lldap: update patches
This commit is contained in:
parent
ee93203a08
commit
7e8fc8cd56
5 changed files with 104 additions and 575 deletions
|
|
@ -16,10 +16,7 @@
|
|||
originPkgs = nixpkgs.legacyPackages.${system};
|
||||
shbPatches = originPkgs.lib.optionals (system == "x86_64-linux") [
|
||||
# Get rid of lldap patches when https://github.com/NixOS/nixpkgs/pull/425923 is merged.
|
||||
./patches/0001-lldap-add-options-to-set-important-secrets.patch
|
||||
./patches/0002-lldap-lldap-0.6.1-0.6.2.patch
|
||||
./patches/0003-lldap-bootstrap-init-0.6.2.patch
|
||||
./patches/0004-lldap-add-ensure-options.patch
|
||||
./patches/lldap.patch
|
||||
|
||||
# Leaving commented out as an example.
|
||||
# (originPkgs.fetchpatch {
|
||||
|
|
|
|||
|
|
@ -1,197 +0,0 @@
|
|||
From 3b7d45e30f3dbf329abfb6ba659d10357761e2ab Mon Sep 17 00:00:00 2001
|
||||
From: ibizaman <ibizaman@tiserbox.com>
|
||||
Date: Wed, 16 Jul 2025 03:04:44 +0200
|
||||
Subject: [PATCH 1/4] lldap: add options to set important secrets
|
||||
|
||||
---
|
||||
nixos/modules/services/databases/lldap.nix | 71 +++++++++++++++++++++
|
||||
nixos/tests/lldap.nix | 72 +++++++++++++++++++---
|
||||
2 files changed, 134 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/nixos/modules/services/databases/lldap.nix b/nixos/modules/services/databases/lldap.nix
|
||||
index a9fbe8f7e11a..1607754d7d9c 100644
|
||||
--- a/nixos/modules/services/databases/lldap.nix
|
||||
+++ b/nixos/modules/services/databases/lldap.nix
|
||||
@@ -102,12 +102,83 @@ in
|
||||
default = "sqlite://./users.db?mode=rwc";
|
||||
example = "postgres://postgres-user:password@postgres-server/my-database";
|
||||
};
|
||||
+
|
||||
+ ldap_user_pass_file = mkOption {
|
||||
+ type = types.nullOr types.str;
|
||||
+ default = null;
|
||||
+ description = ''
|
||||
+ Path to a file containing the default admin password.
|
||||
+
|
||||
+ If you want to update the default admin password through this setting,
|
||||
+ you must set `force_ldap_user_pass_reset` to `true`.
|
||||
+ Otherwise changing this setting will have no effect
|
||||
+ unless this is the very first time LLDAP is started and its database is still empty.
|
||||
+ '';
|
||||
+ };
|
||||
+
|
||||
+ force_ldap_user_pass_reset = mkOption {
|
||||
+ type = types.oneOf [
|
||||
+ types.bool
|
||||
+ (types.enum [ "always" ])
|
||||
+ ];
|
||||
+ default = false;
|
||||
+ description = ''
|
||||
+ Force reset of the admin password.
|
||||
+
|
||||
+ Set this setting to `"always"` to update the admin password when `ldap_user_pass_file` changes.
|
||||
+ Setting to `"always"` also means any password update in the UI will be overwritten next time the service restarts.
|
||||
+
|
||||
+ The difference between `true` and `"always"` is the former is intended for a one time fix
|
||||
+ while the latter is intended for a declarative workflow. In practice, the result
|
||||
+ is the same: the password gets reset. The only practical difference is the former
|
||||
+ outputs a warning message while the latter outputs an info message.
|
||||
+ '';
|
||||
+ };
|
||||
+
|
||||
+ jwt_secret_file = mkOption {
|
||||
+ type = types.nullOr types.str;
|
||||
+ default = null;
|
||||
+ description = ''
|
||||
+ Path to a file containing the JWT secret.
|
||||
+ '';
|
||||
+ };
|
||||
};
|
||||
};
|
||||
+
|
||||
+ # TOML does not allow null values, so we use null to omit those fields
|
||||
+ apply = lib.filterAttrsRecursive (_: v: v != null);
|
||||
+ };
|
||||
+
|
||||
+ silenceForceUserPassResetWarning = mkOption {
|
||||
+ type = types.bool;
|
||||
+ default = false;
|
||||
+ description = ''
|
||||
+ Disable warning when the admin password is set declaratively with the `ldap_user_pass_file` setting
|
||||
+ but the `force_ldap_user_pass_reset` is set to `false`.
|
||||
+
|
||||
+ This can lead to the admin password to drift from the one given declaratively.
|
||||
+ If that is okay for you and you want to silence the warning, set this option to `true`.
