fix: various kanidm, jitsi and general fixes

2025-05-22 16:50:34 +03:00
parent eb29949a03
commit 14e8cf359d
12 changed files with 44 additions and 71 deletions
--- a/auth/auth-module.nix
+++ b/auth/auth-module.nix
@@ -38,7 +38,7 @@ let
    pkgs.writeShellScript "${oauthClientID}-kanidm-ExecStartPost-script.sh" (
      ''
        export HOME=$RUNTIME_DIRECTORY/client_home
-        readonly KANIDM="${pkgs.kanidm}/bin/kanidm"
+        readonly KANIDM="${config.services.kanidm.package}/bin/kanidm"
        # try to get existing Kanidm service account
        KANIDM_SERVICE_ACCOUNT="$($KANIDM service-account list --name idm_admin | grep -E "^name: ${kanidmServiceAccountName}$")"
--- a/auth/auth.nix
+++ b/auth/auth.nix
@@ -62,7 +62,7 @@ lib.mkIf config.selfprivacy.sso.enable {
    enableServer = true;
    # kanidm with Rust code patches for OAuth and admin passwords provisioning
-    package = pkgs.kanidm.withSecretProvisioning;
+    package = pkgs.kanidm_1_5.withSecretProvisioning;
    serverSettings = {
      inherit domain;
@@ -158,7 +158,7 @@ lib.mkIf config.selfprivacy.sso.enable {
  systemd.services.kanidm.serviceConfig.ExecStartPre =
    # idempotent script to run on each startup only for kanidm v1.5.0
-    lib.mkIf (pkgs.kanidm.version == "1.5.0") (lib.mkBefore [ kanidmMigrateDbScript ]);
+    lib.mkIf (lib.versionAtLeast config.services.kanidm.package.version "1.5.0") (lib.mkBefore [ kanidmMigrateDbScript ]);
  selfprivacy.passthru.auth = {
    inherit
--- a/configuration.nix
+++ b/configuration.nix
@@ -233,7 +233,7 @@ in
  environment.memoryAllocator.provider = "libc"; # Scudo has problems with PHP, which may cause PHP to segfault...
  security.sudo.enable = false;
-  
+
  boot.kernel.sysctl = {
    "net.ipv4.ip_forward" = 1; # TODO why is it here by default, for VPN only?
    "kernel.core_pattern" = "|${pkgs.coreutils}/bin/false"; # Ignore coredumps
--- a/flake.lock
+++ b/flake.lock
@@ -1,39 +1,23 @@
 {
  "nodes": {
    "nixos-unstable": {
      "locked": {
        "lastModified": 1745930157,
        "narHash": "sha256-y3h3NLnzRSiUkYpnfvnS669zWZLoqqI6NprtLQ+5dck=",
        "owner": "nixos",
        "repo": "nixpkgs",
        "rev": "46e634be05ce9dc6d4db8e664515ba10b78151ae",
        "type": "github"
      },
      "original": {
        "owner": "nixos",
        "ref": "nixos-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1746055187,
+        "lastModified": 1747676747,
-        "narHash": "sha256-3dqArYSMP9hM7Qpy5YWhnSjiqniSaT2uc5h2Po7tmg0=",
+        "narHash": "sha256-LXkWBVqilgx7Pohwqu/ABxDVw+Cmi5/Mj2S2mpUH0Fw=",
-        "owner": "nixos",
+        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "3e362ce63e16b9572d8c2297c04f7c19ab6725a5",
+        "rev": "72841a4a8761d1aed92ef6169a636872c986c76d",
        "type": "github"
      },
      "original": {
-        "owner": "nixos",
+        "owner": "NixOS",
        "ref": "nixos-24.11",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "root": {
      "inputs": {
        "nixos-unstable": "nixos-unstable",
        "nixpkgs": "nixpkgs",
        "selfprivacy-api": "selfprivacy-api"
      }
@@ -45,17 +29,18 @@
        ]
      },
      "locked": {
-        "lastModified": 1746195080,
+        "lastModified": 1747923731,
