auth: selfprivacy.sso.useKanidm_1_4

auth/auth.nix

@@ -1,4 +1,4 @@
-nixos-unstable: { config, lib, pkgs, ... }:
+{ config, lib, pkgs, ... }:
 let
   domain = config.selfprivacy.domain;
   subdomain = "auth";
@@ -82,17 +82,6 @@ let
   lua_path = "${lua_core_path};${lua_lrucache_path};";
 in
 lib.mkIf config.selfprivacy.sso.enable {
-  nixpkgs.overlays = [
-    (
-      _final: prev: {
-        inherit (nixos-unstable.legacyPackages.${prev.system})
-          kanidm
-          kanidm-provision
-          ;
-      }
-    )
-  ];
-
   networking.hosts = {
     # Allow the services to communicate with kanidm even if
     # there is no DNS record yet

auth/kanidm-provision.nix

@@ -0,0 +1,52 @@
+{
+  lib,
+  rustPlatform,
+  fetchFromGitHub,
+  yq,
+  versionCheckHook,
+  nix-update-script,
+  nixosTests,
+}:
+
+rustPlatform.buildRustPackage rec {
+  pname = "kanidm-provision";
+  version = "1.2.0";
+
+  src = fetchFromGitHub {
+    owner = "oddlama";
+    repo = "kanidm-provision";
+    tag = "v${version}";
+    hash = "sha256-+NQJEAJ0DqKEV1cYZN7CLzGoBJNUL3SQAMmxRQG5DMI=";
+  };
+
+  postPatch = ''
+    tomlq -ti '.package.version = "${version}"' Cargo.toml
+  '';
+
+  useFetchCargoVendor = true;
+  cargoHash = "sha256-uo/TGyfNChq/t6Dah0HhXhAwktyQk0V/wewezZuftNk=";
+
+  nativeBuildInputs = [
+    yq # for `tomlq`
+  ];
+
+  nativeInstallCheckInputs = [ versionCheckHook ];
+  versionCheckProgramArg = "--version";
+  doInstallCheck = true;
+
+  passthru = {
+    tests = { inherit (nixosTests) kanidm-provisioning; };
+    updateScript = nix-update-script { };
+  };
+
+  meta = {
+    description = "A small utility to help with kanidm provisioning";
+    homepage = "https://github.com/oddlama/kanidm-provision";
+    license = with lib.licenses; [
+      asl20
+      mit
+    ];
+    maintainers = with lib.maintainers; [ oddlama ];
+    mainProgram = "kanidm-provision";
+  };
+}