|
||||
+ '';
|
||||
};
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
+ warnings =
|
||||
+ lib.optionals
|
||||
+ (
|
||||
+ (cfg.settings.ldap_user_pass_file or null) != null
|
||||
+ && cfg.settings.force_ldap_user_pass_reset == false
|
||||
+ && cfg.silenceForceUserPassResetWarning == false
|
||||
+ )
|
||||
+ [
|
||||
+ ''
|
||||
+ lldap: The default admin password is declared with the setting `ldap_user_pass_file`, but `force_ldap_user_pass_reset` is set to `false`.
|
||||
+ This means the admin password can be changed through the UI and will drift from the one defined in your nix config.
|
||||
+ It also means changing the setting `ldap_user_pass_file` will have no effect on the admin password.
|
||||
+ Either set `force_ldap_user_pass_reset` to `"always"` or silence this warning by setting the option `services.lldap.silenceForceUserPassResetWarning` to `true`.
|
||||
+ ''
|
||||
+ ];
|
||||
+
|
||||
systemd.services.lldap = {
|
||||
description = "Lightweight LDAP server (lldap)";
|
||||
wants = [ "network-online.target" ];
|
||||
diff --git a/nixos/tests/lldap.nix b/nixos/tests/lldap.nix
|
||||
index c2e48525a5f3..aea6b2058727 100644
|
||||
--- a/nixos/tests/lldap.nix
|
||||
+++ b/nixos/tests/lldap.nix
|
||||
@@ -1,4 +1,7 @@
|
||||
{ ... }:
|
||||
+let
|
||||
+ adminPassword = "mySecretPassword";
|
||||
+in
|
||||
{
|
||||
name = "lldap";
|
||||
|
||||
@@ -7,23 +10,74 @@
|
||||
{
|
||||
services.lldap = {
|
||||
enable = true;
|
||||
+
|
||||
settings = {
|
||||
verbose = true;
|
||||
ldap_base_dn = "dc=example,dc=com";
|
||||
};
|
||||
};
|
||||
environment.systemPackages = [ pkgs.openldap ];
|
||||
+
|
||||
+ specialisation = {
|
||||
+ differentAdminPassword.configuration =
|
||||
+ { ... }:
|
||||
+ {
|
||||
+ services.lldap.settings = {
|
||||
+ ldap_user_pass_file = toString (pkgs.writeText "adminPasswordFile" adminPassword);
|
||||
+ force_ldap_user_pass_reset = "always";
|
||||
+ };
|
||||
+ };
|
||||
+
|
||||
+ changeAdminPassword.configuration =
|
||||
+ { ... }:
|
||||
+ {
|
||||
+ services.lldap.settings = {
|
||||
+ ldap_user_pass_file = toString (pkgs.writeText "adminPasswordFile" "password");
|
||||
+ force_ldap_user_pass_reset = false;
|
||||
+ };
|
||||
+ };
|
||||
+ };
|
||||
};
|
||||
|
||||
- testScript = ''
|
||||
- machine.wait_for_unit("lldap.service")
|
||||
- machine.wait_for_open_port(3890)
|
||||
- machine.wait_for_open_port(17170)
|
||||
+ testScript =
|
||||
+ { nodes, ... }:
|
||||
+ let
|
||||
+ specializations = "${nodes.machine.system.build.toplevel}/specialisation";
|
||||
+ in
|
||||
+ ''
|
||||
+ machine.wait_for_unit("lldap.service")
|
||||
+ machine.wait_for_open_port(3890)
|
||||
+ machine.wait_for_open_port(17170)
|
||||
+
|
||||
+ machine.succeed("curl --location --fail http://localhost:17170/")
|
||||
+
|
||||
+ adminPassword="${adminPassword}"
|
||||
+
|
||||
+ def try_login(user, password, expect_success=True):
|
||||
+ cmd = f'ldapsearch -H ldap://localhost:3890 -D uid={user},ou=people,dc=example,dc=com -b "ou=people,dc=example,dc=com" -w {password}'
|
||||
+ code, response = machine.execute(cmd)
|
||||
+ print(cmd)
|
||||
+ print(response)
|
||||
+ if expect_success:
|
||||
+ if code != 0:
|
||||
+ raise Exception(f"Expected success, had failure {code}")
|
||||
+ else:
|
||||
+ if code == 0:
|
||||
+ raise Exception("Expected failure, had success")
|
||||
+ return response
|
||||
+
|
||||
+ with subtest("default admin password"):
|
||||
+ try_login("admin", "password", expect_success=True)
|
||||
+ try_login("admin", adminPassword, expect_success=False)
|
||||
|
||||
- machine.succeed("curl --location --fail http://localhost:17170/")
|
||||
+ with subtest("different admin password"):
|
||||
+ machine.succeed('${specializations}/differentAdminPassword/bin/switch-to-configuration test')
|
||||
+ try_login("admin", "password", expect_success=False)
|
||||
+ try_login("admin", adminPassword, expect_success=True)
|
||||
|
||||
- print(
|
