fix(patches/kanidm-provision): feature has been upstreamed
Some checks failed
Check meta / check_meta (pull_request) Successful in 15s
Check meta / check_dns (pull_request) Successful in 24s
Run pre-commit on all files / pre-commit (push) Successful in 26s
Check workflows / check_workflows (pull_request) Successful in 26s
Run pre-commit on all files / pre-commit (pull_request) Successful in 30s
Build all the nodes / Jaccess01 (pull_request) Successful in 46s
Build all the nodes / netcore01 (pull_request) Successful in 25s
Build all the nodes / Jaccess04 (pull_request) Successful in 49s
Build all the nodes / netcore02 (pull_request) Successful in 25s
Build all the nodes / ap01 (pull_request) Successful in 1m0s
Build all the nodes / lab-router01 (pull_request) Successful in 48s
Build all the nodes / iso (pull_request) Successful in 1m16s
Build all the nodes / krz01 (pull_request) Successful in 1m54s
Build all the nodes / bridge01 (pull_request) Successful in 1m59s
Build all the nodes / rescue01 (pull_request) Successful in 1m34s
Build all the nodes / web02 (pull_request) Successful in 1m2s
Build all the nodes / vault01 (pull_request) Successful in 1m16s
Build the shell / build-shell (pull_request) Successful in 34s
Build all the nodes / hypervisor03 (pull_request) Successful in 2m41s
Build all the nodes / web03 (pull_request) Successful in 1m25s
Build all the nodes / hypervisor02 (pull_request) Successful in 2m43s
Build all the nodes / cof02 (pull_request) Successful in 2m43s
Build all the nodes / geo02 (pull_request) Successful in 2m42s
Build all the nodes / zulip01 (pull_request) Successful in 47s
Build all the nodes / storage01 (pull_request) Successful in 1m58s
Build all the nodes / web01 (pull_request) Successful in 1m43s
Build all the nodes / hypervisor01 (pull_request) Successful in 2m43s
Build all the nodes / tower01 (pull_request) Successful in 1m53s
Build all the nodes / geo01 (pull_request) Successful in 2m43s
Build all the nodes / build01 (pull_request) Successful in 2m52s
Build all the nodes / compute01 (pull_request) Failing after 3m27s
Some checks failed
Check meta / check_meta (pull_request) Successful in 15s
Check meta / check_dns (pull_request) Successful in 24s
Run pre-commit on all files / pre-commit (push) Successful in 26s
Check workflows / check_workflows (pull_request) Successful in 26s
Run pre-commit on all files / pre-commit (pull_request) Successful in 30s
Build all the nodes / Jaccess01 (pull_request) Successful in 46s
Build all the nodes / netcore01 (pull_request) Successful in 25s
Build all the nodes / Jaccess04 (pull_request) Successful in 49s
Build all the nodes / netcore02 (pull_request) Successful in 25s
Build all the nodes / ap01 (pull_request) Successful in 1m0s
Build all the nodes / lab-router01 (pull_request) Successful in 48s
Build all the nodes / iso (pull_request) Successful in 1m16s
Build all the nodes / krz01 (pull_request) Successful in 1m54s
Build all the nodes / bridge01 (pull_request) Successful in 1m59s
Build all the nodes / rescue01 (pull_request) Successful in 1m34s
Build all the nodes / web02 (pull_request) Successful in 1m2s