-        "narHash": "sha256-WIqCd8unsDW8QboNMVrqtsXYbsL2BF9L4uJ7DfmAsGo=",
+        "narHash": "sha256-vh1VdbWVq85ZTOTb5snYCwnWG21pdt1Wn6CW9QTSuQE=",
-        "ref": "inex/nixos-24.11",
+        "ref": "nhnn/nixos-25.05",
-        "rev": "8146a556fbac2180e009916ac2b459c5a5040574",
+        "rev": "7e3526547923215a068fb7d9c2e81f8b9631a60c",
-        "revCount": 1776,
+        "revCount": 1777,
        "type": "git",
-        "url": "https://git.selfprivacy.org/SelfPrivacy/selfprivacy-rest-api.git"
+        "url": "https://git.selfprivacy.org/nhnn/selfprivacy-rest-api.git"
      },
      "original": {
        "ref": "nhnn/nixos-25.05",
        "type": "git",
-        "url": "https://git.selfprivacy.org/SelfPrivacy/selfprivacy-rest-api.git"
+        "url": "https://git.selfprivacy.org/nhnn/selfprivacy-rest-api.git"
      }
    }
  },
--- a/flake.nix
+++ b/flake.nix
@@ -2,10 +2,9 @@
  description = "SelfPrivacy NixOS configuration flake";
  inputs = {
-    nixpkgs.url = "github:nixos/nixpkgs";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
    nixos-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
-    selfprivacy-api.url = "git+https://git.selfprivacy.org/SelfPrivacy/selfprivacy-rest-api.git";
+    selfprivacy-api.url = "git+https://git.selfprivacy.org/nhnn/selfprivacy-rest-api.git?ref=nhnn/nixos-25.05";
    # make selfprivacy-api use the same shared nixpkgs
    selfprivacy-api.inputs.nixpkgs.follows = "nixpkgs";
  };
@@ -14,7 +13,6 @@
    {
      self,
      nixpkgs,
      nixos-unstable,
      selfprivacy-api,
    }:
    {
@@ -35,15 +33,6 @@
                ./configuration.nix
                ./auth/auth.nix
                {
                  nixpkgs.overlays = [
                    (_final: prev: {
                      inherit (nixos-unstable.legacyPackages.${prev.system})
                        kanidm
                        kanidm-provision
                        ;
                      selfprivacy_nix_2_26 = nixos-unstable.legacyPackages.${prev.system}.nixVersions.nix_2_26;
                    })
                  ];
                  disabledModules = [ "services/security/kanidm.nix" ];
                  imports = [ ./auth/kanidm.nix ];
                }
--- a/sp-modules/jitsi-meet/flake.lock
+++ b/sp-modules/jitsi-meet/flake.lock
@@ -1,24 +1,24 @@
 {
  "nodes": {
-    "nixpkgs-24-11": {
+    "nixpkgs-2405": {
      "locked": {
-        "lastModified": 1744440957,
+        "lastModified": 1735563628,
-        "narHash": "sha256-FHlSkNqFmPxPJvy+6fNLaNeWnF1lZSgqVCl/eWaJRc4=",
+        "narHash": "sha256-OnSAY7XDSx7CtDoqNh8jwVwh4xNL/2HaJxGjryLWzX8=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "26d499fc9f1d567283d5d56fcf367edd815dba1d",
+        "rev": "b134951a4c9f3c995fd7be05f3243f8ecd65d798",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
-        "ref": "nixos-24.11",
+        "ref": "nixos-24.05",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "root": {
      "inputs": {
-        "nixpkgs-24-11": "nixpkgs-24-11"
+        "nixpkgs-2405": "nixpkgs-2405"
      }
    }
  },
--- a/sp-modules/jitsi-meet/flake.nix
+++ b/sp-modules/jitsi-meet/flake.nix
@@ -1,10 +1,12 @@
 {
  description = "PoC SP module for Jitsi Meet video conferences server";
  inputs.nixpkgs-2405.url = "github:NixOS/nixpkgs/nixos-24.05";