||||
- machine.succeed('ldapsearch -H ldap://localhost:3890 -D uid=admin,ou=people,dc=example,dc=com -b "ou=people,dc=example,dc=com" -w password')
|
||||
- )
|
||||
- '';
|
||||
+ with subtest("change admin password has no effect"):
|
||||
+ machine.succeed('${specializations}/differentAdminPassword/bin/switch-to-configuration test')
|
||||
+ try_login("admin", "password", expect_success=False)
|
||||
+ try_login("admin", adminPassword, expect_success=True)
|
||||
+ '';
|
||||
}
|
||||
--
|
||||
2.49.0
|
||||
|
||||
|
|
@ -1,276 +0,0 @@
|
|||
From 995413b11fb7a453ecf1a0c30a64b4a550f1aca3 Mon Sep 17 00:00:00 2001
|
||||
From: ibizaman <ibizaman@tiserbox.com>
|
||||
Date: Tue, 15 Jul 2025 18:42:42 +0200
|
||||
Subject: [PATCH 2/4] lldap: lldap 0.6.1 -> 0.6.2
|
||||
|
||||
---
|
||||
nixos/modules/services/databases/lldap.nix | 43 ++++++++++---
|
||||
nixos/tests/lldap.nix | 8 ++-
|
||||
.../0001-parameterize-frontend-location.patch | 64 -------------------
|
||||
pkgs/by-name/ll/lldap/package.nix | 31 +++++----
|
||||
4 files changed, 56 insertions(+), 90 deletions(-)
|
||||
delete mode 100644 pkgs/by-name/ll/lldap/0001-parameterize-frontend-location.patch
|
||||
|
||||
diff --git a/nixos/modules/services/databases/lldap.nix b/nixos/modules/services/databases/lldap.nix
|
||||
index 1607754d7d9c..1095021b3f35 100644
|
||||
--- a/nixos/modules/services/databases/lldap.nix
|
||||
+++ b/nixos/modules/services/databases/lldap.nix
|
||||
@@ -2,7 +2,6 @@
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
- utils,
|
||||
...
|
||||
}:
|
||||
|
||||
@@ -103,6 +102,16 @@ in
|
||||
example = "postgres://postgres-user:password@postgres-server/my-database";
|
||||
};
|
||||
|
||||
+ ldap_user_pass = mkOption {
|
||||
+ type = types.nullOr types.str;
|
||||
+ default = null;
|
||||
+ description = ''
|
||||
+ Password for default admin password.
|
||||
+
|
||||
+ Unsecure: Use `ldap_user_pass_file` settings instead.
|
||||
+ '';
|
||||
+ };
|
||||
+
|
||||
ldap_user_pass_file = mkOption {
|
||||
type = types.nullOr types.str;
|
||||
default = null;
|
||||
@@ -163,18 +172,32 @@ in
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
+ assertions = [
|
||||
+ {
|
||||
+ assertion =
|
||||
+ (cfg.settings.ldap_user_pass_file or null) != null || (cfg.settings.ldap_user_pass or null) != null;
|
||||
+ message = "lldap: Default admin user password must be set. Please set the `ldap_user_pass` or better the `ldap_user_pass_file` setting.";
|
||||
+ }
|
||||
+ {
|
||||
+ assertion =
|
||||
+ (cfg.settings.ldap_user_pass_file or null) == null || (cfg.settings.ldap_user_pass or null) == null;
|
||||
+ message = "lldap: Both `ldap_user_pass` and `ldap_user_pass_file` settings should not be set at the same time. Set one to `null`.";
|
||||
+ }
|
||||
+ ];
|
||||
+
|
||||
warnings =
|
||||
- lib.optionals
|
||||
- (
|
||||
- (cfg.settings.ldap_user_pass_file or null) != null
|
||||
- && cfg.settings.force_ldap_user_pass_reset == false
|
||||
- && cfg.silenceForceUserPassResetWarning == false
|
||||
- )
|
||||
+ lib.optionals (cfg.settings.ldap_user_pass or null != null) [
|
||||
+ ''
|
||||
+ lldap: Unsecure `ldap_user_pass` setting is used. Prefer `ldap_user_pass_file` instead.
|
||||
+ ''
|
||||
+ ]
|
||||
+ ++ lib.optionals
|
||||
+ (cfg.settings.force_ldap_user_pass_reset == false && cfg.silenceForceUserPassResetWarning == false)
|
||||
[
|
||||
''
|
||||
- lldap: The default admin password is declared with the setting `ldap_user_pass_file`, but `force_ldap_user_pass_reset` is set to `false`.
|
||||
- This means the admin password can be changed through the UI and will drift from the one defined in your nix config.
|
||||
- It also means changing the setting `ldap_user_pass_file` will have no effect on the admin password.
|
||||
+ lldap: The `force_ldap_user_pass_reset` setting is set to `false` which means
|
||||
+ the admin password can be changed through the UI and will drift from the one defined in your nix config.