Build all the nodes / vault01 (pull_request) Successful in 1m16s
Build the shell / build-shell (pull_request) Successful in 34s
Build all the nodes / hypervisor03 (pull_request) Successful in 2m41s
Build all the nodes / web03 (pull_request) Successful in 1m25s
Build all the nodes / hypervisor02 (pull_request) Successful in 2m43s
Build all the nodes / cof02 (pull_request) Successful in 2m43s
Build all the nodes / geo02 (pull_request) Successful in 2m42s
Build all the nodes / zulip01 (pull_request) Successful in 47s
Build all the nodes / storage01 (pull_request) Successful in 1m58s
Build all the nodes / web01 (pull_request) Successful in 1m43s
Build all the nodes / hypervisor01 (pull_request) Successful in 2m43s
Build all the nodes / tower01 (pull_request) Successful in 1m53s
Build all the nodes / geo01 (pull_request) Successful in 2m43s
Build all the nodes / build01 (pull_request) Successful in 2m52s
Build all the nodes / compute01 (pull_request) Failing after 3m27s
This commit is contained in:
parent
c255e08761
commit
753071c9a1
GPG key ID:
CE3E645251AC63F3
4 changed files with 1 additions and 160 deletions
|
|
@ -83,7 +83,7 @@ in
|
||||||
groups =
|
groups =
|
||||||
{
|
{
|
||||||
grp_active.members = catAttrs "username" (attrValues meta.organization.members);
|
grp_active.members = catAttrs "username" (attrValues meta.organization.members);
|
||||||
grp-ext_cri.memberless = true;
|
grp-ext_cri.overwriteMembers = false;
|
||||||
}
|
}
|
||||||
// (mapAttrs' (
|
// (mapAttrs' (
|
||||||
name: members: nameValuePair "grp_${name}" { members = builtins.map usernameFor members; }
|
name: members: nameValuePair "grp_${name}" { members = builtins.map usernameFor members; }
|
||||||
|
|
|
||||||
|
|
@ -26,10 +26,6 @@ with {
|
||||||
|
|
||||||
# pretalx env file option
|
# pretalx env file option
|
||||||
(local ./nixpkgs/01-pretalx-environment-file.patch)
|
(local ./nixpkgs/01-pretalx-environment-file.patch)
|
||||||
|
|
||||||
# Kanidm memberless groups provisionning
|
|
||||||
(local ./nixpkgs/07-25.05-kanidm-groups-module.patch)
|
|
||||||
(local ./nixpkgs/08-25.05-kanidm-groups-pkgs.patch)
|
|
||||||
];
|
];
|
||||||
|
|
||||||
"nixos-24.11" = [
|
"nixos-24.11" = [
|
||||||
|
|
|
||||||
|
|
@ -1,51 +0,0 @@
|
||||||
diff --git a/nixos/modules/services/security/kanidm.nix b/nixos/modules/services/security/kanidm.nix
|
|
||||||
index ab85eed34eea..48722af7332a 100644
|
|
||||||
--- a/nixos/modules/services/security/kanidm.nix
|
|
||||||
+++ b/nixos/modules/services/security/kanidm.nix
|
|
||||||
@@ -140,6 +140,9 @@ let
|
|
||||||
|
|
||||||
filterPresent = filterAttrs (_: v: v.present);
|
|
||||||
|
|
||||||
+ filterMemberless = filterAttrs (_: v: v.present && v.memberless);
|
|
||||||
+ filterMemberful = filterAttrs (_: v: v.present && !v.memberless);
|
|
||||||
+
|
|
||||||
provisionStateJson = pkgs.writeText "provision-state.json" (
|
|
||||||
builtins.toJSON { inherit (cfg.provision) groups persons systems; }
|
|
||||||
);
|
|
||||||
@@ -465,6 +468,12 @@ in
|
|
||||||
apply = unique;
|
|
||||||
default = [ ];
|
|
||||||
};
|
|
||||||
+
|
|
||||||
+ memberless = mkOption {
|
|
||||||
