Loading maintainers/maintainer-list.nix +6 −0 Original line number Diff line number Diff line Loading @@ -12667,6 +12667,12 @@ fingerprint = "3586 3350 BFEA C101 DB1A 4AF0 1F81 112D 62A9 ADCE"; }]; }; qjoly = { email = "github@thoughtless.eu"; github = "qjoly"; githubId = 82603435; name = "Quentin JOLY"; }; qknight = { email = "js@lastlog.de"; github = "qknight"; Loading nixos/modules/services/development/lorri.nix +1 −1 Original line number Diff line number Diff line Loading @@ -50,6 +50,6 @@ in { }; }; environment.systemPackages = [ cfg.package ]; environment.systemPackages = [ cfg.package pkgs.direnv ]; }; } nixos/modules/services/security/kanidm.nix +59 −43 Original line number Diff line number Diff line Loading @@ -7,6 +7,18 @@ let serverConfigFile = settingsFormat.generate "server.toml" (filterConfig cfg.serverSettings); clientConfigFile = settingsFormat.generate "kanidm-config.toml" (filterConfig cfg.clientSettings); unixConfigFile = settingsFormat.generate "kanidm-unixd.toml" (filterConfig cfg.unixSettings); certPaths = builtins.map builtins.dirOf [ cfg.serverSettings.tls_chain cfg.serverSettings.tls_key ]; # Merge bind mount paths and remove paths where a prefix is already mounted. # This makes sure that if e.g. the tls_chain is in the nix store and /nix/store is alread in the mount # paths, no new bind mount is added. Adding subpaths caused problems on ofborg. hasPrefixInList = list: newPath: lib.any (path: lib.hasPrefix (builtins.toString path) (builtins.toString newPath)) list; mergePaths = lib.foldl' (merged: newPath: let # If the new path is a prefix to some existing path, we need to filter it out filteredPaths = lib.filter (p: !lib.hasPrefix (builtins.toString newPath) (builtins.toString p)) merged; # If a prefix of the new path is already in the list, do not add it filteredNew = if hasPrefixInList filteredPaths newPath then [] else [ newPath ]; in filteredPaths ++ filteredNew) []; defaultServiceConfig = { BindReadOnlyPaths = [ Loading 
@@ -16,7 +28,7 @@ let "-/etc/hosts" "-/etc/localtime" ]; CapabilityBoundingSet = ""; CapabilityBoundingSet = []; # ProtectClock= adds DeviceAllow=char-rtc r DeviceAllow = ""; # Implies ProtectSystem=strict, which re-mounts all paths Loading Loading @@ -216,7 +228,12 @@ in description = "kanidm identity management daemon"; wantedBy = [ "multi-user.target" ]; after = [ "network.target" ]; serviceConfig = defaultServiceConfig // { serviceConfig = lib.mkMerge [ # Merge paths and ignore existing prefixes needs to sidestep mkMerge (defaultServiceConfig // { BindReadOnlyPaths = mergePaths (defaultServiceConfig.BindReadOnlyPaths ++ certPaths); }) { StateDirectory = "kanidm"; StateDirectoryMode = "0700"; ExecStart = "${pkgs.kanidm}/bin/kanidmd server -c ${serverConfigFile}"; Loading @@ -226,12 +243,13 @@ in AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ]; CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ]; # This would otherwise override the CAP_NET_BIND_SERVICE capability. PrivateUsers = false; PrivateUsers = lib.mkForce false; # Port needs to be exposed to the host network PrivateNetwork = false; PrivateNetwork = lib.mkForce false; RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]; TemporaryFileSystem = "/:ro"; }; } ]; environment.RUST_LOG = "info"; }; Loading @@ -240,7 +258,9 @@ in wantedBy = [ "multi-user.target" ]; after = [ "network.target" ]; restartTriggers = [ unixConfigFile clientConfigFile ]; serviceConfig = defaultServiceConfig // { serviceConfig = lib.mkMerge [ defaultServiceConfig { CacheDirectory = "kanidm-unixd"; CacheDirectoryMode = "0700"; RuntimeDirectory = "kanidm-unixd"; Loading @@ -249,11 +269,6 @@ in Group = "kanidm-unixd"; BindReadOnlyPaths = [ "/nix/store" "-/etc/resolv.conf" "-/etc/nsswitch.conf" "-/etc/hosts" "-/etc/localtime" "-/etc/kanidm" "-/etc/static/kanidm" "-/etc/ssl" Loading 
@@ -264,10 +279,11 @@ in "/run/kanidm-unixd:/var/run/kanidm-unixd" ]; # Needs to connect to kanidmd PrivateNetwork = false; PrivateNetwork = lib.mkForce false; RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ]; TemporaryFileSystem = "/:ro"; }; } ]; environment.RUST_LOG = "info"; }; Loading nixos/modules/services/x11/desktop-managers/plasma5.nix +2 −1 Original line number Diff line number Diff line Loading @@ -429,7 +429,8 @@ in dolphin-plugins ffmpegthumbs kdegraphics-thumbnailers pkgs.kio-admin kde-inotify-survey kio-admin kio-extras ]; optionalPackages = [ Loading nixos/tests/kanidm.nix +2 −2 Original line number Diff line number Diff line Loading @@ -44,7 +44,7 @@ import ./make-test-python.nix ({ pkgs, ... }: }; }; networking.hosts."${nodes.server.config.networking.primaryIPAddress}" = [ serverDomain ]; networking.hosts."${nodes.server.networking.primaryIPAddress}" = [ serverDomain ]; security.pki.certificateFiles = [ certs.ca.cert ]; }; Loading @@ -56,7 +56,7 @@ import ./make-test-python.nix ({ pkgs, ... }: # We need access to the config file in the test script. filteredConfig = pkgs.lib.converge (pkgs.lib.filterAttrsRecursive (_: v: v != null)) nodes.server.config.services.kanidm.serverSettings; nodes.server.services.kanidm.serverSettings; serverConfigFile = (pkgs.formats.toml { }).generate "server.toml" filteredConfig; in Loading Loading
maintainers/maintainer-list.nix +6 −0 Original line number Diff line number Diff line Loading @@ -12667,6 +12667,12 @@ fingerprint = "3586 3350 BFEA C101 DB1A 4AF0 1F81 112D 62A9 ADCE"; }]; }; qjoly = { email = "github@thoughtless.eu"; github = "qjoly"; githubId = 82603435; name = "Quentin JOLY"; }; qknight = { email = "js@lastlog.de"; github = "qknight"; Loading
nixos/modules/services/development/lorri.nix +1 −1 Original line number Diff line number Diff line Loading @@ -50,6 +50,6 @@ in { }; }; environment.systemPackages = [ cfg.package ]; environment.systemPackages = [ cfg.package pkgs.direnv ]; }; }
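Review bot: `environment.systemPackages = [ cfg.package pkgs.direnv ];` installs direnv system-wide on every host that enables lorri, with no way to pick a different direnv package or to opt out, and nothing on the line says why the second package is there. Presumably lorri is driven through its direnv hook and this is intended, but a one-line comment would stop the next reader from pruning it as unrelated, e.g. `# lorri is used through its direnv integration, so ship direnv alongside it`. The enclosing module body starts outside the hunk.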
nixos/modules/services/security/kanidm.nix +59 −43 Original line number Diff line number Diff line Loading @@ -7,6 +7,18 @@ let serverConfigFile = settingsFormat.generate "server.toml" (filterConfig cfg.serverSettings); clientConfigFile = settingsFormat.generate "kanidm-config.toml" (filterConfig cfg.clientSettings); unixConfigFile = settingsFormat.generate "kanidm-unixd.toml" (filterConfig cfg.unixSettings); certPaths = builtins.map builtins.dirOf [ cfg.serverSettings.tls_chain cfg.serverSettings.tls_key ]; # Merge bind mount paths and remove paths where a prefix is already mounted. # This makes sure that if e.g. the tls_chain is in the nix store and /nix/store is alread in the mount # paths, no new bind mount is added. Adding subpaths caused problems on ofborg. hasPrefixInList = list: newPath: lib.any (path: lib.hasPrefix (builtins.toString path) (builtins.toString newPath)) list; mergePaths = lib.foldl' (merged: newPath: let # If the new path is a prefix to some existing path, we need to filter it out filteredPaths = lib.filter (p: !lib.hasPrefix (builtins.toString newPath) (builtins.toString p)) merged; # If a prefix of the new path is already in the list, do not add it filteredNew = if hasPrefixInList filteredPaths newPath then [] else [ newPath ]; in filteredPaths ++ filteredNew) []; defaultServiceConfig = { BindReadOnlyPaths = [ Loading @@ -16,7 +28,7 @@ let "-/etc/hosts" "-/etc/localtime" ]; CapabilityBoundingSet = ""; CapabilityBoundingSet = []; # ProtectClock= adds DeviceAllow=char-rtc r DeviceAllow = ""; # Implies ProtectSystem=strict, which re-mounts all paths Loading Loading 
@@ -216,7 +228,12 @@ in description = "kanidm identity management daemon"; wantedBy = [ "multi-user.target" ]; after = [ "network.target" ]; serviceConfig = defaultServiceConfig // { serviceConfig = lib.mkMerge [ # Merge paths and ignore existing prefixes needs to sidestep mkMerge (defaultServiceConfig // { BindReadOnlyPaths = mergePaths (defaultServiceConfig.BindReadOnlyPaths ++ certPaths); }) { StateDirectory = "kanidm"; StateDirectoryMode = "0700"; ExecStart = "${pkgs.kanidm}/bin/kanidmd server -c ${serverConfigFile}"; Loading @@ -226,12 +243,13 @@ in AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ]; CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ]; # This would otherwise override the CAP_NET_BIND_SERVICE capability. PrivateUsers = false; PrivateUsers = lib.mkForce false; # Port needs to be exposed to the host network PrivateNetwork = false; PrivateNetwork = lib.mkForce false; RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]; TemporaryFileSystem = "/:ro"; }; } ]; environment.RUST_LOG = "info"; }; Loading @@ -240,7 +258,9 @@ in wantedBy = [ "multi-user.target" ]; after = [ "network.target" ]; restartTriggers = [ unixConfigFile clientConfigFile ]; serviceConfig = defaultServiceConfig // { serviceConfig = lib.mkMerge [ defaultServiceConfig { CacheDirectory = "kanidm-unixd"; CacheDirectoryMode = "0700"; RuntimeDirectory = "kanidm-unixd"; Loading @@ -249,11 +269,6 @@ in Group = "kanidm-unixd"; BindReadOnlyPaths = [ "/nix/store" "-/etc/resolv.conf" "-/etc/nsswitch.conf" "-/etc/hosts" "-/etc/localtime" "-/etc/kanidm" "-/etc/static/kanidm" "-/etc/ssl" Loading @@ -264,10 +279,11 @@ in "/run/kanidm-unixd:/var/run/kanidm-unixd" ]; # Needs to connect to kanidmd PrivateNetwork = false; PrivateNetwork = lib.mkForce false; RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ]; TemporaryFileSystem = "/:ro"; }; } ]; environment.RUST_LOG = "info"; }; Loading
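Review bot: Changing `CapabilityBoundingSet = ""` to `CapabilityBoundingSet = []` in defaultServiceConfig looks like it drops the hardening for kanidm-unixd rather than preserving it: if I read the NixOS unit generator right, an empty list renders no `CapabilityBoundingSet=` line at all, whereas the empty string rendered `CapabilityBoundingSet=`, which clears every capability, so kanidmd (which merges its own list in) is unaffected but the unixd unit, which inherits defaultServiceConfig unchanged, would keep the full bounding set. Keeping `CapabilityBoundingSet = "";` in the default and writing `CapabilityBoundingSet = lib.mkForce [ "CAP_NET_BIND_SERVICE" ];` in the kanidmd block gives both units the intended set, and is consistent with `DeviceAllow = ""` two lines below, which stays a string. Separately, hasPrefixInList and mergePaths compare raw strings with `lib.hasPrefix`, so the systemd `-` optional marker (`-/etc/ssl`) never matches a plain cert directory such as `/etc/ssl/certs` and `/etc/kanidm` counts as a prefix of `/etc/kanidm-foo`; the rewrite below strips the marker and tests on a `/` component boundary so the dedup does what its comment promises. Also worth a comment next to certPaths: bind-mounting `dirOf` of tls_chain and tls_key exposes every sibling file in those directories to the service, which is presumably deliberate (a directory mount survives the file being replaced on renewal) but should be stated. The defaultServiceConfig attribute set and the kanidmd serviceConfig both continue outside the hunk.
```nix
# Path-prefix test on a component boundary; strips systemd's `-` (optional) marker first.
isPathPrefix = prefix: path:
  let
    p = lib.removePrefix "-" (builtins.toString prefix);
    q = lib.removePrefix "-" (builtins.toString path);
  in p == "/" || q == p || lib.hasPrefix (p + "/") q;
hasPrefixInList = list: newPath: lib.any (path: isPathPrefix path newPath) list;
mergePaths = lib.foldl' (merged: newPath:
  let
    # Drop existing entries that live under the new path …
    filteredPaths = lib.filter (p: !isPathPrefix newPath p) merged;
    # … and skip the new path when an ancestor is already mounted.
    filteredNew = if hasPrefixInList filteredPaths newPath then [] else [ newPath ];
  in filteredPaths ++ filteredNew) [];
# … unchanged: defaultServiceConfig and the service definitions …
```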
nixos/modules/services/x11/desktop-managers/plasma5.nix +2 −1 Original line number Diff line number Diff line Loading @@ -429,7 +429,8 @@ in dolphin-plugins ffmpegthumbs kdegraphics-thumbnailers pkgs.kio-admin kde-inotify-survey kio-admin kio-extras ]; optionalPackages = [ Loading
nixos/tests/kanidm.nix +2 −2 Original line number Diff line number Diff line Loading @@ -44,7 +44,7 @@ import ./make-test-python.nix ({ pkgs, ... }: }; }; networking.hosts."${nodes.server.config.networking.primaryIPAddress}" = [ serverDomain ]; networking.hosts."${nodes.server.networking.primaryIPAddress}" = [ serverDomain ]; security.pki.certificateFiles = [ certs.ca.cert ]; }; Loading @@ -56,7 +56,7 @@ import ./make-test-python.nix ({ pkgs, ... }: # We need access to the config file in the test script. filteredConfig = pkgs.lib.converge (pkgs.lib.filterAttrsRecursive (_: v: v != null)) nodes.server.config.services.kanidm.serverSettings; nodes.server.services.kanidm.serverSettings; serverConfigFile = (pkgs.formats.toml { }).generate "server.toml" filteredConfig; in Loading