|
||||
+ It also means changing the setting `ldap_user_pass` or `ldap_user_pass_file` will have no effect on the admin password.
|
||||
Either set `force_ldap_user_pass_reset` to `"always"` or silence this warning by setting the option `services.lldap.silenceForceUserPassResetWarning` to `true`.
|
||||
''
|
||||
];
|
||||
diff --git a/nixos/tests/lldap.nix b/nixos/tests/lldap.nix
|
||||
index aea6b2058727..8e38d4bdefa3 100644
|
||||
--- a/nixos/tests/lldap.nix
|
||||
+++ b/nixos/tests/lldap.nix
|
||||
@@ -6,7 +6,7 @@ in
|
||||
name = "lldap";
|
||||
|
||||
nodes.machine =
|
||||
- { pkgs, ... }:
|
||||
+ { pkgs, lib, ... }:
|
||||
{
|
||||
services.lldap = {
|
||||
enable = true;
|
||||
@@ -14,6 +14,8 @@ in
|
||||
settings = {
|
||||
verbose = true;
|
||||
ldap_base_dn = "dc=example,dc=com";
|
||||
+
|
||||
+ ldap_user_pass = "password";
|
||||
};
|
||||
};
|
||||
environment.systemPackages = [ pkgs.openldap ];
|
||||
@@ -23,7 +25,8 @@ in
|
||||
{ ... }:
|
||||
{
|
||||
services.lldap.settings = {
|
||||
- ldap_user_pass_file = toString (pkgs.writeText "adminPasswordFile" adminPassword);
|
||||
+ ldap_user_pass = lib.mkForce null;
|
||||
+ ldap_user_pass_file = lib.mkForce (toString (pkgs.writeText "adminPasswordFile" adminPassword));
|
||||
force_ldap_user_pass_reset = "always";
|
||||
};
|
||||
};
|
||||
@@ -32,6 +35,7 @@ in
|
||||
{ ... }:
|
||||
{
|
||||
services.lldap.settings = {
|
||||
+ ldap_user_pass = lib.mkForce null;
|
||||
ldap_user_pass_file = toString (pkgs.writeText "adminPasswordFile" "password");
|
||||
force_ldap_user_pass_reset = false;
|
||||
};
|
||||
diff --git a/pkgs/by-name/ll/lldap/0001-parameterize-frontend-location.patch b/pkgs/by-name/ll/lldap/0001-parameterize-frontend-location.patch
|
||||
deleted file mode 100644
|
||||
index c33f5a7afa10..000000000000
|
||||
--- a/pkgs/by-name/ll/lldap/0001-parameterize-frontend-location.patch
|
||||
+++ /dev/null
|
||||
@@ -1,64 +0,0 @@
|
||||
-From a09babb0cd9dd532ad2de920a2a35aa03d740dc6 Mon Sep 17 00:00:00 2001
|
||||
-From: Herwig Hochleitner <herwig@bendlas.net>
|
||||
-Date: Thu, 8 Aug 2024 00:29:14 +0200
|
||||
-Subject: [PATCH] parameterize frontend location
|
||||
-
|
||||
----
|
||||
- server/src/infra/tcp_server.rs | 14 +++++++-------
|
||||
- 1 file changed, 7 insertions(+), 7 deletions(-)
|
||||
-
|
||||
-diff --git a/server/src/infra/tcp_server.rs b/server/src/infra/tcp_server.rs
|
||||
-index fa5f11f..16e64c5 100644
|
||||
---- a/server/src/infra/tcp_server.rs
|
||||
-+++ b/server/src/infra/tcp_server.rs
|
||||
-@@ -25,7 +25,7 @@ use std::sync::RwLock;
|
||||
- use tracing::info;
|
||||
-
|
||||
- async fn index<Backend>(data: web::Data<AppState<Backend>>) -> actix_web::Result<impl Responder> {
|
||||
-- let mut file = std::fs::read_to_string(r"./app/index.html")?;
|
||||
-+ let mut file = std::fs::read_to_string(r"@frontend@/index.html")?;
|
||||
-
|
||||
- if data.server_url.path() != "/" {
|
||||
- file = file.replace(
|
||||
-@@ -80,7 +80,7 @@ pub(crate) fn error_to_http_response(error: TcpError) -> HttpResponse {
|
||||
- async fn main_js_handler<Backend>(
|
||||
- data: web::Data<AppState<Backend>>,
|
||||
- ) -> actix_web::Result<impl Responder> {
|
||||
-- let mut file = std::fs::read_to_string(r"./app/static/main.js")?;
|
||||
-+ let mut file = std::fs::read_to_string(r"@frontend@/static/main.js")?;
|
||||
-
|
||||
- if data.server_url.path() != "/" {
|
||||
- file = file.replace("/pkg/", format!("{}/pkg/", data.server_url.path()).as_str());
|
||||
-@@ -92,12 +92,12 @@ async fn main_js_handler<Backend>(
|
||||
- }
|
||||
-
|
||||
- async fn wasm_handler() -> actix_web::Result<impl Responder> {
|
||||
-- Ok(actix_files::NamedFile::open_async("./app/pkg/lldap_app_bg.wasm").await?)
