diff --git a/nixos/modules/services/security/kanidm.nix b/nixos/modules/services/security/kanidm.nix
|
|
index ab85eed34eea..48722af7332a 100644
|
|
--- a/nixos/modules/services/security/kanidm.nix
|
|
+++ b/nixos/modules/services/security/kanidm.nix
|
|
@@ -139,6 +139,9 @@ let
|
|
|
|
filterPresent = filterAttrs (_: v: v.present);
|
|
|
|
+ filterMemberless = filterAttrs (_: v: v.present && v.memberless);
|
|
+ filterMemberful = filterAttrs (_: v: v.present && !v.memberless);
|
|
+
|
|
provisionStateJson = pkgs.writeText "provision-state.json" (
|
|
builtins.toJSON { inherit (cfg.provision) groups persons systems; }
|
|
);
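Review bot: The new `filterMemberless`/`filterMemberful` helpers split groups for the assertions, but `provisionStateJson` two lines below still serializes `cfg.provision.groups` wholesale, so a memberless group reaches the provisioner with `members = []` plus the extra `memberless` key. Nothing in this hunk shows the provisioner honoring that key; if it does not, a provisioning run will either reject the unknown field or reconcile the group's membership to the empty list and strip every imperatively added member, which is the opposite of what the option promises. I would confirm the tool's contract and, either way, document it next to the helpers: `# memberless groups are still written to provision-state.json with members = []; the provisioner must treat the flag as "do not reconcile members", otherwise imperative memberships are wiped on every run`. The `let` block these helpers live in starts before the hunk.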
|
|
@@ -442,6 +445,12 @@ in
|
|
apply = unique;
|
|
default = [ ];
|
|
};
|
|
+
|
|
+ memberless = mkOption {
|
|
+ description = "Whether this group is considered memberless, i.e. the list of members is managed imperatively.";
|
|
+ type = types.bool;
|
|
+ default = false;
|
|
+ };
|
|
};
|
|
config.members = concatLists (
|
|
flip mapAttrsToList cfg.provision.persons (
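Review bot: The `memberless` description does not tell the user the two consequences the module actually imposes, so the option reads as a free-form flag. The `members` list must be left empty when this is set (the module asserts it elsewhere in this commit), and membership of such a group is then outside declarative control, so drift in Kanidm is not reverted by a rebuild. I would make the description say so: `"Whether the members of this group are managed imperatively (outside of this module). When true, `members` must be empty and the group's membership is not reconciled on rebuild."`. The enclosing group submodule starts and ends outside this hunk.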
|
|
@@ -757,10 +766,18 @@ in
|
|
person: personCfg:
|
|
assertGroupsKnown "services.kanidm.provision.persons.${person}.groups" personCfg.groups
|
|
)
|
|
- ++ flip mapAttrsToList (filterPresent cfg.provision.groups) (
|
|
+ ++ flip mapAttrsToList (filterMemberful cfg.provision.groups) (
|
|
group: groupCfg:
|
|
assertEntitiesKnown "services.kanidm.provision.groups.${group}.members" groupCfg.members
|
|
)
|
|
+ ++ lib.flip lib.mapAttrsToList (filterMemberless cfg.provision.groups) (
|
|
+ group: groupCfg: {
|
|
+ assertion = cfg.provision.enable -> groupCfg.members == [ ];
|
|
+ message = ''
|
|
+ services.kanidm.groups.${group} is declared as memberless but contains members: ${toString groupCfg.members}
|
|
+ '';
|
|
+ }
|
|
+ )
|
|
++ concatLists (
|
|
flip mapAttrsToList (filterPresent cfg.provision.systems.oauth2) (
|
|
oauth2: oauth2Cfg:
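Review bot: The new assertion's message names the wrong option path: it prints `services.kanidm.groups.${group}` while the option is `services.kanidm.provision.groups`, as the sibling messages in this hunk show; a user following the message will not find the attribute. The one-line fix is `services.kanidm.provision.groups.${group} is declared as memberless but contains members: ${toString groupCfg.members}`. As a point of style, the added lines use `lib.flip lib.mapAttrsToList` where the adjacent entries use bare `flip mapAttrsToList`, so the qualification should be dropped to match. The assertions list this entry belongs to starts before the hunk and continues past its end.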
|