kanidm: 1.1.0-alpha.12 -> 1.1.0-beta.13
https://github.com/kanidm/kanidm/releases/tag/v1.1.0-beta.13 The kanidmd process now creates a unix socket over which admin tasks can be done without having to shut kanidm down first. The kanidm_unixd process now wants access to /etc/shadow and /etc/group, so it can rule out collisions with the host system.
This commit is contained in:
parent
b6fbd87328
commit
184d15cc06
@ -122,8 +122,8 @@ in
|
||||
};
|
||||
log_level = lib.mkOption {
|
||||
description = lib.mdDoc "Log level of the server.";
|
||||
default = "default";
|
||||
type = lib.types.enum [ "default" "verbose" "perfbasic" "perffull" ];
|
||||
default = "info";
|
||||
type = lib.types.enum [ "info" "debug" "trace" ];
|
||||
};
|
||||
role = lib.mkOption {
|
||||
description = lib.mdDoc "The role of this server. This affects the replication relationship and thereby available features.";
|
||||
@ -236,17 +236,23 @@ in
|
||||
{
|
||||
StateDirectory = "kanidm";
|
||||
StateDirectoryMode = "0700";
|
||||
RuntimeDirectory = "kanidmd";
|
||||
ExecStart = "${pkgs.kanidm}/bin/kanidmd server -c ${serverConfigFile}";
|
||||
User = "kanidm";
|
||||
Group = "kanidm";
|
||||
|
||||
BindPaths = [
|
||||
# To create the socket
|
||||
"/run/kanidmd:/run/kanidmd"
|
||||
];
|
||||
|
||||
AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
|
||||
CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
|
||||
# This would otherwise override the CAP_NET_BIND_SERVICE capability.
|
||||
PrivateUsers = lib.mkForce false;
|
||||
# Port needs to be exposed to the host network
|
||||
PrivateNetwork = lib.mkForce false;
|
||||
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
|
||||
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
|
||||
TemporaryFileSystem = "/:ro";
|
||||
}
|
||||
];
|
||||
@ -273,6 +279,8 @@ in
|
||||
"-/etc/static/kanidm"
|
||||
"-/etc/ssl"
|
||||
"-/etc/static/ssl"
|
||||
"-/etc/passwd"
|
||||
"-/etc/group"
|
||||
];
|
||||
BindPaths = [
|
||||
# To create the socket
|
||||
@ -327,6 +335,9 @@ in
|
||||
|
||||
# These paths are hardcoded
|
||||
environment.etc = lib.mkMerge [
|
||||
(lib.mkIf cfg.enableServer {
|
||||
"kanidm/server.toml".source = serverConfigFile;
|
||||
})
|
||||
(lib.mkIf options.services.kanidm.clientSettings.isDefined {
|
||||
"kanidm/config".source = clientConfigFile;
|
||||
})
|
||||
|
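Review bot: The new `RuntimeDirectory = "kanidmd"` is created with systemd's default `RuntimeDirectoryMode` (0755), so the only thing between other local users and the admin socket the description places under `/run/kanidmd` is whatever mode kanidmd itself sets on the socket file — unlike the state directory, which this unit pins with `StateDirectoryMode = "0700"`. If kanidmd does not restrict the socket on its own, adding `RuntimeDirectoryMode = "0700";` next to `StateDirectoryMode` closes that gap, which should be safe as long as admin tooling runs as the `kanidm` user (as the test does with `su - kanidm`); if it does restrict it, a comment on the `BindPaths` entry such as `# kanidmd sets the socket mode itself; only the kanidm user is expected to connect` would save the next reader the check. The `AF_UNIX` addition to `RestrictAddressFamilies` is what the socket requires and is consistent with this. The serviceConfig attribute set in this hunk starts and ends outside the hunk.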
@ -67,9 +67,10 @@ import ./make-test-python.nix ({ pkgs, ... }:
|
||||
''
|
||||
start_all()
|
||||
server.wait_for_unit("kanidm.service")
|
||||
client.wait_for_unit("network-online.target")
|
||||
|
||||
with subtest("Test HTTP interface"):
|
||||
server.wait_until_succeeds("curl -sf https://${serverDomain} | grep Kanidm")
|
||||
server.wait_until_succeeds("curl -Lsf https://${serverDomain} | grep Kanidm")
|
||||
|
||||
with subtest("Test LDAP interface"):
|
||||
server.succeed("ldapsearch -H ldaps://${serverDomain}:636 -b '${ldapBaseDN}' -x '(name=test)'")
|
||||
@ -80,15 +81,11 @@ import ./make-test-python.nix ({ pkgs, ... }:
|
||||
client.succeed("kanidm logout")
|
||||
|
||||
with subtest("Recover idm_admin account"):
|
||||
# Must stop the server for account recovery or else kanidmd fails with
|
||||
# "unable to lock kanidm exclusive lock at /var/lib/kanidm/kanidm.db.klock".
|
||||
server.succeed("systemctl stop kanidm")
|
||||
idm_admin_password = server.succeed("su - kanidm -c 'kanidmd recover-account -c ${serverConfigFile} idm_admin 2>&1 | rg -o \'[A-Za-z0-9]{48}\' '").strip().removeprefix("'").removesuffix("'")
|
||||
server.succeed("systemctl start kanidm")
|
||||
|
||||
with subtest("Test unixd connection"):
|
||||
client.wait_for_unit("kanidm-unixd.service")
|
||||
# TODO: client.wait_for_file("/run/kanidm-unixd/sock")
|
||||
client.wait_for_file("/run/kanidm-unixd/sock")
|
||||
client.wait_until_succeeds("kanidm-unix status | grep working!")
|
||||
|
||||
with subtest("Test user creation"):
|
||||
|
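Review bot: The hunk removes the comment that explained why the server had to be stopped around `recover-account`, but nothing on the new side records why that is no longer needed, so the next reader of the `idm_admin_password` line has to rediscover it. A one-line comment above it, `# recover-account now talks to the running kanidmd over its admin socket, so no stop/start is needed`, would keep that reasoning (per the commit description; confirm against the upstream changelog). The `rg -o '[A-Za-z0-9]{48}'` extraction also reads stderr via `2>&1`, so any other 48-character alphanumeric token in the combined output would be captured instead of the password; matching on the line that carries the password would be more robust, though the output format is not visible from here. The `subtest` blocks continue outside the hunk.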
5427
pkgs/servers/kanidm/Cargo.lock
generated
5427
pkgs/servers/kanidm/Cargo.lock
generated
@ -4,13 +4,13 @@
|
||||
, nixosTests
|
||||
, rustPlatform
|
||||
, fetchFromGitHub
|
||||
, fetchpatch
|
||||
, installShellFiles
|
||||
, pkg-config
|
||||
, udev
|
||||
, openssl
|
||||
, sqlite
|
||||
, pam
|
||||
, bashInteractive
|
||||
}:
|
||||
|
||||
let
|
||||
@ -18,45 +18,35 @@ let
|
||||
in
|
||||
rustPlatform.buildRustPackage rec {
|
||||
pname = "kanidm";
|
||||
version = "1.1.0-alpha.12";
|
||||
version = "1.1.0-beta.13";
|
||||
|
||||
src = fetchFromGitHub {
|
||||
owner = pname;
|
||||
repo = pname;
|
||||
rev = "f5924443f08e462067937a5dd0e2c19e5e1255da";
|
||||
hash = "sha256-kJUxVrGpczIdOqKQbgRp1xERfKP6C0SDQgWdjtSuvZ8=";
|
||||
# Latest 1.1.0-beta.13 tip
|
||||
rev = "5d1e2f90e6901017ab3ef9b5fbc10e25a5451fd2";
|
||||
hash = "sha256-70yeHVOrCuC+H96UC84kly3CCQ+y1RGzF5K/2FIag/o=";
|
||||
};
|
||||
|
||||
cargoLock = {
|
||||
lockFile = ./Cargo.lock;
|
||||
outputHashes = {
|
||||
"tracing-forest-0.1.5" = "sha256-L6auSKB4DCnZBZpx7spiikhSOD6i1W3erc3zjn+26Ao=";
|
||||
};
|
||||
};
|
||||
cargoHash = "sha256-Qdc+E5+k9NNE4s6eAnpkam56pc2JJPahkuT4lB328cY=";
|
||||
|
||||
KANIDM_BUILD_PROFILE = "release_nixos_${arch}";
|
||||
|
||||
patches = [
|
||||
(fetchpatch {
|
||||
# Bring back x86_64-v1 microarchitecture level
|
||||
name = "cpu-opt-level.patch";
|
||||
url = "https://github.com/kanidm/kanidm/commit/59c6723f7dfb2266eae45c3b2ddd377872a7a113.patch";
|
||||
hash = "sha256-8rVEYitxvdVduQ/+AD/UG3v+mgT/VxkLoxNIXczUfCQ=";
|
||||
})
|
||||
];
|
||||
|
||||
postPatch =
|
||||
let
|
||||
format = (formats.toml { }).generate "${KANIDM_BUILD_PROFILE}.toml";
|
||||
profile = {
|
||||
web_ui_pkg_path = "@web_ui_pkg_path@";
|
||||
admin_bind_path = "/run/kanidmd/sock";
|
||||
cpu_flags = if stdenv.isx86_64 then "x86_64_legacy" else "none";
|
||||
default_config_path = "/etc/kanidm/server.toml";
|
||||
default_unix_shell_path = "${lib.getBin bashInteractive}/bin/bash";
|
||||
web_ui_pkg_path = "@web_ui_pkg_path@";
|
||||
};
|
||||
in
|
||||
''
|
||||
cp ${format profile} libs/profiles/${KANIDM_BUILD_PROFILE}.toml
|
||||
substituteInPlace libs/profiles/${KANIDM_BUILD_PROFILE}.toml \
|
||||
--replace '@web_ui_pkg_path@' "$out/ui"
|
||||
--replace '@web_ui_pkg_path@' "${placeholder "out"}/ui"
|
||||
'';
|
||||
|
||||
nativeBuildInputs = [
|
||||
@ -92,6 +82,7 @@ rustPlatform.buildRustPackage rec {
|
||||
passthru.tests = { inherit (nixosTests) kanidm; };
|
||||
|
||||
meta = with lib; {
|
||||
changelog = "https://github.com/kanidm/kanidm/releases/tag/v${version}";
|
||||
description = "A simple, secure and fast identity management platform";
|
||||
homepage = "https://github.com/kanidm/kanidm";
|
||||
license = licenses.mpl20;
|
||||
|
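Review bot: The `src` now pins a post-tag commit (`5d1e2f90…`) described only as `# Latest 1.1.0-beta.13 tip`, while `version` and `meta.changelog` advertise the `v1.1.0-beta.13` tag, so the comment should state why the tag itself is not used, e.g. `# Post-tag commit on the 1.1.0-beta.13 branch; carries <fix — fill in> that is missing from v1.1.0-beta.13`. Without that, the next bump cannot tell whether to return to the tagged release, and anyone auditing the package cannot map the pinned source to the release it claims to be. The `fetchpatch` entry is hash-pinned, which is good, but its comment could name the upstream PR or issue so the patch can be dropped once a tagged release contains it. The `rustPlatform.buildRustPackage` attribute set continues outside the hunk.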