|
||||
-+ Ok(actix_files::NamedFile::open_async("@frontend@/pkg/lldap_app_bg.wasm").await?)
|
||||
- }
|
||||
-
|
||||
- async fn wasm_handler_compressed() -> actix_web::Result<impl Responder> {
|
||||
- Ok(
|
||||
-- actix_files::NamedFile::open_async("./app/pkg/lldap_app_bg.wasm.gz")
|
||||
-+ actix_files::NamedFile::open_async("@frontend@/pkg/lldap_app_bg.wasm.gz")
|
||||
- .await?
|
||||
- .customize()
|
||||
- .insert_header(header::ContentEncoding::Gzip)
|
||||
-@@ -143,11 +143,11 @@ fn http_config<Backend>(
|
||||
- .service(web::resource("/pkg/lldap_app_bg.wasm").route(web::route().to(wasm_handler)))
|
||||
- .service(web::resource("/static/main.js").route(web::route().to(main_js_handler::<Backend>)))
|
||||
- // Serve the /pkg path with the compiled WASM app.
|
||||
-- .service(Files::new("/pkg", "./app/pkg"))
|
||||
-+ .service(Files::new("/pkg", "@frontend@/pkg"))
|
||||
- // Serve static files
|
||||
-- .service(Files::new("/static", "./app/static"))
|
||||
-+ .service(Files::new("/static", "@frontend@/static"))
|
||||
- // Serve static fonts
|
||||
-- .service(Files::new("/static/fonts", "./app/static/fonts"))
|
||||
-+ .service(Files::new("/static/fonts", "@frontend@/static/fonts"))
|
||||
- // Default to serve index.html for unknown routes, to support routing.
|
||||
- .default_service(web::route().guard(guard::Get()).to(index::<Backend>));
|
||||
- }
|
||||
---
|
||||
-2.45.2
|
||||
-
|
||||
diff --git a/pkgs/by-name/ll/lldap/package.nix b/pkgs/by-name/ll/lldap/package.nix
|
||||
index c335ffa727bf..11f14fdab871 100644
|
||||
--- a/pkgs/by-name/ll/lldap/package.nix
|
||||
+++ b/pkgs/by-name/ll/lldap/package.nix
|
||||
@@ -3,29 +3,30 @@
|
||||
fetchFromGitHub,
|
||||
lib,
|
||||
lldap,
|
||||
+ makeWrapper,
|
||||
nixosTests,
|
||||
rustPlatform,
|
||||
rustc,
|
||||
- wasm-bindgen-cli_0_2_95,
|
||||
+ wasm-bindgen-cli_0_2_100,
|
||||
wasm-pack,
|
||||
which,
|
||||
}:
|
||||
|
||||
let
|
||||
+ version = "0.6.2";
|
||||
|
||||
- commonDerivationAttrs = rec {
|
||||
+ commonDerivationAttrs = {
|
||||
pname = "lldap";
|
||||
- version = "0.6.1";
|
||||
+ inherit version;
|
||||
|
||||
src = fetchFromGitHub {
|
||||
owner = "lldap";
|
||||
repo = "lldap";
|
||||
rev = "v${version}";
|
||||
- hash = "sha256-iQ+Vv9kx/pWHoa/WZChBK+FD2r1avzWWz57bnnzRjUg=";
|
||||
+ hash = "sha256-UBQWOrHika8X24tYdFfY8ETPh9zvI7/HV5j4aK8Uq+Y=";
|
||||
};
|
||||
|
||||
- cargoHash = "sha256-qXYgr9uRswuo9hwVROUX9KUKpkzR0VEcXImbdyOgxsY=";
|
||||
-
|
||||
+ cargoHash = "sha256-SO7+HiiXNB/KF3fjzSMeiTPjRQq/unEfsnplx4kZv9c=";
|
||||
};
|
||||
|
||||
frontend = rustPlatform.buildRustPackage (
|
||||
@@ -35,7 +37,7 @@ let
|
||||
|
||||
nativeBuildInputs = [
|
||||
wasm-pack
|
||||
- wasm-bindgen-cli_0_2_95
|
||||
+ wasm-bindgen-cli_0_2_100
|
||||
binaryen
|
||||
which
|
||||
rustc
|
||||
@@ -68,12 +70,10 @@ rustPlatform.buildRustPackage (
|
||||
"lldap_set_password"
|
||||
];
|
||||
|
||||
- patches = [
|
||||
- ./0001-parameterize-frontend-location.patch
|
||||
- ];
|
||||
-
|
||||
- postPatch = ''
|
||||
- substituteInPlace server/src/infra/tcp_server.rs --subst-var-by frontend '${frontend}'
|
||||
+ nativeBuildInputs = [ makeWrapper ];
|
||||
+ postInstall = ''
|
||||
+ wrapProgram $out/bin/lldap \
|
||||
+ --set LLDAP_ASSETS_PATH ${frontend}
|
||||
'';
|
||||
|
||||
passthru = {
|
||||
