fix: don't create admin group if service doesn't have it

This commit is contained in:
nhnn
2025-08-29 12:25:16 +03:00
parent 5c9c4ebe27
commit 59806327d1


@@ -252,7 +252,8 @@ in
// rec { // rec {
clientID = if attrs.clientID == null then name else attrs.clientID; clientID = if attrs.clientID == null then name else attrs.clientID;
displayName = if attrs.displayName == null then clientID else attrs.displayName; displayName = if attrs.displayName == null then clientID else attrs.displayName;
adminsGroup = if attrs.adminsGroup == null then "sp.${clientID}.admins" else attrs.adminsGroup; adminsGroupDefined = attrs.adminsGroup != null;
adminsGroup = attrs.adminsGroup;
usersGroup = if attrs.usersGroup == null then "sp.${clientID}.users" else attrs.usersGroup; usersGroup = if attrs.usersGroup == null then "sp.${clientID}.users" else attrs.usersGroup;
basicSecretFile = "${keys-path}/${linuxGroupOfClient}/kanidm-oauth-client-secret"; basicSecretFile = "${keys-path}/${linuxGroupOfClient}/kanidm-oauth-client-secret";
linuxUserOfClient = if attrs.linuxUserOfClient == null then clientID else attrs.linuxUserOfClient; linuxUserOfClient = if attrs.linuxUserOfClient == null then clientID else attrs.linuxUserOfClient;
@@ -327,6 +328,7 @@ in
services.kanidm.provision = lib.mkMerge ( services.kanidm.provision = lib.mkMerge (
lib.forEach clientsAttrsList ( lib.forEach clientsAttrsList (
{ {
adminsGroupDefined,
adminsGroup, adminsGroup,
basicSecretFile, basicSecretFile,
claimMaps, claimMaps,
@@ -342,13 +344,13 @@ in
... ...
}: }:
{ {
groups = lib.mkIf (clientID != "selfprivacy-api") { groups = lib.mkIf (clientID != "selfprivacy-api") ({
"${adminsGroup}".members = [ auth-passthru.admins-group ];
"${usersGroup}".members = [ "${usersGroup}".members = [
adminsGroup
auth-passthru.full-users-group auth-passthru.full-users-group
]; ] ++ lib.optional adminsGroupDefined adminsGroup;
}; } // lib.optionalAttrs adminsGroupDefined {
"${adminsGroup}".members = [ auth-passthru.admins-group ];
});
systems.oauth2.${clientID} = { systems.oauth2.${clientID} = {
inherit inherit
basicSecretFile basicSecretFile
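Review bot: `adminsGroup` can now be null after the first hunk (`adminsGroup = attrs.adminsGroup;`), and only the two uses rewritten in the third hunk are gated on `adminsGroupDefined`; the `systems.oauth2.${clientID}` block that starts at the end of that hunk continues outside it, and any other consumer of the destructured `adminsGroup` there is not visible here, so it is worth checking that none interpolates or lists it unguarded. A comment at the definition would make the contract explicit: `# null unless the service declares one; every use must be gated on adminsGroupDefined`. The commit description could also state the behavioral change for existing deployments: services that relied on the auto-generated `sp.${clientID}.admins` group no longer get one, and if provisioning does not remove groups it stops declaring, the previously created group (with `auth-passthru.admins-group` as a member) would presumably persist on upgraded instances and need manual cleanup — worth confirming against the provisioning module.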