nixos/kanidm: add option and tests for imperative group management

2025-06-09 19:13:26 +03:00 · 2025-06-07 11:34:48 +02:00 · 2025-06-07 11:34:48 +02:00 · 5f833b1008
commit 5f833b1008
parent b7f5fce1ca
2 changed files with 30 additions and 0 deletions
--- a/nixos/modules/services/security/kanidm.nix
+++ b/nixos/modules/services/security/kanidm.nix
@ -460,6 +460,17 @@ in
                apply = unique;
                default = [ ];
              };
+
+              overwriteMembers = mkOption {
+                description = ''
+                  Whether the member list should be overwritten each time (true) or appended
+                  (false). Append mode allows interactive group management in addition to the
+                  declared members. Also, future member removals cannot be reflected
+                  automatically in append mode.
+                '';
+                type = types.bool;
+                default = true;
+              };
            };
            config.members = concatLists (
              flip mapAttrsToList cfg.provision.persons (
--- a/nixos/tests/kanidm-provisioning.nix
+++ b/nixos/tests/kanidm-provisioning.nix
@ -73,6 +73,10 @@ in
            };

            groups.testgroup1 = { };
+            groups.imperative = {
+              overwriteMembers = false;
+              members = [ "testuser1" ];
+            };

            persons.testuser1 = {
              displayName = "Test User";
@ -133,6 +137,11 @@ in
            };

            groups.testgroup1 = { };
+            groups.imperative = {
+              overwriteMembers = false;
+              # Will be retained:
+              # members = [ "testuser1" ];
+            };

            persons.testuser1 = {
              displayName = "Test User (changed)";
@ -351,6 +360,10 @@ in
          out = provision.succeed("kanidm group get testgroup1")
          assert_contains(out, "name: testgroup1")

+          out = provision.succeed("kanidm group get imperative")
+          assert_contains(out, "name: imperative")
+          assert_contains(out, "member: testuser1")
+
          out = provision.succeed("kanidm group get supergroup1")
          assert_contains(out, "name: supergroup1")
          assert_contains(out, "member: testgroup1")
@ -361,6 +374,7 @@ in
          assert_contains(out, "legalname: Jane Doe")
          assert_contains(out, "mail: jane.doe@example.com")
          assert_contains(out, "memberof: testgroup1")
+          assert_contains(out, "memberof: imperative")
          assert_contains(out, "memberof: service1-access")

          out = provision.succeed("kanidm person get testuser2")
@ -405,6 +419,10 @@ in
          out = provision.succeed("kanidm group get testgroup1")
          assert_contains(out, "name: testgroup1")

+          out = provision.succeed("kanidm group get imperative")
+          assert_contains(out, "name: imperative")
+          assert_contains(out, "member: testuser1")
+
          out = provision.succeed("kanidm group get supergroup1")
          assert_contains(out, "name: supergroup1")
          assert_lacks(out, "member: testgroup1")
@ -416,6 +434,7 @@ in
          assert_contains(out, "mail: jane.doe@example.com")
          assert_contains(out, "mail: second.doe@example.com")
          assert_lacks(out, "memberof: testgroup1")
+          assert_contains(out, "memberof: imperative")
          assert_contains(out, "memberof: service1-access")

          out = provision.succeed("kanidm person get testuser2")