From f2e9623d7fbb965c7567b10bac09496c343f1f2e Mon Sep 17 00:00:00 2001
From: Alexander Tomokhov
Date: Fri, 18 Apr 2025 21:06:18 +0400
Subject: [PATCH] auth: selfprivacy.sso.useKanidm_1_4
---
 auth/auth.nix | 13 +---------
 auth/kanidm-provision.nix | 52 +++++++++++++++++++++++++++++++++++++++
 flake.lock | 17 +++++++++++++
 flake.nix | 32 +++++++++++++++++++++---
 selfprivacy-module.nix | 5 ++++
 5 files changed, 103 insertions(+), 16 deletions(-)
 create mode 100644 auth/kanidm-provision.nix
diff --git a/auth/auth.nix b/auth/auth.nix
index 296d81a..11f9a96 100644
--- a/auth/auth.nix
+++ b/auth/auth.nix
@@ -1,4 +1,4 @@
-nixos-unstable: { config, lib, pkgs, ... }:
+{ config, lib, pkgs, ... }:
 let
 domain = config.selfprivacy.domain;
 subdomain = "auth";
@@ -82,17 +82,6 @@ let
 lua_path = "${lua_core_path};${lua_lrucache_path};";
 in
 lib.mkIf config.selfprivacy.sso.enable {
- nixpkgs.overlays = [
- (
- _final: prev: {
- inherit (nixos-unstable.legacyPackages.${prev.system})
- kanidm
- kanidm-provision
- ;
- }
- )
- ];
-
 networking.hosts = {
 # Allow the services to communicate with kanidm even if
 # there is no DNS record yet
diff --git a/auth/kanidm-provision.nix b/auth/kanidm-provision.nix
new file mode 100644
index 0000000..fe09d0e
--- /dev/null
+++ b/auth/kanidm-provision.nix
@@ -0,0 +1,52 @@
+{
+ lib,
+ rustPlatform,
+ fetchFromGitHub,
+ yq,
+ versionCheckHook,
+ nix-update-script,
+ nixosTests,
+}:
+
+rustPlatform.buildRustPackage rec {
+ pname = "kanidm-provision";
+ version = "1.2.0";
+
+ src = fetchFromGitHub {
+ owner = "oddlama";
+ repo = "kanidm-provision";
+ tag = "v${version}";
+ hash = "sha256-+NQJEAJ0DqKEV1cYZN7CLzGoBJNUL3SQAMmxRQG5DMI=";
+ };
+
+ postPatch = ''
+ tomlq -ti '.package.version = "${version}"' Cargo.toml
+ '';
+
+ useFetchCargoVendor = true;
+ cargoHash = "sha256-uo/TGyfNChq/t6Dah0HhXhAwktyQk0V/wewezZuftNk=";
+
+ nativeBuildInputs = [
+ yq # for `tomlq`
+ ];
+
+ nativeInstallCheckInputs = [ versionCheckHook ];
+ versionCheckProgramArg = "--version";
+ doInstallCheck = true;
+
+ passthru = {
+ tests = { inherit (nixosTests) kanidm-provisioning; };
+ updateScript = nix-update-script { };
+ };
+
+ meta = {
+ description = "A small utility to help with kanidm provisioning";
+ homepage = "https://github.com/oddlama/kanidm-provision";
+ license = with lib.licenses; [
+ asl20
+ mit
+ ];
+ maintainers = with lib.maintainers; [ oddlama ];
+ mainProgram = "kanidm-provision";
+ };
+}
diff --git a/flake.lock b/flake.lock
index 8650115..17fba7e 100644
--- a/flake.lock
+++ b/flake.lock
@@ -31,10 +31,27 @@
 "type": "github"
 }
 },
+ "nixpkgs-2411": {
+ "locked": {
+ "lastModified": 1744440957,
+ "narHash": "sha256-FHlSkNqFmPxPJvy+6fNLaNeWnF1lZSgqVCl/eWaJRc4=",
+ "owner": "nixos",
+ "repo": "nixpkgs",
+ "rev": "26d499fc9f1d567283d5d56fcf367edd815dba1d",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nixos",
+ "ref": "nixos-24.11",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
 "root": {
 "inputs": {
 "nixos-unstable": "nixos-unstable",
 "nixpkgs": "nixpkgs",
+ "nixpkgs-2411": "nixpkgs-2411",
 "selfprivacy-api": "selfprivacy-api"
 }
 },
diff --git a/flake.nix b/flake.nix
index 238d422..ff68281 100644
--- a/flake.nix
+++ b/flake.nix
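Review bot: The new package expression carries no provenance comment, so nothing tells a maintainer where `auth/kanidm-provision.nix` was copied from or that `version`, `hash` and `cargoHash` have to be bumped here by hand — the `updateScript = nix-update-script { }` and `passthru.tests` attributes only do something inside nixpkgs itself and will not refresh this copy. I would add a header comment above the argument set such as `# Vendored copy of the nixpkgs kanidm-provision expression, called with the pinned nixpkgs-24.11 package set from flake.nix; bump version/hash/cargoHash here manually.`. The `inherit (nixosTests) kanidm-provisioning` line is presumably resolved from that 24.11 package set; worth confirming the attribute exists there, otherwise evaluating `passthru.tests` fails.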
@@ -3,6 +3,7 @@ inputs = {
 nixpkgs.url = github:nixos/nixpkgs;
+ nixpkgs-2411.url = github:nixos/nixpkgs/f6687779bf4c396250831aa5a32cbfeb85bb07a3;
 nixos-unstable.url = github:nixos/nixpkgs/nixos-unstable;
 selfprivacy-api.url =
@@ -11,7 +12,7 @@
 selfprivacy-api.inputs.nixpkgs.follows = "nixpkgs";
 };
- outputs = { self, nixpkgs, nixos-unstable, selfprivacy-api }: {
+ outputs = { self, nixpkgs, nixpkgs-2411, nixos-unstable, selfprivacy-api }: {
 nixosConfigurations-fun = {
 hardware-configuration
 , deployment
@@ -25,11 +26,34 @@
 hardware-configuration
 deployment
 ./configuration.nix
- (import ./auth/auth.nix nixos-unstable)
- {
+ ./auth/auth.nix
+ ({ config, ... }: {
+ nixpkgs.overlays = [
+ (
+ _final: prev:
+ let
+ pkgs2411 =
+ nixpkgs-2411.legacyPackages.${prev.system};
+ pkgs-unstable =
+ nixos-unstable.legacyPackages.${prev.system};
+ in
+ if config.selfprivacy.sso.useKanidm_1_4 or false
+ then
+ {
+ inherit (pkgs2411) kanidm;
+ kanidm-provision =
+ pkgs2411.callPackage ./auth/kanidm-provision.nix { };
+ }
+ else
+ {
+ inherit (pkgs-unstable) kanidm kanidm-provision;
+ }
+ )
+ ];
 disabledModules = [ "services/security/kanidm.nix" ];
 imports = [ ./auth/kanidm.nix ];
- }
+ })
 selfprivacy-api.nixosModules.default
 ({ pkgs, lib, ... }: {
 environment.etc = (lib.attrsets.mapAttrs'
diff --git a/selfprivacy-module.nix b/selfprivacy-module.nix
index a90435b..f670914 100644
--- a/selfprivacy-module.nix
+++ b/selfprivacy-module.nix
@@ -45,6 +45,11 @@ with lib;
 default = false;
 type = types.nullOr types.bool;
 };
+ useKanidm_1_4 = mkOption {
+ description = "Whether to use Kanidm v1.4 (instead of upstream).";
+ default = false;
+ type = types.bool;
+ };
 };
 stateVersion = mkOption {
 description = "State version of the server";
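Review bot: The new `nixpkgs-2411.url` pins the input to commit `f6687779bf4c396250831aa5a32cbfeb85bb07a3`, but the `flake.lock` entry added in the same commit records `original` as `ref: nixos-24.11` with `rev` `26d499fc9f1d567283d5d56fcf367edd815dba1d`, so the lock does not describe the input flake.nix declares. Nix treats such an entry as stale and re-resolves it on the next command — an error where lock updates are disallowed, a silent rewrite of flake.lock otherwise — which means the nixpkgs revision that actually supplies kanidm is not reproducible from this commit. Either re-lock after changing the url (e.g. `nix flake update nixpkgs-2411`) or declare the branch in flake.nix and let flake.lock hold the pin. A short comment on the url line saying why a fixed commit was chosen would also help, since `nix flake update` will never move it.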
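Review bot: The overlay takes the identity-provider build from `pkgs2411`, i.e. the `nixpkgs-2411` input that flake.nix fixes to a single commit, so with `useKanidm_1_4 = true` the kanidm binary only changes when someone edits that hash by hand and fixes published on the 24.11 branch never arrive through `nix flake update`; that is worth a comment next to the `if`, e.g. `# kanidm/kanidm-provision from the pinned nixpkgs-24.11 input; the pin is a fixed commit and must be bumped by hand to pick up security updates.`. The `or false` in `if config.selfprivacy.sso.useKanidm_1_4 or false` is redundant now that selfprivacy-module.nix declares the option with `type = types.bool` and `default = false`, so `if config.selfprivacy.sso.useKanidm_1_4` states the intent more honestly. The enclosing `nixosConfigurations-fun` module list starts and ends outside the hunk.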
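Review bot: The option description `Whether to use Kanidm v1.4 (instead of upstream).` does not say what "upstream" is or where v1.4 comes from; per the overlay in flake.nix it is kanidm and kanidm-provision from the pinned nixpkgs-24.11 input, with nixos-unstable otherwise. I would write `description = "Use Kanidm (and kanidm-provision) from the pinned nixpkgs-24.11 input instead of nixos-unstable.";`. If a server has already run the newer kanidm from unstable, switching this on afterwards is presumably a version downgrade of the identity store; if that is unsupported, the description should say so. The enclosing `sso` option set starts outside the hunk.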