  outputs =
-    { self }:
+    { self, nixpkgs-2405 }:
    {
-      nixosModules.default = import ./module.nix;
+      nixosModules.default = import ./module.nix nixpkgs-2405.legacyPackages.x86_64-linux;
      configPathsNeeded = builtins.fromJSON (builtins.readFile ./config-paths-needed.json);
      meta =
        { lib, ... }:
--- a/sp-modules/jitsi-meet/module.nix
+++ b/sp-modules/jitsi-meet/module.nix
@@ -1,4 +1,4 @@
-{ config, lib, ... }:
+oldPkgs: { config, lib, ... }:
 let
  domain = config.selfprivacy.domain;
  cfg = config.selfprivacy.modules.jitsi-meet;
@@ -46,13 +46,13 @@ in
  config = lib.mkIf cfg.enable {
    nixpkgs.overlays = [
-      (_: prev: {
+      (final: prev: {
-        # We disable E2E for clients below
+        jicofo = oldPkgs.jicofo;
-        jitsi-meet = prev.jitsi-meet.overrideAttrs (old: {
+        jitsi-meet = oldPkgs.jitsi-meet.overrideAttrs (old: {
-          meta = old.meta // {
+          meta = old.meta // { knownVulnerabilities = [ ]; };
            knownVulnerabilities = [ ];
          };
        });
        jitsi-videobridge = oldPkgs.jitsi-videobridge;
        jitsi-meet-prosody = oldPkgs.jitsi-meet-prosody;
      })
    ];
--- a/sp-modules/simple-nixos-mailserver/auth-dovecot.nix
+++ b/sp-modules/simple-nixos-mailserver/auth-dovecot.nix
@@ -25,7 +25,7 @@ let
  # create service account token, needed for LDAP
  kanidmExecStartPostScript = pkgs.writeShellScript "mailserver-kanidm-ExecStartPost-script.sh" ''
    export HOME=$RUNTIME_DIRECTORY/client_home
-    readonly KANIDM="${pkgs.kanidm}/bin/kanidm"
+    readonly KANIDM="${config.services.kanidm.package}/bin/kanidm"
    # get Kanidm service account for mailserver
    KANIDM_SERVICE_ACCOUNT="$($KANIDM service-account list --name idm_admin | grep -E "^name: ${mailserver-service-account-name}$")"
--- a/sp-modules/simple-nixos-mailserver/config-paths-needed.json
+++ b/sp-modules/simple-nixos-mailserver/config-paths-needed.json
@@ -30,5 +30,6 @@
  [ "services", "redis", "servers", "rspamd", "bind" ],
  [ "services", "redis", "servers", "rspamd", "port" ],
  [ "services", "redis", "servers", "rspamd", "requirePass" ],
-  [ "services", "rspamd" ]
+  [ "services", "rspamd" ],
  [ "services", "kanidm", "package" ]
 ]
--- a/sp-modules/vikunja/flake.nix
+++ b/sp-modules/vikunja/flake.nix
@@ -1,14 +1,10 @@
 {
  description = "PoC SP module for Vikunja service";
  inputs = {
    nixpkgs-24-11.url = "github:NixOS/nixpkgs/nixos-24.11";
  };
  outputs =
-    { nixpkgs-24-11, ... }:
+    { ... }:
    {
-      nixosModules.default = import ./module.nix nixpkgs-24-11.legacyPackages.x86_64-linux;
+      nixosModules.default = import ./module.nix;
      configPathsNeeded = builtins.fromJSON (builtins.readFile ./config-paths-needed.json);
      meta =
        { lib, ... }:
--- a/sp-modules/vikunja/module.nix
+++ b/sp-modules/vikunja/module.nix
@@ -1,7 +1,7 @@
 latestPkgs:
 {
  config,
  lib,
  pkgs,
  ...
 }:
 let
@@ -17,7 +17,7 @@ let
  oauthClientSecretFP = auth-passthru.mkOAuth2ClientSecretFP oauthClientID;
-  vikunjaPackage = latestPkgs.vikunja.overrideAttrs (old: {
+  vikunjaPackage = pkgs.vikunja.overrideAttrs (old: {
    doCheck = false; # Tests are slow.
    patches = (old.patches or [ ]) ++ [
      ./load-client-secret-from-env.patch