@@ -89,7 +89,10 @@ rustPlatform.buildRustPackage (
|
||||
changelog = "https://github.com/lldap/lldap/blob/v${lldap.version}/CHANGELOG.md";
|
||||
license = licenses.gpl3Only;
|
||||
platforms = platforms.linux;
|
||||
- maintainers = with maintainers; [ bendlas ];
|
||||
+ maintainers = with maintainers; [
|
||||
+ bendlas
|
||||
+ ibizaman
|
||||
+ ];
|
||||
mainProgram = "lldap";
|
||||
};
|
||||
}
|
||||
--
|
||||
2.49.0
|
||||
|
||||
|
|
@ -1,76 +0,0 @@
|
|||
From f22a61651199cc6030b0e3ede64fd52996bbe3eb Mon Sep 17 00:00:00 2001
|
||||
From: ibizaman <ibizaman@tiserbox.com>
|
||||
Date: Wed, 13 Aug 2025 08:14:38 +0200
|
||||
Subject: [PATCH 3/4] lldap-bootstrap: init 0.6.2
|
||||
|
||||
---
|
||||
pkgs/by-name/ll/lldap-bootstrap/package.nix | 57 +++++++++++++++++++++
|
||||
1 file changed, 57 insertions(+)
|
||||
create mode 100644 pkgs/by-name/ll/lldap-bootstrap/package.nix
|
||||
|
||||
diff --git a/pkgs/by-name/ll/lldap-bootstrap/package.nix b/pkgs/by-name/ll/lldap-bootstrap/package.nix
|
||||
new file mode 100644
|
||||
index 000000000000..b48099c10e84
|
||||
--- /dev/null
|
||||
+++ b/pkgs/by-name/ll/lldap-bootstrap/package.nix
|
||||
@@ -0,0 +1,57 @@
|
||||
+{
|
||||
+ curl,
|
||||
+ fetchFromGitHub,
|
||||
+ jq,
|
||||
+ jo,
|
||||
+ lib,
|
||||
+ lldap,
|
||||
+ lldap-bootstrap,
|
||||
+ makeWrapper,
|
||||
+ stdenv,
|
||||
+}:
|
||||
+let
|
||||
+ version = "0.6.2";
|
||||
+in
|
||||
+stdenv.mkDerivation {
|
||||
+ pname = "lldap-bootstrap";
|
||||
+ inherit version;
|
||||
+
|
||||
+ src = fetchFromGitHub {
|
||||
+ owner = "lldap";
|
||||
+ repo = "lldap";
|
||||
+ rev = "v${version}";
|
||||
+ hash = "sha256-UBQWOrHika8X24tYdFfY8ETPh9zvI7/HV5j4aK8Uq+Y=";
|
||||
+ };
|
||||
+
|
||||
+ dontBuild = true;
|
||||
+
|
||||
+ nativeBuildInputs = [ makeWrapper ];
|
||||
+
|
||||
+ installPhase = ''
|
||||
+ mkdir -p $out/bin
|
||||
+ cp ./scripts/bootstrap.sh $out/bin/lldap-bootstrap
|
||||
+
|
||||
+ wrapProgram $out/bin/lldap-bootstrap \
|
||||
+ --set LLDAP_SET_PASSWORD_PATH ${lldap}/bin/lldap_set_password \
|
||||
+ --prefix PATH : ${
|
||||
+ lib.makeBinPath [
|
||||
+ curl
|
||||
+ jq
|
||||
+ jo
|
||||
+ ]
|
||||
+ }
|
||||
+ '';
|
||||
+
|
||||
+ meta = {
|
||||
+ description = "Bootstrap script for LLDAP";
|
||||
+ homepage = "https://github.com/lldap/lldap";
|
||||
+ changelog = "https://github.com/lldap/lldap/blob/v${lldap-bootstrap.version}/CHANGELOG.md";
|
||||
+ license = lib.licenses.gpl3Only;
|
||||
+ platforms = lib.platforms.linux;
|
||||
+ maintainers = with lib.maintainers; [
|
||||
+ bendlas
|
||||
+ ibizaman
|
||||
+ ];
|
||||
+ mainProgram = "lldap-bootstrap";
|
||||
+ };
|
||||
+}
|
||||
--
|
||||
2.49.0
|
||||
|
||||
|
|
@ -1,15 +1,89 @@
|
|||
From 714063011540d5ea5f172475cc7db2a4e1c25fa6 Mon Sep 17 00:00:00 2001
|
||||
From 75d2190cde1df122027496bbfcb9eda7d5aab102 Mon Sep 17 00:00:00 2001
|
||||
From: ibizaman <ibizaman@tiserbox.com>
|
||||
Date: Wed, 13 Aug 2025 08:15:12 +0200
|
||||
Subject: [PATCH 4/4] lldap: add ensure options
|
||||
Date: Wed, 13 Aug 2025 08:14:38 +0200
|
||||
Subject: [PATCH 1/2] lldap-bootstrap: init 0.6.2
|
||||
|
||||
---
|
||||
nixos/modules/services/databases/lldap.nix | 355 ++++++++++++++++++++-
|
||||
nixos/tests/lldap.nix | 143 ++++++++-
|
||||
2 files changed, 490 insertions(+), 8 deletions(-)
|
||||
