nixos/kanidm: add basic provisioning #251598
Conversation
This is really cool. Looking forward to it!
I've pushed some updates to this since kanidm is steadily approaching a stable release by now, and so I thought this might be a good time to revisit this. Changes:
I've chosen to go with person, group and oauth2 provisioning for now, which suffices for classical homelab SSO and OIDC use cases. In theory we can also have unix user/group stuff, ssh key and radius provisioning in the future, but I cut the scope here for now. The NixOS tests for provisioning are not as exhaustive as I'd like them to be, so I'll address this tomorrow. Feel free to leave your suggestions here :)
Alright, I've added extensive tests now, this should be good to go. One thing I noticed is that orphaned claim maps cannot be reliably removed right now, since the required output has only been recently added to kanidm (2 weeks ago). So we need to wait for v1.1.0-rc.17 for that to work, but it doesn't impact any other functionality. I put a comment in the testing code so we can enable the test case once the next version is released.
Ran the test and tested locally, both works as expected.
Thanks, this is great!
This got some merge conflicts due to treewide doc changes.
Thanks for the info, I've rebased it on top of the latest master.
My 5¢ here are that I'm highly skeptical of adding this kind of database provisioning to NixOS, especially with this requiring so many patches as upstream doesn't want to cover provisioning as a use case. IMO this would work better as a separate Flake.
Thanks for the rebase! I have been using the user/group/oauth provisioning (without the patches) in the last month and I'm quite happy with how much easier everything got.
@Flakebi Oh I'm fine with bringing this forward as is, iff people are enthusiastic about it. Just wanted to voice my skepticism.
@oddlama love the work. About the patches: right now they can't be upstreamed, as I've already read the issue that you made on the kanidm repo. Personally I think downstreaming those wouldn't be so much of a problem, though improving clarity (using the description), warning about the fact that those patches are not associated with the kanidm project, and asking that any related issue about provisioning and patches be reported to your repo, for example. @erictapen @Flakebi tell me what you think about it.
Updated to support kanidm 1.2.0. Beware that the tests can currently not run correctly because the CLI logout command is broken in kanidm 1.2.0 (refer to their bug tracker for more information). I've locally verified that the tests still work when executed manually. This should fix itself by waiting, I guess.
Are the lib changes necessary? They add a lot of churn to this PR just shifting things around.
That's just how I usually structure modules when they use a lot of lib, of course it's not necessary :) Another thing I'm not quite sure yet how to handle is the update process for kanidm after this change. I would like this PR to not block the regular updating process for the unpatched kanidm in any way. But the patches are currently living in nixpkgs and the nixos tests will test both the unpatched and the patched variant. If a future update to kanidm comes along, the tests cannot succeed until the patches are updated. Does anyone have an idea on how we can decouple the tests into kanidm tests and "patched" kanidm tests that can run independently?
Re-added
Thanks for updating. Looks good to me, except for two unused options.
Any opinions on this?
Description of changes
This PR adds provisioning of persons, groups and oauth2 systems to kanidm, and allows declarative provisioning of oauth2 basic secrets and admin/idm_admin account credentials.