auth: selfprivacy.sso.useKanidm_1_4

2025-04-18 21:06:18 +04:00
parent 43c3ea06ab
commit f2e9623d7f
5 changed files with 103 additions and 16 deletions
--- a/auth/auth.nix
+++ b/auth/auth.nix
@@ -1,4 +1,4 @@
-nixos-unstable: { config, lib, pkgs, ... }:
+{ config, lib, pkgs, ... }:
 let
  domain = config.selfprivacy.domain;
  subdomain = "auth";
@@ -82,17 +82,6 @@ let
  lua_path = "${lua_core_path};${lua_lrucache_path};";
 in
 lib.mkIf config.selfprivacy.sso.enable {
-  nixpkgs.overlays = [
-    (
-      _final: prev: {
-        inherit (nixos-unstable.legacyPackages.${prev.system})
-          kanidm
-          kanidm-provision
-          ;
-      }
-    )
-  ];
-
  networking.hosts = {
    # Allow the services to communicate with kanidm even if
    # there is no DNS record yet
--- a/auth/kanidm-provision.nix
+++ b/auth/kanidm-provision.nix
@@ -0,0 +1,52 @@
+{
+  lib,
+  rustPlatform,
+  fetchFromGitHub,
+  yq,
+  versionCheckHook,
+  nix-update-script,
+  nixosTests,
+}:
+
+rustPlatform.buildRustPackage rec {
+  pname = "kanidm-provision";
+  version = "1.2.0";
+
+  src = fetchFromGitHub {
+    owner = "oddlama";
+    repo = "kanidm-provision";
+    tag = "v${version}";
+    hash = "sha256-+NQJEAJ0DqKEV1cYZN7CLzGoBJNUL3SQAMmxRQG5DMI=";
+  };
+
+  postPatch = ''
+    tomlq -ti '.package.version = "${version}"' Cargo.toml
+  '';
+
+  useFetchCargoVendor = true;
+  cargoHash = "sha256-uo/TGyfNChq/t6Dah0HhXhAwktyQk0V/wewezZuftNk=";
+
+  nativeBuildInputs = [
+    yq # for `tomlq`
+  ];
+
+  nativeInstallCheckInputs = [ versionCheckHook ];
+  versionCheckProgramArg = "--version";
+  doInstallCheck = true;
+
+  passthru = {
+    tests = { inherit (nixosTests) kanidm-provisioning; };
+    updateScript = nix-update-script { };
+  };
+
+  meta = {
+    description = "A small utility to help with kanidm provisioning";
+    homepage = "https://github.com/oddlama/kanidm-provision";
+    license = with lib.licenses; [
+      asl20
+      mit
+    ];
+    maintainers = with lib.maintainers; [ oddlama ];
+    mainProgram = "kanidm-provision";
+  };
+}
--- a/flake.lock
+++ b/flake.lock
@@ -31,10 +31,27 @@
        "type": "github"
      }
    },
+    "nixpkgs-2411": {
+      "locked": {
+        "lastModified": 1744440957,
+        "narHash": "sha256-FHlSkNqFmPxPJvy+6fNLaNeWnF1lZSgqVCl/eWaJRc4=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "26d499fc9f1d567283d5d56fcf367edd815dba1d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixos-24.11",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
    "root": {
      "inputs": {
        "nixos-unstable": "nixos-unstable",
        "nixpkgs": "nixpkgs",
+        "nixpkgs-2411": "nixpkgs-2411",
        "selfprivacy-api": "selfprivacy-api"
      }
    },
--- a/flake.nix
+++ b/flake.nix
@@ -3,6 +3,7 @@

  inputs = {
    nixpkgs.url = github:nixos/nixpkgs;
+    nixpkgs-2411.url = github:nixos/nixpkgs/f6687779bf4c396250831aa5a32cbfeb85bb07a3;
    nixos-unstable.url = github:nixos/nixpkgs/nixos-unstable;

    selfprivacy-api.url =
@@ -11,7 +12,7 @@
    selfprivacy-api.inputs.nixpkgs.follows = "nixpkgs";
  };

-  outputs = { self, nixpkgs, nixos-unstable, selfprivacy-api }: {
+  outputs = { self, nixpkgs, nixpkgs-2411, nixos-unstable, selfprivacy-api }: {
    nixosConfigurations-fun =
      { hardware-configuration
      , deployment
@@ -25,11 +26,34 @@
            hardware-configuration
            deployment
            ./configuration.nix
-            (import ./auth/auth.nix nixos-unstable)
-            {
+            ./auth/auth.nix
+            ({ config, ... }: {
+              nixpkgs.overlays = [
+                (
+                  _final: prev:
+                    let
+                      pkgs2411 =
+                        nixpkgs-2411.legacyPackages.${prev.system};
+                      pkgs-unstable =
+                        nixos-unstable.legacyPackages.${prev.system};
+                    in
+                    if config.selfprivacy.sso.useKanidm_1_4 or false
+                    then
+                      {
+                        inherit (pkgs2411) kanidm;
+                        kanidm-provision =
+                          pkgs2411.callPackage ./auth/kanidm-provision.nix { };
+                      }
+                    else
+                      {
+                        inherit (pkgs-unstable) kanidm kanidm-provision;
+                      }
+                )
+              ];
+
              disabledModules = [ "services/security/kanidm.nix" ];
              imports = [ ./auth/kanidm.nix ];
-            }
+            })
            selfprivacy-api.nixosModules.default
            ({ pkgs, lib, ... }: {
              environment.etc = (lib.attrsets.mapAttrs'
--- a/selfprivacy-module.nix
+++ b/selfprivacy-module.nix
@@ -45,6 +45,11 @@ with lib;
        default = false;
        type = types.nullOr types.bool;
      };
+      useKanidm_1_4 = mkOption {
+        description = "Whether to use Kanidm v1.4 (instead of upstream).";
+        default = false;
+        type = types.bool;
+      };
    };
    stateVersion = mkOption {
      description = "State version of the server";