pkgs/by-name/ll/lldap-bootstrap/package.nix | 57 +++++++++++++++++++++
|
||||
1 file changed, 57 insertions(+)
|
||||
create mode 100644 pkgs/by-name/ll/lldap-bootstrap/package.nix
|
||||
|
||||
diff --git a/pkgs/by-name/ll/lldap-bootstrap/package.nix b/pkgs/by-name/ll/lldap-bootstrap/package.nix
|
||||
new file mode 100644
|
||||
index 00000000000000..8b9a915b18f4d9
|
||||
--- /dev/null
|
||||
+++ b/pkgs/by-name/ll/lldap-bootstrap/package.nix
|
||||
@@ -0,0 +1,57 @@
|
||||
+{
|
||||
+ curl,
|
||||
+ fetchFromGitHub,
|
||||
+ jq,
|
||||
+ jo,
|
||||
+ lib,
|
||||
+ lldap,
|
||||
+ lldap-bootstrap,
|
||||
+ makeWrapper,
|
||||
+ stdenv,
|
||||
+}:
|
||||
+let
|
||||
+ version = "0.6.2";
|
||||
+in
|
||||
+stdenv.mkDerivation {
|
||||
+ pname = "lldap-bootstrap";
|
||||
+ inherit version;
|
||||
+
|
||||
+ src = fetchFromGitHub {
|
||||
+ owner = "lldap";
|
||||
+ repo = "lldap";
|
||||
+ rev = "v${version}";
|
||||
+ hash = "sha256-UBQWOrHika8X24tYdFfY8ETPh9zvI7/HV5j4aK8Uq+Y=";
|
||||
+ };
|
||||
+
|
||||
+ dontBuild = true;
|
||||
+
|
||||
+ nativeBuildInputs = [ makeWrapper ];
|
||||
+
|
||||
+ installPhase = ''
|
||||
+ mkdir -p $out/bin
|
||||
+ cp ./scripts/bootstrap.sh $out/bin/lldap-bootstrap
|
||||
+
|
||||
+ wrapProgram $out/bin/lldap-bootstrap \
|
||||
+ --set LLDAP_SET_PASSWORD_PATH ${lldap}/bin/lldap_set_password \
|
||||
+ --prefix PATH : ${
|
||||
+ lib.makeBinPath [
|
||||
+ curl
|
||||
+ jq
|
||||
+ jo
|
||||
+ ]
|
||||
+ }
|
||||
+ '';
|
||||
+
|
||||
+ meta = {
|
||||
+ description = "Bootstrap script for LLDAP";
|
||||
+ homepage = "https://github.com/lldap/lldap";
|
||||
+ changelog = "https://github.com/lldap/lldap/blob/v${lldap-bootstrap.version}/CHANGELOG.md";
|
||||
+ license = lib.licenses.gpl3Only;
|
||||
+ platforms = lib.platforms.linux;
|
||||
+ maintainers = with lib.maintainers; [
|
||||
+ bendlas
|
||||
+ ibizaman
|
||||
+ ];
|
||||
+ mainProgram = "lldap-bootstrap";
|
||||
+ };
|
||||
+}
|
||||
|
||||
From 6d55fbc42a2d71b6d7ad29c84c1c0774971f9f6a Mon Sep 17 00:00:00 2001
|
||||
From: ibizaman <ibizaman@tiserbox.com>
|
||||
Date: Wed, 13 Aug 2025 08:15:12 +0200
|
||||
Subject: [PATCH 2/2] lldap: add ensure options
|
||||
|
||||
---
|
||||
nixos/modules/services/databases/lldap.nix | 372 ++++++++++++++++++++-
|
||||
nixos/tests/lldap.nix | 143 +++++++-
|
||||
2 files changed, 498 insertions(+), 17 deletions(-)
|
||||
|
||||
diff --git a/nixos/modules/services/databases/lldap.nix b/nixos/modules/services/databases/lldap.nix
|
||||
index 1095021b3f35..6b5d2be44f43 100644
|
||||
index 3738dba506a707..6b5d2be44f4373 100644
|
||||
--- a/nixos/modules/services/databases/lldap.nix
|
||||
+++ b/nixos/modules/services/databases/lldap.nix
|
||||
@@ -8,6 +8,84 @@
|
||||
|
|
@ -305,7 +379,7 @@ index 1095021b3f35..6b5d2be44f43 100644
|
|||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
@@ -183,15 +455,60 @@ in
|
||||
@@ -183,25 +455,77 @@ in
|
||||
(cfg.settings.ldap_user_pass_file or null) == null || (cfg.settings.ldap_user_pass or null) == null;
|
||||
message = "lldap: Both `ldap_user_pass` and `ldap_user_pass_file` settings should not be set at the same time. Set one to `null`.";
|
||||
}
|
||||
|
|
@ -363,17 +437,27 @@ index 1095021b3f35..6b5d2be44f43 100644
|
|||
lldap: Unsecure `ldap_user_pass` setting is used. Prefer `ldap_user_pass_file` instead.
