[Backport release-24.11] nixos/kanidm: add provisioning secret directories to BindReadOnlyPaths (#357915)

This commit is contained in:
Adam C. Stephens 2024-11-21 11:48:55 -05:00 committed by GitHub
commit 48d0b9dd10
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194


@ -31,6 +31,7 @@ let
mkOption
mkPackageOption
optional
optionals
optionalString
splitString
subtractLists
@ -45,10 +46,22 @@ let
serverConfigFile = settingsFormat.generate "server.toml" (filterConfig cfg.serverSettings);
clientConfigFile = settingsFormat.generate "kanidm-config.toml" (filterConfig cfg.clientSettings);
unixConfigFile = settingsFormat.generate "kanidm-unixd.toml" (filterConfig cfg.unixSettings);
certPaths = builtins.map builtins.dirOf [
cfg.serverSettings.tls_chain
cfg.serverSettings.tls_key
];
provisionSecretFiles = filter (x: x != null) (
[
cfg.provision.idmAdminPasswordFile
cfg.provision.adminPasswordFile
]
++ mapAttrsToList (_: x: x.basicSecretFile) cfg.provision.systems.oauth2
);
secretDirectories = unique (
map builtins.dirOf (
[
cfg.serverSettings.tls_chain
cfg.serverSettings.tls_key
]
++ optionals cfg.provision.enable provisionSecretFiles
)
);
# Merge bind mount paths and remove paths where a prefix is already mounted.
# This makes sure that if e.g. the tls_chain is in the nix store and /nix/store is already in the mount
@ -817,7 +830,7 @@ in
(
defaultServiceConfig
// {
BindReadOnlyPaths = mergePaths (defaultServiceConfig.BindReadOnlyPaths ++ certPaths);
BindReadOnlyPaths = mergePaths (defaultServiceConfig.BindReadOnlyPaths ++ secretDirectories);
}
)
{
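Review bot: `secretDirectories` in the second hunk bind-mounts `builtins.dirOf` of each secret file, so the unit gains read access to the whole parent directory rather than the individual secret — for a path such as `/run/secrets/kanidm-admin-password` that is all of `/run/secrets`, and only the files' DAC permissions then limit what the kanidm user can read there. If directories rather than the files themselves were chosen so that secret-manager symlinks (sops-nix, agenix) keep resolving inside the mount namespace, that intent is not stated anywhere in the hunk; a comment at the `secretDirectories` binding would make the trade-off explicit, e.g. `# Mount the parent directories rather than the secret files so symlinked secrets still resolve; note this exposes every sibling file in those directories (read-only) to the unit.` It is also worth confirming that every `*File` option under `cfg.provision` is collected by `provisionSecretFiles`: only the two admin password files and `oauth2.*.basicSecretFile` are listed, so any other secret-file option in the provisioning options (not visible in this diff) would still be unreadable under the hardened unit.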