-dovecot.nix | 2 +- .../config-paths-needed.json | 3 +- sp-modules/vikunja/flake.nix | 8 +--- sp-modules/vikunja/module.nix | 4 +- 12 files changed, 44 insertions(+), 71 deletions(-) rename sp-modules/{vikunja => jitsi-meet}/flake.lock (54%) diff --git a/auth/auth-module.nix b/auth/auth-module.nix index 22a502f..a7c11e1 100644 --- a/auth/auth-module.nix +++ b/auth/auth-module.nix @@ -38,7 +38,7 @@ let pkgs.writeShellScript "${oauthClientID}-kanidm-ExecStartPost-script.sh" ( '' export HOME=$RUNTIME_DIRECTORY/client_home - readonly KANIDM="${pkgs.kanidm}/bin/kanidm" + readonly KANIDM="${config.services.kanidm.package}/bin/kanidm" # try to get existing Kanidm service account KANIDM_SERVICE_ACCOUNT="$($KANIDM service-account list --name idm_admin | grep -E "^name: ${kanidmServiceAccountName}$")" diff --git a/auth/auth.nix b/auth/auth.nix index 09f1a22..a892b60 100644 --- a/auth/auth.nix +++ b/auth/auth.nix @@ -62,7 +62,7 @@ lib.mkIf config.selfprivacy.sso.enable { enableServer = true; # kanidm with Rust code patches for OAuth and admin passwords provisioning - package = pkgs.kanidm.withSecretProvisioning; + package = pkgs.kanidm_1_5.withSecretProvisioning; serverSettings = { inherit domain; 
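Review bot: The new `readonly KANIDM="${config.services.kanidm.package}/bin/kanidm"` keeps the client binary in step with the configured server package, but only if `config` in this file is the host NixOS configuration rather than a module-local argument; the hunk does not show the file's parameter set, so that should be confirmed. The same substitution is made in the sp-modules/simple-nixos-mailserver/auth-dovecot.nix hunk and the same caveat applies there. In both scripts the service-account name is still interpolated unescaped into `grep -E "^name: …$"`; since an exact line match is what is wanted, `grep -Fx "name: ${kanidmServiceAccountName}"` says so without regex metacharacters in the name changing what matches. The shell script continues outside the hunk.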
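Review bot: `package = pkgs.kanidm_1_5.withSecretProvisioning;` pins the server to the 1.5 series while the ExecStartPre condition further down in the same file is relaxed to `versionAtLeast … "1.5.0"`, and nothing in the hunk records why 1.5 in particular is required or when the pin should be revisited. Suggest extending the existing comment to something like `# kanidm 1.5.x with Rust code patches for OAuth and admin passwords provisioning; pinned to kanidm_1_5 because the patches target that series — re-check on the next nixpkgs bump`. Whether the patches are what ties this to 1.5 is inferred from the pin, so adjust the wording to the real reason.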
@@ -158,7 +158,7 @@ lib.mkIf config.selfprivacy.sso.enable { systemd.services.kanidm.serviceConfig.ExecStartPre = # idempotent script to run on each startup only for kanidm v1.5.0 - lib.mkIf (pkgs.kanidm.version == "1.5.0") (lib.mkBefore [ kanidmMigrateDbScript ]); + lib.mkIf (lib.versionAtLeast config.services.kanidm.package.version "1.5.0") (lib.mkBefore [ kanidmMigrateDbScript ]); selfprivacy.passthru.auth = { inherit diff --git a/configuration.nix b/configuration.nix index d8f2743..b7113fb 100644 --- a/configuration.nix +++ b/configuration.nix @@ -233,7 +233,7 @@ in environment.memoryAllocator.provider = "libc"; # Scudo has problems with PHP, which may cause PHP to segfault... security.sudo.enable = false; - + boot.kernel.sysctl = { "net.ipv4.ip_forward" = 1; # TODO why is it here by default, for VPN only? "kernel.core_pattern" = "|${pkgs.coreutils}/bin/false"; # Ignore coredumps diff --git a/flake.lock b/flake.lock index c37d755..49ca055 100644 --- a/flake.lock +++ b/flake.lock 
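Review bot: The comment above the changed line still says the migration script runs only for kanidm v1.5.0, but the new condition `lib.versionAtLeast config.services.kanidm.package.version "1.5.0"` holds for 1.5.0 and every later release, so with the package pinned to `kanidm_1_5` elsewhere in this patch it now runs unconditionally. If the script is only needed for the 1.5 series, `lib.versionOlder config.services.kanidm.package.version "1.6.0"` could be added to the condition; otherwise update the comment to `# idempotent script to run on each startup for kanidm >= 1.5.0`. As written, the comment and the condition disagree.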
@@ -1,39 +1,23 @@ { "nodes": { - "nixos-unstable": { - "locked": { - "lastModified": 1745930157, - "narHash": "sha256-y3h3NLnzRSiUkYpnfvnS669zWZLoqqI6NprtLQ+5dck=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "46e634be05ce9dc6d4db8e664515ba10b78151ae", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, "nixpkgs": { "locked": { - "lastModified": 1746055187, - "narHash": "sha256-3dqArYSMP9hM7Qpy5YWhnSjiqniSaT2uc5h2Po7tmg0=", - "owner": "nixos", + "lastModified": 1747676747, + "narHash": "sha256-LXkWBVqilgx7Pohwqu/ABxDVw+Cmi5/Mj2S2mpUH0Fw=", + "owner": "NixOS", "repo": "nixpkgs", - "rev": "3e362ce63e16b9572d8c2297c04f7c19ab6725a5", + "rev": "72841a4a8761d1aed92ef6169a636872c986c76d", "type": "github" }, "original": { - "owner": "nixos", + "owner": "NixOS", + "ref": "nixos-24.11", "repo": "nixpkgs", "type": "github" } }, "root": { "inputs": { - "nixos-unstable": "nixos-unstable", "nixpkgs": "nixpkgs", "selfprivacy-api": "selfprivacy-api" } @@ -45,17 +29,18 @@ ] }, "locked": { - "lastModified": 1746195080, - "narHash": "sha256-WIqCd8unsDW8QboNMVrqtsXYbsL2BF9L4uJ7DfmAsGo=", - "ref": "inex/nixos-24.11", - "rev": "8146a556fbac2180e009916ac2b459c5a5040574", - "revCount": 1776, + "lastModified": 1747923731, + "narHash": "sha256-vh1VdbWVq85ZTOTb5snYCwnWG21pdt1Wn6CW9QTSuQE=", + "ref": "nhnn/nixos-25.05", + "rev": "7e3526547923215a068fb7d9c2e81f8b9631a60c", + "revCount": 1777, "type": "git", - "url": "https://git.selfprivacy.org/SelfPrivacy/selfprivacy-rest-api.git" + "url": "https://git.selfprivacy.org/nhnn/selfprivacy-rest-api.git" }, "original": { + "ref": "nhnn/nixos-25.05", "type": "git", - "url": "https://git.selfprivacy.org/SelfPrivacy/selfprivacy-rest-api.git" + "url": "https://git.selfprivacy.org/nhnn/selfprivacy-rest-api.git" } } }, diff --git a/flake.nix b/flake.nix index 058dc05..a954ea8 100644 --- a/flake.nix +++ b/flake.nix 
@@ -2,10 +2,9 @@ description = "SelfPrivacy NixOS configuration flake"; inputs = { - nixpkgs.url = "github:nixos/nixpkgs"; - nixos-unstable.url = "github:nixos/nixpkgs/nixos-unstable"; + nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11"; - selfprivacy-api.url = "git+https://git.selfprivacy.org/SelfPrivacy/selfprivacy-rest-api.git"; + selfprivacy-api.url = "git+https://git.selfprivacy.org/nhnn/selfprivacy-rest-api.git?ref=nhnn/nixos-25.05"; # make selfprivacy-api use the same shared nixpkgs selfprivacy-api.inputs.nixpkgs.follows = "nixpkgs"; }; @@ -14,7 +13,6 @@ { self, nixpkgs, - nixos-unstable, selfprivacy-api, }: { @@ -35,15 +33,6 @@ ./configuration.nix ./auth/auth.nix { - nixpkgs.overlays = [ - (_final: prev: { - inherit (nixos-unstable.legacyPackages.${prev.system}) - kanidm - kanidm-provision - ; - selfprivacy_nix_2_26 = nixos-unstable.legacyPackages.${prev.system}.nixVersions.nix_2_26; - }) - ]; disabledModules = [ "services/security/kanidm.nix" ]; imports = [ ./auth/kanidm.nix ]; } diff --git a/sp-modules/vikunja/flake.lock b/sp-modules/jitsi-meet/flake.lock similarity index 54% rename from sp-modules/vikunja/flake.lock rename to sp-modules/jitsi-meet/flake.lock index c48dced..9d67303 100644 --- a/sp-modules/vikunja/flake.lock +++ b/sp-modules/jitsi-meet/flake.lock @@ -1,24 +1,24 @@ { "nodes": { - "nixpkgs-24-11": { + "nixpkgs-2405": { "locked": { - "lastModified": 1744440957, - "narHash": "sha256-FHlSkNqFmPxPJvy+6fNLaNeWnF1lZSgqVCl/eWaJRc4=", + "lastModified": 1735563628, + "narHash": "sha256-OnSAY7XDSx7CtDoqNh8jwVwh4xNL/2HaJxGjryLWzX8=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "26d499fc9f1d567283d5d56fcf367edd815dba1d", + "rev": "b134951a4c9f3c995fd7be05f3243f8ecd65d798", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-24.11", + "ref": "nixos-24.05", "repo": "nixpkgs", "type": "github" } }, "root": { "inputs": { - "nixpkgs-24-11": "nixpkgs-24-11" + "nixpkgs-2405": "nixpkgs-2405" } } }, 
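Review bot: `selfprivacy-api.url` now points at a personal fork branch (`git+https://git.selfprivacy.org/nhnn/selfprivacy-rest-api.git?ref=nhnn/nixos-25.05`) instead of the SelfPrivacy organisation repository, which changes who controls the source this flake builds its API from; the lock's `narHash` pins the current content, but `nix flake update` will follow whatever that branch points to next. If this is a stopgap, a comment next to the input makes it visible: `# TEMPORARY: personal fork until nhnn/nixos-25.05 is merged upstream — switch back to SelfPrivacy/selfprivacy-rest-api`. The branch name also says 25.05 while `nixpkgs.url` is pinned to `nixos-24.11`, which deserves a word of explanation in the same comment.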
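Review bot: Removing the overlay also drops the `selfprivacy_nix_2_26` attribute it defined, and no other hunk in this patch touches a consumer of it, so if `pkgs.selfprivacy_nix_2_26` is referenced anywhere else in the configuration (not visible here) evaluation will now fail with an undefined attribute. Worth grepping the tree before merging; the kanidm and kanidm-provision side appears to be covered by the `kanidm_1_5` pin in auth/auth.nix, but kanidm-provision is not mentioned anywhere else in the diff. The enclosing module attribute set continues outside the hunk.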
diff --git a/sp-modules/jitsi-meet/flake.nix b/sp-modules/jitsi-meet/flake.nix index d4c7d76..c057a7f 100644 --- a/sp-modules/jitsi-meet/flake.nix +++ b/sp-modules/jitsi-meet/flake.nix @@ -1,10 +1,12 @@ { description = "PoC SP module for Jitsi Meet video conferences server"; + inputs.nixpkgs-2405.url = "github:NixOS/nixpkgs/nixos-24.05"; + outputs = - { self }: + { self, nixpkgs-2405 }: { - nixosModules.default = import ./module.nix; + nixosModules.default = import ./module.nix nixpkgs-2405.legacyPackages.x86_64-linux; configPathsNeeded = builtins.fromJSON (builtins.readFile ./config-paths-needed.json); meta = { lib, ... }: diff --git a/sp-modules/jitsi-meet/module.nix b/sp-modules/jitsi-meet/module.nix index 6f9a5bb..ed4bfc5 100644 --- a/sp-modules/jitsi-meet/module.nix +++ b/sp-modules/jitsi-meet/module.nix @@ -1,4 +1,4 @@ -{ config, lib, ... }: +oldPkgs: { config, lib, ... }: let domain = config.selfprivacy.domain; cfg = config.selfprivacy.modules.jitsi-meet; @@ -46,13 +46,13 @@ in config = lib.mkIf cfg.enable { nixpkgs.overlays = [ - (_: prev: { - # We disable E2E for clients below - jitsi-meet = prev.jitsi-meet.overrideAttrs (old: { - meta = old.meta // { - knownVulnerabilities = [ ]; - }; + (final: prev: { + jicofo = oldPkgs.jicofo; + jitsi-meet = oldPkgs.jitsi-meet.overrideAttrs (old: { + meta = old.meta // { knownVulnerabilities = [ ]; }; }); + jitsi-videobridge = oldPkgs.jitsi-videobridge; + jitsi-meet-prosody = oldPkgs.jitsi-meet-prosody; }) ]; diff --git a/sp-modules/simple-nixos-mailserver/auth-dovecot.nix b/sp-modules/simple-nixos-mailserver/auth-dovecot.nix index 5c1a8e0..34b8f47 100644 --- a/sp-modules/simple-nixos-mailserver/auth-dovecot.nix +++ b/sp-modules/simple-nixos-mailserver/auth-dovecot.nix 
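Review bot: `import ./module.nix nixpkgs-2405.legacyPackages.x86_64-linux` hard-codes the architecture, so on any other host platform the Jitsi packages would be taken from the wrong package set; the same pattern is being removed from sp-modules/vikunja/flake.nix in this very patch. Passing the flake input instead of a pre-selected package set lets the module pick the set for the actual system: `nixosModules.default = import ./module.nix nixpkgs-2405;` here and `oldPkgs = nixpkgs-2405.legacyPackages.${pkgs.stdenv.hostPlatform.system};` inside module.nix (assuming `pkgs` is added to that module's arguments). The surrounding `outputs` attribute set continues outside the hunk.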
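Review bot: `oldPkgs: { config, lib, ... }:` introduces a positional argument whose origin and purpose are only discoverable by reading flake.nix. A one-line comment above it would save the next reader that trip: `# oldPkgs: the nixos-24.05 package set passed in by flake.nix, used to pin the Jitsi stack`. The `let` block continues outside the hunk.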
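Review bot: The overlay now takes jicofo, jitsi-videobridge, jitsi-meet-prosody and jitsi-meet from the nixos-24.05 package set and, for jitsi-meet, still clears `knownVulnerabilities = [ ];`, but the comment that justified that (`# We disable E2E for clients below`) is removed, so the override now silences nixpkgs' vulnerability marker with no recorded reason. nixos-24.05 is no longer a maintained release, so these four packages will not receive further fixes from that branch; that trade-off belongs next to the override, e.g. `# Jitsi stack pinned to nixos-24.05 (unmaintained) because …; knownVulnerabilities cleared since E2E is disabled for clients below — re-evaluate on upgrade`. `final` is also unused in the overlay; the previous `_` spelling made that explicit, so `_final: prev:` would keep that convention.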
@@ -25,7 +25,7 @@ let # create service account token, needed for LDAP kanidmExecStartPostScript = pkgs.writeShellScript "mailserver-kanidm-ExecStartPost-script.sh" '' export HOME=$RUNTIME_DIRECTORY/client_home - readonly KANIDM="${pkgs.kanidm}/bin/kanidm" + readonly KANIDM="${config.services.kanidm.package}/bin/kanidm" # get Kanidm service account for mailserver KANIDM_SERVICE_ACCOUNT="$($KANIDM service-account list --name idm_admin | grep -E "^name: ${mailserver-service-account-name}$")" diff --git a/sp-modules/simple-nixos-mailserver/config-paths-needed.json b/sp-modules/simple-nixos-mailserver/config-paths-needed.json index e8ed883..af11220 100644 --- a/sp-modules/simple-nixos-mailserver/config-paths-needed.json +++ b/sp-modules/simple-nixos-mailserver/config-paths-needed.json @@ -30,5 +30,6 @@ [ "services", "redis", "servers", "rspamd", "bind" ], [ "services", "redis", "servers", "rspamd", "port" ], [ "services", "redis", "servers", "rspamd", "requirePass" ], - [ "services", "rspamd" ] + [ "services", "rspamd" ], + [ "services", "kanidm", "package" ] ] diff --git a/sp-modules/vikunja/flake.nix b/sp-modules/vikunja/flake.nix index f2649be..b239c6c 100644 --- a/sp-modules/vikunja/flake.nix +++ b/sp-modules/vikunja/flake.nix @@ -1,14 +1,10 @@ { description = "PoC SP module for Vikunja service"; - inputs = { - nixpkgs-24-11.url = "github:NixOS/nixpkgs/nixos-24.11"; - }; - outputs = - { nixpkgs-24-11, ... }: + { ... }: { - nixosModules.default = import ./module.nix nixpkgs-24-11.legacyPackages.x86_64-linux; + nixosModules.default = import ./module.nix; configPathsNeeded = builtins.fromJSON (builtins.readFile ./config-paths-needed.json); meta = { lib, ... }: diff --git a/sp-modules/vikunja/module.nix b/sp-modules/vikunja/module.nix index 0539cba..b37ff8c 100644 --- a/sp-modules/vikunja/module.nix +++ b/sp-modules/vikunja/module.nix @@ -1,7 +1,7 @@ -latestPkgs: { config, lib, + pkgs, ... }: let 
@@ -17,7 +17,7 @@ let oauthClientSecretFP = auth-passthru.mkOAuth2ClientSecretFP oauthClientID; - vikunjaPackage = latestPkgs.vikunja.overrideAttrs (old: { + vikunjaPackage = pkgs.vikunja.overrideAttrs (old: { doCheck = false; # Tests are slow. patches = (old.patches or [ ]) ++ [ ./load-client-secret-from-env.patch