+ description = "Whether this group is considered memberless, i.e. the list of members is managed imperatively.";
|
|
||||||
+ type = types.bool;
|
|
||||||
+ default = false;
|
|
||||||
+ };
|
|
||||||
};
|
|
||||||
config.members = concatLists (
|
|
||||||
flip mapAttrsToList cfg.provision.persons (
|
|
||||||
@@ -791,12 +800,22 @@ in
|
|
||||||
person: personCfg:
|
|
||||||
assertGroupsKnown "services.kanidm.provision.persons.${person}.groups" personCfg.groups
|
|
||||||
))
|
|
||||||
++ (optionals (cfg.provision.extraJsonFile == null) (
|
|
||||||
- flip mapAttrsToList (filterPresent cfg.provision.groups) (
|
|
||||||
+ flip mapAttrsToList (filterMemberful cfg.provision.groups) (
|
|
||||||
group: groupCfg:
|
|
||||||
assertEntitiesKnown "services.kanidm.provision.groups.${group}.members" groupCfg.members
|
|
||||||
)
|
|
||||||
))
|
|
||||||
+ ++ (optionals (cfg.provision.extraJsonFile == null) (
|
|
||||||
+ flip lib.mapAttrsToList (filterMemberless cfg.provision.groups) (
|
|
||||||
+ group: groupCfg: {
|
|
||||||
+ assertion = cfg.provision.enable -> groupCfg.members == [ ];
|
|
||||||
+ message = ''
|
|
||||||
+ services.kanidm.groups.${group} is declared as memberless but contains members: ${toString groupCfg.members}
|
|
||||||
+ '';
|
|
||||||
+ }
|
|
||||||
+ )
|
|
||||||
+ ))
|
|
||||||
++ concatLists (
|
|
||||||
flip mapAttrsToList (filterPresent cfg.provision.systems.oauth2) (
|
|
||||||
oauth2: oauth2Cfg:
|
|
||||||
|
|
@ -1,104 +0,0 @@
|
||||||
diff --git a/pkgs/by-name/ka/kanidm-provision/01-memberless.patch b/pkgs/by-name/ka/kanidm-provision/01-memberless.patch
|
|
||||||
new file mode 100644
|
|
||||||
index 000000000000..b501a3f16828
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/pkgs/by-name/ka/kanidm-provision/01-memberless.patch
|
|
||||||
@@ -0,0 +1,85 @@
|
|
||||||
+From ab3fa7d59b76658ba98ccf50c2910329896dab6f Mon Sep 17 00:00:00 2001
|
|
||||||
+From: Tom Hubrecht <tom@hubrecht.ovh>
|
|
||||||
+Date: Tue, 4 Feb 2025 14:32:43 +0100
|
|
||||||
+Subject: [PATCH] feat: Allow declaring memberless groups
|
|
||||||
+
|
|
||||||
+When a group is "memberless", then the list of members is left intact,
|
|
||||||
+which allows managing it imperatively.
|
|
||||||
+---
|
|
||||||
+ src/main.rs | 2 +-
|
|
||||||
+ src/state.rs | 2 ++
|
|
||||||
+ tests/kanidm.nix | 18 +++++++++++++++++-
|
|
||||||
+ 3 files changed, 20 insertions(+), 2 deletions(-)
|
|
||||||
+
|
|
||||||
+diff --git a/src/main.rs b/src/main.rs
|
|
||||||
+index 206a86a..6e48f59 100644
|
|
||||||
+--- a/src/main.rs
|
|
||||||
++++ b/src/main.rs
|
|
||||||
+@@ -406,7 +406,7 @@ fn main() -> Result<()> {
|
|
||||||
+ // Sync group members
|
|
||||||
+ log_status("Syncing group members");
|
|
||||||
+ for (name, group) in &state.groups {
|
|
||||||
+- if group.present {
|
|
||||||
++ if group.present && !group.memberless {
|
|
||||||
+ update_attrs!(kanidm_client, ENDPOINT_GROUP, &existing_groups, &name, [
|
|
||||||
+ "member": group.members.clone(),
|
|
||||||
+ ]);
|
|
||||||
+diff --git a/src/state.rs b/src/state.rs
|
|
||||||
+index 206c6f4..a8bfba2 100644
|
|
||||||
+--- a/src/state.rs
|
|
||||||
++++ b/src/state.rs
|
|
||||||
