diff --git a/nixos/modules/services/security/kanidm.nix b/nixos/modules/services/security/kanidm.nix
index 002144888ecf..14927f439ca5 100644
--- a/nixos/modules/services/security/kanidm.nix
+++ b/nixos/modules/services/security/kanidm.nix
@@ -460,6 +460,17 @@ in
 apply = unique;
 default = [ ];
 };
+
+ overwriteMembers = mkOption {
+ description = ''
+ Whether the member list should be overwritten each time (true) or appended
+ (false). Append mode allows interactive group management in addition to the
+ declared members. Also, future member removals cannot be reflected
+ automatically in append mode.
+ '';
+ type = types.bool;
+ default = true;
+ };
 };
 config.members = concatLists (
 flip mapAttrsToList cfg.provision.persons (
diff --git a/nixos/tests/kanidm-provisioning.nix b/nixos/tests/kanidm-provisioning.nix
index f38e0770388d..b04fb4d65e4a 100644
--- a/nixos/tests/kanidm-provisioning.nix
+++ b/nixos/tests/kanidm-provisioning.nix
@@ -73,6 +73,10 @@ in
 };
 groups.testgroup1 = { };
+ groups.imperative = {
+ overwriteMembers = false;
+ members = [ "testuser1" ];
+ };
 persons.testuser1 = {
 displayName = "Test User";
@@ -133,6 +137,11 @@ in
 };
 groups.testgroup1 = { };
+ groups.imperative = {
+ overwriteMembers = false;
+ # Will be retained:
+ # members = [ "testuser1" ];
+ };
 persons.testuser1 = {
 displayName = "Test User (changed)";
@@ -351,6 +360,10 @@ in
 out = provision.succeed("kanidm group get testgroup1")
 assert_contains(out, "name: testgroup1")
+ out = provision.succeed("kanidm group get imperative")
+ assert_contains(out, "name: imperative")
+ assert_contains(out, "member: testuser1")
+
 out = provision.succeed("kanidm group get supergroup1")
 assert_contains(out, "name: supergroup1")
 assert_contains(out, "member: testgroup1")
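Review bot: The `overwriteMembers` description should spell out the access-control consequence of append mode, because `false` means revocations never propagate: a person dropped from `members`, or one added out-of-band with the kanidm CLI, stays in the group until someone removes it by hand, so the declared configuration no longer describes the group's effective membership. I would extend the description with a sentence such as `In append mode, removing a person from members does not revoke their membership; do it manually with the kanidm CLI, and prefer the default for groups that grant privileged access.` Keeping `default = true` is the right choice. The group submodule this option lives in, and the place where it is handed to kanidm-provision, are outside this hunk.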
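Review bot: The second provisioning round only checks that a member dropped from the declaration is retained; the other half of the append-mode contract, that a member added interactively survives re-provisioning, is not exercised, and neither is the revocation path once `overwriteMembers` is flipped back to its default. Between the two rounds I would add an out-of-band change such as `provision.succeed("kanidm group add-members imperative testuser2")` (under whatever session the test's other `kanidm` calls already rely on) and assert `member: testuser2` in the second round's `kanidm group get imperative` output, then a third configuration with the option at its default that asserts both stale members are gone. The test script these hunks belong to starts and ends outside the hunk.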
@@ -361,6 +374,7 @@ in
 assert_contains(out, "legalname: Jane Doe")
 assert_contains(out, "mail: jane.doe@example.com")
 assert_contains(out, "memberof: testgroup1")
+ assert_contains(out, "memberof: imperative")
 assert_contains(out, "memberof: service1-access")
 out = provision.succeed("kanidm person get testuser2")
@@ -405,6 +419,10 @@ in
 out = provision.succeed("kanidm group get testgroup1")
 assert_contains(out, "name: testgroup1")
+ out = provision.succeed("kanidm group get imperative")
+ assert_contains(out, "name: imperative")
+ assert_contains(out, "member: testuser1")
+
 out = provision.succeed("kanidm group get supergroup1")
 assert_contains(out, "name: supergroup1")
 assert_lacks(out, "member: testgroup1")
@@ -416,6 +434,7 @@ in
 assert_contains(out, "mail: jane.doe@example.com")
 assert_contains(out, "mail: second.doe@example.com")
 assert_lacks(out, "memberof: testgroup1")
+ assert_contains(out, "memberof: imperative")
 assert_contains(out, "memberof: service1-access")
 out = provision.succeed("kanidm person get testuser2")
diff --git a/pkgs/by-name/ka/kanidm-provision/package.nix b/pkgs/by-name/ka/kanidm-provision/package.nix
index a96a6d5add71..318bbb09c0ab 100644
--- a/pkgs/by-name/ka/kanidm-provision/package.nix
+++ b/pkgs/by-name/ka/kanidm-provision/package.nix
@@ -2,7 +2,6 @@
 lib,
 rustPlatform,
 fetchFromGitHub,
- yq,
 versionCheckHook,
 nix-update-script,
 nixosTests,
@@ -10,25 +9,17 @@ rustPlatform.buildRustPackage (finalAttrs: {
 pname = "kanidm-provision";
- version = "1.2.1";
+ version = "1.3.0";
 src = fetchFromGitHub {
 owner = "oddlama";
 repo = "kanidm-provision";
 tag = "v${finalAttrs.version}";
- hash = "sha256-kwxGrLz59Zk8PSsfQzPUeA/xWQZrV1NWlS5/yuqfIyI=";
+ hash = "sha256-m3bF4wFPVRc2E+E/pZc3js9T4rYbTejo/FFpysytWKw=";
 };
- postPatch = ''
- tomlq -ti '.package.version = "${finalAttrs.version}"' Cargo.toml
- '';
 useFetchCargoVendor = true;
- cargoHash = "sha256-uo/TGyfNChq/t6Dah0HhXhAwktyQk0V/wewezZuftNk=";
-
- nativeBuildInputs = [
- yq # for `tomlq`
- ];
+ cargoHash = "sha256-dPTrIc/hTbMlFDXYMk/dTjqaNECazldfW43egDOwyLM=";
 nativeInstallCheckInputs = [ versionCheckHook ];
 versionCheckProgramArg = "--version";