|
||||
''
|
||||
- ]
|
||||
- ++ lib.optionals
|
||||
- ++
|
||||
- lib.optionals
|
||||
- (cfg.settings.force_ldap_user_pass_reset == false && cfg.silenceForceUserPassResetWarning == false)
|
||||
- [
|
||||
- ''
|
||||
- lldap: The `force_ldap_user_pass_reset` setting is set to `false` which means
|
||||
- the admin password can be changed through the UI and will drift from the one defined in your nix config.
|
||||
- It also means changing the setting `ldap_user_pass` or `ldap_user_pass_file` will have no effect on the admin password.
|
||||
- Either set `force_ldap_user_pass_reset` to `"always"` or silence this warning by setting the option `services.lldap.silenceForceUserPassResetWarning` to `true`.
|
||||
- ''
|
||||
- ];
|
||||
+ ])
|
||||
+ ++ (lib.optionals
|
||||
(cfg.settings.force_ldap_user_pass_reset == false && cfg.silenceForceUserPassResetWarning == false)
|
||||
[
|
||||
''
|
||||
@@ -200,7 +517,15 @@ in
|
||||
It also means changing the setting `ldap_user_pass` or `ldap_user_pass_file` will have no effect on the admin password.
|
||||
Either set `force_ldap_user_pass_reset` to `"always"` or silence this warning by setting the option `services.lldap.silenceForceUserPassResetWarning` to `true`.
|
||||
''
|
||||
- ];
|
||||
+ (cfg.settings.force_ldap_user_pass_reset == false && cfg.silenceForceUserPassResetWarning == false)
|
||||
+ [
|
||||
+ ''
|
||||
+ lldap: The `force_ldap_user_pass_reset` setting is set to `false` which means
|
||||
+ the admin password can be changed through the UI and will drift from the one defined in your nix config.
|
||||
+ It also means changing the setting `ldap_user_pass` or `ldap_user_pass_file` will have no effect on the admin password.
|
||||
+ Either set `force_ldap_user_pass_reset` to `"always"` or silence this warning by setting the option `services.lldap.silenceForceUserPassResetWarning` to `true`.
|
||||
+ ''
|
||||
+ ]
|
||||
+ )
|
||||
+ ++ (lib.optionals (!cfg.enforceUserMemberships && someUsersBelongToNonEnsuredGroup) [
|
||||
|
|
@ -386,7 +470,7 @@ index 1095021b3f35..6b5d2be44f43 100644
|
|||
|
||||
systemd.services.lldap = {
|
||||
description = "Lightweight LDAP server (lldap)";
|
||||
@@ -223,6 +548,28 @@ in
|
||||
@@ -224,6 +548,28 @@ in
|
||||
+ ''
|
||||
${lib.getExe cfg.package} run --config-file ${format.generate "lldap_config.toml" cfg.settings}
|
||||
'';
|
||||
|
|
@ -416,7 +500,7 @@ index 1095021b3f35..6b5d2be44f43 100644
|
|||
StateDirectory = "lldap";
|
||||
StateDirectoryMode = "0750";
|
||||
diff --git a/nixos/tests/lldap.nix b/nixos/tests/lldap.nix
|
||||
index 8e38d4bdefa3..47d32c7a2a7b 100644
|
||||
index 8e38d4bdefa31d..47d32c7a2a7bbc 100644
|
||||
--- a/nixos/tests/lldap.nix
|
||||
+++ b/nixos/tests/lldap.nix
|
||||
@@ -1,6 +1,9 @@
|
||||
|
|
@ -613,6 +697,3 @@ index 8e38d4bdefa3..47d32c7a2a7b 100644
|
|||
+ raise Exception(f'Unexpected value for attribute "mygroupattribute": {othergroup.get('mygroupattribute')}')
|
||||
'';
|
||||
}
|
||||
--
|
||||
2.49.0
|
||||
|
||||
Loading…
Reference in a new issue