+@@ -10,6 +10,8 @@ pub struct Group {
|
|
||||||
+ #[serde(default = "default_true")]
|
|
||||||
+ pub present: bool,
|
|
||||||
+ pub members: Vec<String>,
|
|
||||||
++ #[serde(default = "default_false")]
|
|
||||||
++ pub memberless: bool,
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ #[derive(Debug, Deserialize)]
|
|
||||||
+diff --git a/tests/kanidm.nix b/tests/kanidm.nix
|
|
||||||
+index a28beae..cb20257 100644
|
|
||||||
+--- a/tests/kanidm.nix
|
|
||||||
++++ b/tests/kanidm.nix
|
|
||||||
+@@ -91,6 +91,8 @@ let
|
|
||||||
+ };
|
|
||||||
+
|
|
||||||
+ filterPresent = lib.filterAttrs (_: v: v.present);
|
|
||||||
++ filterMemberless = lib.filterAttrs (_: v: v.present && v.memberless);
|
|
||||||
++ filterMemberful = lib.filterAttrs (_: v: v.present && !v.memberless);
|
|
||||||
+
|
|
||||||
+ provisionStateJson = pkgs.writeText "provision-state.json" (
|
|
||||||
+ builtins.toJSON { inherit (cfg.provision) groups persons systems; }
|
|
||||||
+@@ -391,6 +393,12 @@ in
|
|
||||||
+ apply = lib.unique;
|
|
||||||
+ default = [ ];
|
|
||||||
+ };
|
|
||||||
++
|
|
||||||
++ memberless = lib.mkOption {
|
|
||||||
++ description = "Whether this group is considered memberless, i.e. the list of members is managed imperatively.";
|
|
||||||
++ type = lib.types.bool;
|
|
||||||
++ default = false;
|
|
||||||
++ };
|
|
||||||
+ };
|
|
||||||
+ config.members = lib.concatLists (
|
|
||||||
+ lib.flip lib.mapAttrsToList cfg.provision.persons (
|
|
||||||
+@@ -708,10 +716,18 @@ in
|
|
||||||
+ person: personCfg:
|
|
||||||
+ assertGroupsKnown "services.kanidm.provision.persons.${person}.groups" personCfg.groups
|
|
||||||
+ )
|
|
||||||
+- ++ lib.flip lib.mapAttrsToList (filterPresent cfg.provision.groups) (
|
|
||||||
++ ++ lib.flip lib.mapAttrsToList (filterMemberful cfg.provision.groups) (
|
|
||||||
+ group: groupCfg:
|
|
||||||
+ assertEntitiesKnown "services.kanidm.provision.groups.${group}.members" groupCfg.members
|
|
||||||
+ )
|
|
||||||
++ ++ lib.flip lib.mapAttrsToList (filterMemberless cfg.provision.groups) (
|
|
||||||
++ group: groupCfg: {
|
|
||||||
++ assertion = cfg.provision.enable -> groupCfg.members == [ ];
|
|
||||||
++ message = ''
|
|
||||||
++ services.kanidm.groups.${group} is declared as memberless but contains members: ${toString groupCfg.members}
|
|
||||||
++ '';
|
|
||||||
++ }
|
|
||||||
++ )
|
|
||||||
+ ++ lib.concatLists (
|
|
||||||
+ lib.flip lib.mapAttrsToList (filterPresent cfg.provision.systems.oauth2) (
|
|
||||||
+ oauth2: oauth2Cfg:
|
|
||||||
diff --git a/pkgs/by-name/ka/kanidm-provision/package.nix b/pkgs/by-name/ka/kanidm-provision/package.nix
|
|
||||||
index 63d7e85ba8a8..5ebd69cb91ee 100644
|
|
||||||
--- a/pkgs/by-name/ka/kanidm-provision/package.nix
|
|
||||||
+++ b/pkgs/by-name/ka/kanidm-provision/package.nix
|
|
||||||
@@ -18,4 +18,8 @@ rustPlatform.buildRustPackage rec {
|
|
||||||
hash = "sha256-m3bF4wFPVRc2E+E/pZc3js9T4rYbTejo/FFpysytWKw=";
|
|
||||||
};
|
|
||||||
|
|
||||||
+ patches = [
|
|
||||||
+ ./01-memberless.patch
|
|
||||||
+ ];
|
|
||||||
+
|
|
||||||
useFetchCargoVendor = true;
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue