Merge pull request #200354 from mweinelt/kanidm-1.1.0-alpha.10

2022-11-26 22:11:29 +01:00 · 2022-11-26 22:11:29 +01:00 · 35d7617d81
commit 35d7617d81
parent 46189b54a8 272ac9ec64
5 changed files with 27 additions and 18 deletions
--- a/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml
@ -709,6 +709,14 @@
          <literal>emacs-gtk</literal>.
        </para>
      </listitem>
+      <listitem>
+        <para>
+          <literal>kanidm</literal> has been updated to 1.1.0-alpha.10
+          and now requires a tls certificate and key. It will always
+          start an https and – if enabled – an ldaps server and no http
+          and ldap server anymore.
+        </para>
+      </listitem>
      <listitem>
        <para>
          riak package removed along with
--- a/nixos/doc/manual/release-notes/rl-2211.section.md
+++ b/nixos/doc/manual/release-notes/rl-2211.section.md
@ -231,6 +231,8 @@ Available as [services.patroni](options.html#opt-services.patroni.enable).
 - Emacs now uses the Lucid toolkit by default instead of GTK because of stability and compatibility issues.
  Users who still wish to remain using GTK can do so by using `emacs-gtk`.

+- `kanidm` has been updated to 1.1.0-alpha.10 and now requires a tls certificate and key. It will always start an https and – if enabled – an ldaps server and no http and ldap server anymore.
+
 - riak package removed along with `services.riak` module, due to lack of maintainer to update the package.

 - ppd files in `pkgs.cups-drv-rastertosag-gdi` are now gzipped.  If you refer to such a ppd file with its path (e.g. via [hardware.printers.ensurePrinters](options.html#opt-hardware.printers.ensurePrinters)) you will need to append `.gz` to the path.
--- a/nixos/modules/services/security/kanidm.nix
+++ b/nixos/modules/services/security/kanidm.nix
@ -100,6 +100,14 @@ in
            readOnly = true;
            type = lib.types.path;
          };
+          tls_chain = lib.mkOption {
+            description = lib.mdDoc "TLS chain in pem format.";
+            type = lib.types.path;
+          };
+          tls_key = lib.mkOption {
+            description = lib.mdDoc "TLS key in pem format.";
+            type = lib.types.path;
+          };
          log_level = lib.mkOption {
            description = lib.mdDoc "Log level of the server.";
            default = "default";
--- a/nixos/tests/kanidm.nix
+++ b/nixos/tests/kanidm.nix
@ -13,26 +13,17 @@ import ./make-test-python.nix ({ pkgs, ... }:
        serverSettings = {
          origin = "https://${serverDomain}";
          domain = serverDomain;
-          bindaddress = "[::1]:8443";
+          bindaddress = "[::]:443";
          ldapbindaddress = "[::1]:636";
-        };
-      };
-
-      services.nginx = {
-        enable = true;
-        recommendedProxySettings = true;
-        virtualHosts."${serverDomain}" = {
-          forceSSL = true;
-          sslCertificate = certs."${serverDomain}".cert;
-          sslCertificateKey = certs."${serverDomain}".key;
-          locations."/".proxyPass = "http://[::1]:8443";
+          tls_chain = certs."${serverDomain}".cert;
+          tls_key = certs."${serverDomain}".key;
        };
      };

      security.pki.certificateFiles = [ certs.ca.cert ];

      networking.hosts."::1" = [ serverDomain ];
-      networking.firewall.allowedTCPPorts = [ 80 443 ];
+      networking.firewall.allowedTCPPorts = [ 443 ];

      users.users.kanidm.shell = pkgs.bashInteractive;

@ -73,7 +64,7 @@ import ./make-test-python.nix ({ pkgs, ... }:
        start_all()
        server.wait_for_unit("kanidm.service")
        server.wait_until_succeeds("curl -sf https://${serverDomain} | grep Kanidm")
-        server.succeed("ldapsearch -H ldap://[::1]:636 -b '${ldapBaseDN}' -x '(name=test)'")
+        server.succeed("ldapsearch -H ldaps://${serverDomain}:636 -b '${ldapBaseDN}' -x '(name=test)'")
        client.succeed("kanidm login -D anonymous && kanidm self whoami | grep anonymous@${serverDomain}")
        rv, result = server.execute("kanidmd recover_account -c ${serverConfigFile} idm_admin 2>&1 | rg -o '[A-Za-z0-9]{48}'")
        assert rv == 0
--- a/pkgs/servers/kanidm/default.nix
+++ b/pkgs/servers/kanidm/default.nix
@ -17,16 +17,16 @@ let
 in
 rustPlatform.buildRustPackage rec {
  pname = "kanidm";
-  version = "1.1.0-alpha.9";
+  version = "1.1.0-alpha.10";

  src = fetchFromGitHub {
    owner = pname;
    repo = pname;
-    rev = "985462590b1c49b26a0b0ee01e24b1eb01942165";
-    hash = "sha256-JtoDuA3NCKmX+wDqav30VwrLeDALYat1iKFWpbYOO1s=";
+    rev = "fb76326234bffd9c9f3f24808d113f2c335c86fe";
+    hash = "sha256-nE3zyigorAbDp5mgXzoyXWGOG+GaFC//SS/7Z9zj1Ps=";
  };

-  cargoSha256 = "sha256-pkBkXIG2PF5YMeighQwHwhURWbJabfveyszRIdrQjcA=";
+  cargoSha256 = "sha256-/CcmKYPtBHNdhJnO0OmZtW/39HH58qmCE9hFbIiNsaE=";

  KANIDM_BUILD_PROFILE = "release_nixos_${arch}";