From 7e8fc8cd56d6bbe24020b538853d74b8cca82dc4 Mon Sep 17 00:00:00 2001 From: ibizaman Date: Sun, 31 Aug 2025 21:48:26 +0200 Subject: [PATCH] lldap: update patches --- flake.nix | 5 +- ...add-options-to-set-important-secrets.patch | 197 ------------- patches/0002-lldap-lldap-0.6.1-0.6.2.patch | 276 ------------------ patches/0003-lldap-bootstrap-init-0.6.2.patch | 76 ----- ...p-add-ensure-options.patch => lldap.patch} | 125 ++++++-- 5 files changed, 104 insertions(+), 575 deletions(-) delete mode 100644 patches/0001-lldap-add-options-to-set-important-secrets.patch delete mode 100644 patches/0002-lldap-lldap-0.6.1-0.6.2.patch delete mode 100644 patches/0003-lldap-bootstrap-init-0.6.2.patch rename patches/{0004-lldap-add-ensure-options.patch => lldap.patch} (86%) diff --git a/flake.nix b/flake.nix index 0d5398f..e44c82e 100644 --- a/flake.nix +++ b/flake.nix @@ -16,10 +16,7 @@ originPkgs = nixpkgs.legacyPackages.${system}; shbPatches = originPkgs.lib.optionals (system == "x86_64-linux") [ # Get rid of lldap patches when https://github.com/NixOS/nixpkgs/pull/425923 is merged. - ./patches/0001-lldap-add-options-to-set-important-secrets.patch - ./patches/0002-lldap-lldap-0.6.1-0.6.2.patch - ./patches/0003-lldap-bootstrap-init-0.6.2.patch - ./patches/0004-lldap-add-ensure-options.patch + ./patches/lldap.patch # Leaving commented out as an example. # (originPkgs.fetchpatch { diff --git a/patches/0001-lldap-add-options-to-set-important-secrets.patch b/patches/0001-lldap-add-options-to-set-important-secrets.patch deleted file mode 100644 index cd7c847..0000000 --- a/patches/0001-lldap-add-options-to-set-important-secrets.patch +++ /dev/null @@ -1,197 +0,0 @@ -From 3b7d45e30f3dbf329abfb6ba659d10357761e2ab Mon Sep 17 00:00:00 2001 -From: ibizaman -Date: Wed, 16 Jul 2025 03:04:44 +0200 -Subject: [PATCH 1/4] lldap: add options to set important secrets - ---- - nixos/modules/services/databases/lldap.nix | 71 +++++++++++++++++++++ - nixos/tests/lldap.nix | 72 +++++++++++++++++++--- - 2 files changed, 134 insertions(+), 9 deletions(-) - -diff --git a/nixos/modules/services/databases/lldap.nix b/nixos/modules/services/databases/lldap.nix -index a9fbe8f7e11a..1607754d7d9c 100644 ---- a/nixos/modules/services/databases/lldap.nix -+++ b/nixos/modules/services/databases/lldap.nix -@@ -102,12 +102,83 @@ in - default = "sqlite://./users.db?mode=rwc"; - example = "postgres://postgres-user:password@postgres-server/my-database"; - }; -+ -+ ldap_user_pass_file = mkOption { -+ type = types.nullOr types.str; -+ default = null; -+ description = '' -+ Path to a file containing the default admin password. -+ -+ If you want to update the default admin password through this setting, -+ you must set `force_ldap_user_pass_reset` to `true`. -+ Otherwise changing this setting will have no effect -+ unless this is the very first time LLDAP is started and its database is still empty. -+ ''; -+ }; -+ -+ force_ldap_user_pass_reset = mkOption { -+ type = types.oneOf [ -+ types.bool -+ (types.enum [ "always" ]) -+ ]; -+ default = false; -+ description = '' -+ Force reset of the admin password. -+ -+ Set this setting to `"always"` to update the admin password when `ldap_user_pass_file` changes. -+ Setting to `"always"` also means any password update in the UI will be overwritten next time the service restarts. -+ -+ The difference between `true` and `"always"` is the former is intended for a one time fix -+ while the latter is intended for a declarative workflow. In practice, the result -+ is the same: the password gets reset. The only practical difference is the former -+ outputs a warning message while the latter outputs an info message. -+ ''; -+ }; -+ -+ jwt_secret_file = mkOption { -+ type = types.nullOr types.str; -+ default = null; -+ description = '' -+ Path to a file containing the JWT secret. -+ ''; -+ }; - }; - }; -+ -+ # TOML does not allow null values, so we use null to omit those fields -+ apply = lib.filterAttrsRecursive (_: v: v != null); -+ }; -+ -+ silenceForceUserPassResetWarning = mkOption { -+ type = types.bool; -+ default = false; -+ description = '' -+ Disable warning when the admin password is set declaratively with the `ldap_user_pass_file` setting -+ but the `force_ldap_user_pass_reset` is set to `false`. -+ -+ This can lead to the admin password to drift from the one given declaratively. -+ If that is okay for you and you want to silence the warning, set this option to `true`. -+ ''; - }; - }; - - config = lib.mkIf cfg.enable { -+ warnings = -+ lib.optionals -+ ( -+ (cfg.settings.ldap_user_pass_file or null) != null -+ && cfg.settings.force_ldap_user_pass_reset == false -+ && cfg.silenceForceUserPassResetWarning == false -+ ) -+ [ -+ '' -+ lldap: The default admin password is declared with the setting `ldap_user_pass_file`, but `force_ldap_user_pass_reset` is set to `false`. -+ This means the admin password can be changed through the UI and will drift from the one defined in your nix config. -+ It also means changing the setting `ldap_user_pass_file` will have no effect on the admin password. -+ Either set `force_ldap_user_pass_reset` to `"always"` or silence this warning by setting the option `services.lldap.silenceForceUserPassResetWarning` to `true`. -+ '' -+ ]; -+ - systemd.services.lldap = { - description = "Lightweight LDAP server (lldap)"; - wants = [ "network-online.target" ]; -diff --git a/nixos/tests/lldap.nix b/nixos/tests/lldap.nix -index c2e48525a5f3..aea6b2058727 100644 ---- a/nixos/tests/lldap.nix -+++ b/nixos/tests/lldap.nix -@@ -1,4 +1,7 @@ - { ... }: -+let -+ adminPassword = "mySecretPassword"; -+in - { - name = "lldap"; - -@@ -7,23 +10,74 @@ - { - services.lldap = { - enable = true; -+ - settings = { - verbose = true; - ldap_base_dn = "dc=example,dc=com"; - }; - }; - environment.systemPackages = [ pkgs.openldap ]; -+ -+ specialisation = { -+ differentAdminPassword.configuration = -+ { ... }: -+ { -+ services.lldap.settings = { -+ ldap_user_pass_file = toString (pkgs.writeText "adminPasswordFile" adminPassword); -+ force_ldap_user_pass_reset = "always"; -+ }; -+ }; -+ -+ changeAdminPassword.configuration = -+ { ... }: -+ { -+ services.lldap.settings = { -+ ldap_user_pass_file = toString (pkgs.writeText "adminPasswordFile" "password"); -+ force_ldap_user_pass_reset = false; -+ }; -+ }; -+ }; - }; - -- testScript = '' -- machine.wait_for_unit("lldap.service") -- machine.wait_for_open_port(3890) -- machine.wait_for_open_port(17170) -+ testScript = -+ { nodes, ... }: -+ let -+ specializations = "${nodes.machine.system.build.toplevel}/specialisation"; -+ in -+ '' -+ machine.wait_for_unit("lldap.service") -+ machine.wait_for_open_port(3890) -+ machine.wait_for_open_port(17170) -+ -+ machine.succeed("curl --location --fail http://localhost:17170/") -+ -+ adminPassword="${adminPassword}" -+ -+ def try_login(user, password, expect_success=True): -+ cmd = f'ldapsearch -H ldap://localhost:3890 -D uid={user},ou=people,dc=example,dc=com -b "ou=people,dc=example,dc=com" -w {password}' -+ code, response = machine.execute(cmd) -+ print(cmd) -+ print(response) -+ if expect_success: -+ if code != 0: -+ raise Exception(f"Expected success, had failure {code}") -+ else: -+ if code == 0: -+ raise Exception("Expected failure, had success") -+ return response -+ -+ with subtest("default admin password"): -+ try_login("admin", "password", expect_success=True) -+ try_login("admin", adminPassword, expect_success=False) - -- machine.succeed("curl --location --fail http://localhost:17170/") -+ with subtest("different admin password"): -+ machine.succeed('${specializations}/differentAdminPassword/bin/switch-to-configuration test') -+ try_login("admin", "password", expect_success=False) -+ try_login("admin", adminPassword, expect_success=True) - -- print( -- machine.succeed('ldapsearch -H ldap://localhost:3890 -D uid=admin,ou=people,dc=example,dc=com -b "ou=people,dc=example,dc=com" -w password') -- ) -- ''; -+ with subtest("change admin password has no effect"): -+ machine.succeed('${specializations}/differentAdminPassword/bin/switch-to-configuration test') -+ try_login("admin", "password", expect_success=False) -+ try_login("admin", adminPassword, expect_success=True) -+ ''; - } --- -2.49.0 - diff --git a/patches/0002-lldap-lldap-0.6.1-0.6.2.patch b/patches/0002-lldap-lldap-0.6.1-0.6.2.patch deleted file mode 100644 index 7d1b57d..0000000 --- a/patches/0002-lldap-lldap-0.6.1-0.6.2.patch +++ /dev/null @@ -1,276 +0,0 @@ -From 995413b11fb7a453ecf1a0c30a64b4a550f1aca3 Mon Sep 17 00:00:00 2001 -From: ibizaman -Date: Tue, 15 Jul 2025 18:42:42 +0200 -Subject: [PATCH 2/4] lldap: lldap 0.6.1 -> 0.6.2 - ---- - nixos/modules/services/databases/lldap.nix | 43 ++++++++++--- - nixos/tests/lldap.nix | 8 ++- - .../0001-parameterize-frontend-location.patch | 64 ------------------- - pkgs/by-name/ll/lldap/package.nix | 31 +++++---- - 4 files changed, 56 insertions(+), 90 deletions(-) - delete mode 100644 pkgs/by-name/ll/lldap/0001-parameterize-frontend-location.patch - -diff --git a/nixos/modules/services/databases/lldap.nix b/nixos/modules/services/databases/lldap.nix -index 1607754d7d9c..1095021b3f35 100644 ---- a/nixos/modules/services/databases/lldap.nix -+++ b/nixos/modules/services/databases/lldap.nix -@@ -2,7 +2,6 @@ - config, - lib, - pkgs, -- utils, - ... - }: - -@@ -103,6 +102,16 @@ in - example = "postgres://postgres-user:password@postgres-server/my-database"; - }; - -+ ldap_user_pass = mkOption { -+ type = types.nullOr types.str; -+ default = null; -+ description = '' -+ Password for default admin password. -+ -+ Unsecure: Use `ldap_user_pass_file` settings instead. -+ ''; -+ }; -+ - ldap_user_pass_file = mkOption { - type = types.nullOr types.str; - default = null; -@@ -163,18 +172,32 @@ in - }; - - config = lib.mkIf cfg.enable { -+ assertions = [ -+ { -+ assertion = -+ (cfg.settings.ldap_user_pass_file or null) != null || (cfg.settings.ldap_user_pass or null) != null; -+ message = "lldap: Default admin user password must be set. Please set the `ldap_user_pass` or better the `ldap_user_pass_file` setting."; -+ } -+ { -+ assertion = -+ (cfg.settings.ldap_user_pass_file or null) == null || (cfg.settings.ldap_user_pass or null) == null; -+ message = "lldap: Both `ldap_user_pass` and `ldap_user_pass_file` settings should not be set at the same time. Set one to `null`."; -+ } -+ ]; -+ - warnings = -- lib.optionals -- ( -- (cfg.settings.ldap_user_pass_file or null) != null -- && cfg.settings.force_ldap_user_pass_reset == false -- && cfg.silenceForceUserPassResetWarning == false -- ) -+ lib.optionals (cfg.settings.ldap_user_pass or null != null) [ -+ '' -+ lldap: Unsecure `ldap_user_pass` setting is used. Prefer `ldap_user_pass_file` instead. -+ '' -+ ] -+ ++ lib.optionals -+ (cfg.settings.force_ldap_user_pass_reset == false && cfg.silenceForceUserPassResetWarning == false) - [ - '' -- lldap: The default admin password is declared with the setting `ldap_user_pass_file`, but `force_ldap_user_pass_reset` is set to `false`. -- This means the admin password can be changed through the UI and will drift from the one defined in your nix config. -- It also means changing the setting `ldap_user_pass_file` will have no effect on the admin password. -+ lldap: The `force_ldap_user_pass_reset` setting is set to `false` which means -+ the admin password can be changed through the UI and will drift from the one defined in your nix config. -+ It also means changing the setting `ldap_user_pass` or `ldap_user_pass_file` will have no effect on the admin password. - Either set `force_ldap_user_pass_reset` to `"always"` or silence this warning by setting the option `services.lldap.silenceForceUserPassResetWarning` to `true`. - '' - ]; -diff --git a/nixos/tests/lldap.nix b/nixos/tests/lldap.nix -index aea6b2058727..8e38d4bdefa3 100644 ---- a/nixos/tests/lldap.nix -+++ b/nixos/tests/lldap.nix -@@ -6,7 +6,7 @@ in - name = "lldap"; - - nodes.machine = -- { pkgs, ... }: -+ { pkgs, lib, ... }: - { - services.lldap = { - enable = true; -@@ -14,6 +14,8 @@ in - settings = { - verbose = true; - ldap_base_dn = "dc=example,dc=com"; -+ -+ ldap_user_pass = "password"; - }; - }; - environment.systemPackages = [ pkgs.openldap ]; -@@ -23,7 +25,8 @@ in - { ... }: - { - services.lldap.settings = { -- ldap_user_pass_file = toString (pkgs.writeText "adminPasswordFile" adminPassword); -+ ldap_user_pass = lib.mkForce null; -+ ldap_user_pass_file = lib.mkForce (toString (pkgs.writeText "adminPasswordFile" adminPassword)); - force_ldap_user_pass_reset = "always"; - }; - }; -@@ -32,6 +35,7 @@ in - { ... }: - { - services.lldap.settings = { -+ ldap_user_pass = lib.mkForce null; - ldap_user_pass_file = toString (pkgs.writeText "adminPasswordFile" "password"); - force_ldap_user_pass_reset = false; - }; -diff --git a/pkgs/by-name/ll/lldap/0001-parameterize-frontend-location.patch b/pkgs/by-name/ll/lldap/0001-parameterize-frontend-location.patch -deleted file mode 100644 -index c33f5a7afa10..000000000000 ---- a/pkgs/by-name/ll/lldap/0001-parameterize-frontend-location.patch -+++ /dev/null -@@ -1,64 +0,0 @@ --From a09babb0cd9dd532ad2de920a2a35aa03d740dc6 Mon Sep 17 00:00:00 2001 --From: Herwig Hochleitner --Date: Thu, 8 Aug 2024 00:29:14 +0200 --Subject: [PATCH] parameterize frontend location -- ----- -- server/src/infra/tcp_server.rs | 14 +++++++------- -- 1 file changed, 7 insertions(+), 7 deletions(-) -- --diff --git a/server/src/infra/tcp_server.rs b/server/src/infra/tcp_server.rs --index fa5f11f..16e64c5 100644 ----- a/server/src/infra/tcp_server.rs --+++ b/server/src/infra/tcp_server.rs --@@ -25,7 +25,7 @@ use std::sync::RwLock; -- use tracing::info; -- -- async fn index(data: web::Data>) -> actix_web::Result { --- let mut file = std::fs::read_to_string(r"./app/index.html")?; --+ let mut file = std::fs::read_to_string(r"@frontend@/index.html")?; -- -- if data.server_url.path() != "/" { -- file = file.replace( --@@ -80,7 +80,7 @@ pub(crate) fn error_to_http_response(error: TcpError) -> HttpResponse { -- async fn main_js_handler( -- data: web::Data>, -- ) -> actix_web::Result { --- let mut file = std::fs::read_to_string(r"./app/static/main.js")?; --+ let mut file = std::fs::read_to_string(r"@frontend@/static/main.js")?; -- -- if data.server_url.path() != "/" { -- file = file.replace("/pkg/", format!("{}/pkg/", data.server_url.path()).as_str()); --@@ -92,12 +92,12 @@ async fn main_js_handler( -- } -- -- async fn wasm_handler() -> actix_web::Result { --- Ok(actix_files::NamedFile::open_async("./app/pkg/lldap_app_bg.wasm").await?) --+ Ok(actix_files::NamedFile::open_async("@frontend@/pkg/lldap_app_bg.wasm").await?) -- } -- -- async fn wasm_handler_compressed() -> actix_web::Result { -- Ok( --- actix_files::NamedFile::open_async("./app/pkg/lldap_app_bg.wasm.gz") --+ actix_files::NamedFile::open_async("@frontend@/pkg/lldap_app_bg.wasm.gz") -- .await? -- .customize() -- .insert_header(header::ContentEncoding::Gzip) --@@ -143,11 +143,11 @@ fn http_config( -- .service(web::resource("/pkg/lldap_app_bg.wasm").route(web::route().to(wasm_handler))) -- .service(web::resource("/static/main.js").route(web::route().to(main_js_handler::))) -- // Serve the /pkg path with the compiled WASM app. --- .service(Files::new("/pkg", "./app/pkg")) --+ .service(Files::new("/pkg", "@frontend@/pkg")) -- // Serve static files --- .service(Files::new("/static", "./app/static")) --+ .service(Files::new("/static", "@frontend@/static")) -- // Serve static fonts --- .service(Files::new("/static/fonts", "./app/static/fonts")) --+ .service(Files::new("/static/fonts", "@frontend@/static/fonts")) -- // Default to serve index.html for unknown routes, to support routing. -- .default_service(web::route().guard(guard::Get()).to(index::)); -- } ---- --2.45.2 -- -diff --git a/pkgs/by-name/ll/lldap/package.nix b/pkgs/by-name/ll/lldap/package.nix -index c335ffa727bf..11f14fdab871 100644 ---- a/pkgs/by-name/ll/lldap/package.nix -+++ b/pkgs/by-name/ll/lldap/package.nix -@@ -3,29 +3,30 @@ - fetchFromGitHub, - lib, - lldap, -+ makeWrapper, - nixosTests, - rustPlatform, - rustc, -- wasm-bindgen-cli_0_2_95, -+ wasm-bindgen-cli_0_2_100, - wasm-pack, - which, - }: - - let -+ version = "0.6.2"; - -- commonDerivationAttrs = rec { -+ commonDerivationAttrs = { - pname = "lldap"; -- version = "0.6.1"; -+ inherit version; - - src = fetchFromGitHub { - owner = "lldap"; - repo = "lldap"; - rev = "v${version}"; -- hash = "sha256-iQ+Vv9kx/pWHoa/WZChBK+FD2r1avzWWz57bnnzRjUg="; -+ hash = "sha256-UBQWOrHika8X24tYdFfY8ETPh9zvI7/HV5j4aK8Uq+Y="; - }; - -- cargoHash = "sha256-qXYgr9uRswuo9hwVROUX9KUKpkzR0VEcXImbdyOgxsY="; -- -+ cargoHash = "sha256-SO7+HiiXNB/KF3fjzSMeiTPjRQq/unEfsnplx4kZv9c="; - }; - - frontend = rustPlatform.buildRustPackage ( -@@ -35,7 +37,7 @@ let - - nativeBuildInputs = [ - wasm-pack -- wasm-bindgen-cli_0_2_95 -+ wasm-bindgen-cli_0_2_100 - binaryen - which - rustc -@@ -68,12 +70,10 @@ rustPlatform.buildRustPackage ( - "lldap_set_password" - ]; - -- patches = [ -- ./0001-parameterize-frontend-location.patch -- ]; -- -- postPatch = '' -- substituteInPlace server/src/infra/tcp_server.rs --subst-var-by frontend '${frontend}' -+ nativeBuildInputs = [ makeWrapper ]; -+ postInstall = '' -+ wrapProgram $out/bin/lldap \ -+ --set LLDAP_ASSETS_PATH ${frontend} - ''; - - passthru = { -@@ -89,7 +89,10 @@ rustPlatform.buildRustPackage ( - changelog = "https://github.com/lldap/lldap/blob/v${lldap.version}/CHANGELOG.md"; - license = licenses.gpl3Only; - platforms = platforms.linux; -- maintainers = with maintainers; [ bendlas ]; -+ maintainers = with maintainers; [ -+ bendlas -+ ibizaman -+ ]; - mainProgram = "lldap"; - }; - } --- -2.49.0 - diff --git a/patches/0003-lldap-bootstrap-init-0.6.2.patch b/patches/0003-lldap-bootstrap-init-0.6.2.patch deleted file mode 100644 index c177909..0000000 --- a/patches/0003-lldap-bootstrap-init-0.6.2.patch +++ /dev/null @@ -1,76 +0,0 @@ -From f22a61651199cc6030b0e3ede64fd52996bbe3eb Mon Sep 17 00:00:00 2001 -From: ibizaman -Date: Wed, 13 Aug 2025 08:14:38 +0200 -Subject: [PATCH 3/4] lldap-bootstrap: init 0.6.2 - ---- - pkgs/by-name/ll/lldap-bootstrap/package.nix | 57 +++++++++++++++++++++ - 1 file changed, 57 insertions(+) - create mode 100644 pkgs/by-name/ll/lldap-bootstrap/package.nix - -diff --git a/pkgs/by-name/ll/lldap-bootstrap/package.nix b/pkgs/by-name/ll/lldap-bootstrap/package.nix -new file mode 100644 -index 000000000000..b48099c10e84 ---- /dev/null -+++ b/pkgs/by-name/ll/lldap-bootstrap/package.nix -@@ -0,0 +1,57 @@ -+{ -+ curl, -+ fetchFromGitHub, -+ jq, -+ jo, -+ lib, -+ lldap, -+ lldap-bootstrap, -+ makeWrapper, -+ stdenv, -+}: -+let -+ version = "0.6.2"; -+in -+stdenv.mkDerivation { -+ pname = "lldap-bootstrap"; -+ inherit version; -+ -+ src = fetchFromGitHub { -+ owner = "lldap"; -+ repo = "lldap"; -+ rev = "v${version}"; -+ hash = "sha256-UBQWOrHika8X24tYdFfY8ETPh9zvI7/HV5j4aK8Uq+Y="; -+ }; -+ -+ dontBuild = true; -+ -+ nativeBuildInputs = [ makeWrapper ]; -+ -+ installPhase = '' -+ mkdir -p $out/bin -+ cp ./scripts/bootstrap.sh $out/bin/lldap-bootstrap -+ -+ wrapProgram $out/bin/lldap-bootstrap \ -+ --set LLDAP_SET_PASSWORD_PATH ${lldap}/bin/lldap_set_password \ -+ --prefix PATH : ${ -+ lib.makeBinPath [ -+ curl -+ jq -+ jo -+ ] -+ } -+ ''; -+ -+ meta = { -+ description = "Bootstrap script for LLDAP"; -+ homepage = "https://github.com/lldap/lldap"; -+ changelog = "https://github.com/lldap/lldap/blob/v${lldap-bootstrap.version}/CHANGELOG.md"; -+ license = lib.licenses.gpl3Only; -+ platforms = lib.platforms.linux; -+ maintainers = with lib.maintainers; [ -+ bendlas -+ ibizaman -+ ]; -+ mainProgram = "lldap-bootstrap"; -+ }; -+} --- -2.49.0 - diff --git a/patches/0004-lldap-add-ensure-options.patch b/patches/lldap.patch similarity index 86% rename from patches/0004-lldap-add-ensure-options.patch rename to patches/lldap.patch index 7332644..e9c36c8 100644 --- a/patches/0004-lldap-add-ensure-options.patch +++ b/patches/lldap.patch @@ -1,15 +1,89 @@ -From 714063011540d5ea5f172475cc7db2a4e1c25fa6 Mon Sep 17 00:00:00 2001 +From 75d2190cde1df122027496bbfcb9eda7d5aab102 Mon Sep 17 00:00:00 2001 From: ibizaman -Date: Wed, 13 Aug 2025 08:15:12 +0200 -Subject: [PATCH 4/4] lldap: add ensure options +Date: Wed, 13 Aug 2025 08:14:38 +0200 +Subject: [PATCH 1/2] lldap-bootstrap: init 0.6.2 --- - nixos/modules/services/databases/lldap.nix | 355 ++++++++++++++++++++- - nixos/tests/lldap.nix | 143 ++++++++- - 2 files changed, 490 insertions(+), 8 deletions(-) + pkgs/by-name/ll/lldap-bootstrap/package.nix | 57 +++++++++++++++++++++ + 1 file changed, 57 insertions(+) + create mode 100644 pkgs/by-name/ll/lldap-bootstrap/package.nix + +diff --git a/pkgs/by-name/ll/lldap-bootstrap/package.nix b/pkgs/by-name/ll/lldap-bootstrap/package.nix +new file mode 100644 +index 00000000000000..8b9a915b18f4d9 +--- /dev/null ++++ b/pkgs/by-name/ll/lldap-bootstrap/package.nix +@@ -0,0 +1,57 @@ ++{ ++ curl, ++ fetchFromGitHub, ++ jq, ++ jo, ++ lib, ++ lldap, ++ lldap-bootstrap, ++ makeWrapper, ++ stdenv, ++}: ++let ++ version = "0.6.2"; ++in ++stdenv.mkDerivation { ++ pname = "lldap-bootstrap"; ++ inherit version; ++ ++ src = fetchFromGitHub { ++ owner = "lldap"; ++ repo = "lldap"; ++ rev = "v${version}"; ++ hash = "sha256-UBQWOrHika8X24tYdFfY8ETPh9zvI7/HV5j4aK8Uq+Y="; ++ }; ++ ++ dontBuild = true; ++ ++ nativeBuildInputs = [ makeWrapper ]; ++ ++ installPhase = '' ++ mkdir -p $out/bin ++ cp ./scripts/bootstrap.sh $out/bin/lldap-bootstrap ++ ++ wrapProgram $out/bin/lldap-bootstrap \ ++ --set LLDAP_SET_PASSWORD_PATH ${lldap}/bin/lldap_set_password \ ++ --prefix PATH : ${ ++ lib.makeBinPath [ ++ curl ++ jq ++ jo ++ ] ++ } ++ ''; ++ ++ meta = { ++ description = "Bootstrap script for LLDAP"; ++ homepage = "https://github.com/lldap/lldap"; ++ changelog = "https://github.com/lldap/lldap/blob/v${lldap-bootstrap.version}/CHANGELOG.md"; ++ license = lib.licenses.gpl3Only; ++ platforms = lib.platforms.linux; ++ maintainers = with lib.maintainers; [ ++ bendlas ++ ibizaman ++ ]; ++ mainProgram = "lldap-bootstrap"; ++ }; ++} + +From 6d55fbc42a2d71b6d7ad29c84c1c0774971f9f6a Mon Sep 17 00:00:00 2001 +From: ibizaman +Date: Wed, 13 Aug 2025 08:15:12 +0200 +Subject: [PATCH 2/2] lldap: add ensure options + +--- + nixos/modules/services/databases/lldap.nix | 372 ++++++++++++++++++++- + nixos/tests/lldap.nix | 143 +++++++- + 2 files changed, 498 insertions(+), 17 deletions(-) diff --git a/nixos/modules/services/databases/lldap.nix b/nixos/modules/services/databases/lldap.nix -index 1095021b3f35..6b5d2be44f43 100644 +index 3738dba506a707..6b5d2be44f4373 100644 --- a/nixos/modules/services/databases/lldap.nix +++ b/nixos/modules/services/databases/lldap.nix @@ -8,6 +8,84 @@ @@ -305,7 +379,7 @@ index 1095021b3f35..6b5d2be44f43 100644 }; config = lib.mkIf cfg.enable { -@@ -183,15 +455,60 @@ in +@@ -183,25 +455,77 @@ in (cfg.settings.ldap_user_pass_file or null) == null || (cfg.settings.ldap_user_pass or null) == null; message = "lldap: Both `ldap_user_pass` and `ldap_user_pass_file` settings should not be set at the same time. Set one to `null`."; } @@ -363,17 +437,27 @@ index 1095021b3f35..6b5d2be44f43 100644 lldap: Unsecure `ldap_user_pass` setting is used. Prefer `ldap_user_pass_file` instead. '' - ] -- ++ lib.optionals +- ++ +- lib.optionals +- (cfg.settings.force_ldap_user_pass_reset == false && cfg.silenceForceUserPassResetWarning == false) +- [ +- '' +- lldap: The `force_ldap_user_pass_reset` setting is set to `false` which means +- the admin password can be changed through the UI and will drift from the one defined in your nix config. +- It also means changing the setting `ldap_user_pass` or `ldap_user_pass_file` will have no effect on the admin password. +- Either set `force_ldap_user_pass_reset` to `"always"` or silence this warning by setting the option `services.lldap.silenceForceUserPassResetWarning` to `true`. +- '' +- ]; + ]) + ++ (lib.optionals - (cfg.settings.force_ldap_user_pass_reset == false && cfg.silenceForceUserPassResetWarning == false) - [ - '' -@@ -200,7 +517,15 @@ in - It also means changing the setting `ldap_user_pass` or `ldap_user_pass_file` will have no effect on the admin password. - Either set `force_ldap_user_pass_reset` to `"always"` or silence this warning by setting the option `services.lldap.silenceForceUserPassResetWarning` to `true`. - '' -- ]; ++ (cfg.settings.force_ldap_user_pass_reset == false && cfg.silenceForceUserPassResetWarning == false) ++ [ ++ '' ++ lldap: The `force_ldap_user_pass_reset` setting is set to `false` which means ++ the admin password can be changed through the UI and will drift from the one defined in your nix config. ++ It also means changing the setting `ldap_user_pass` or `ldap_user_pass_file` will have no effect on the admin password. ++ Either set `force_ldap_user_pass_reset` to `"always"` or silence this warning by setting the option `services.lldap.silenceForceUserPassResetWarning` to `true`. ++ '' + ] + ) + ++ (lib.optionals (!cfg.enforceUserMemberships && someUsersBelongToNonEnsuredGroup) [ @@ -386,7 +470,7 @@ index 1095021b3f35..6b5d2be44f43 100644 systemd.services.lldap = { description = "Lightweight LDAP server (lldap)"; -@@ -223,6 +548,28 @@ in +@@ -224,6 +548,28 @@ in + '' ${lib.getExe cfg.package} run --config-file ${format.generate "lldap_config.toml" cfg.settings} ''; @@ -416,7 +500,7 @@ index 1095021b3f35..6b5d2be44f43 100644 StateDirectory = "lldap"; StateDirectoryMode = "0750"; diff --git a/nixos/tests/lldap.nix b/nixos/tests/lldap.nix -index 8e38d4bdefa3..47d32c7a2a7b 100644 +index 8e38d4bdefa31d..47d32c7a2a7bbc 100644 --- a/nixos/tests/lldap.nix +++ b/nixos/tests/lldap.nix @@ -1,6 +1,9 @@ @@ -613,6 +697,3 @@ index 8e38d4bdefa3..47d32c7a2a7b 100644 + raise Exception(f'Unexpected value for attribute "mygroupattribute": {othergroup.get('mygroupattribute')}') ''; } --- -2.49.0 -