diff --git a/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml
index bb8291d1a6a0..ae118e4c82bf 100644
--- a/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml
@@ -709,6 +709,14 @@
emacs-gtk.
+
+
+ kanidm has been updated to 1.1.0-alpha.10
+ and now requires a tls certificate and key. It will always
+ start an https and – if enabled – an ldaps server and no http
+ and ldap server anymore.
+
+
riak package removed along with
diff --git a/nixos/doc/manual/release-notes/rl-2211.section.md b/nixos/doc/manual/release-notes/rl-2211.section.md
index 071351939f65..72d54f8f43e6 100644
--- a/nixos/doc/manual/release-notes/rl-2211.section.md
+++ b/nixos/doc/manual/release-notes/rl-2211.section.md
@@ -231,6 +231,8 @@ Available as [services.patroni](options.html#opt-services.patroni.enable).
- Emacs now uses the Lucid toolkit by default instead of GTK because of stability and compatibility issues.
Users who still wish to remain using GTK can do so by using `emacs-gtk`.
+- `kanidm` has been updated to 1.1.0-alpha.10 and now requires a tls certificate and key. It will always start an https and – if enabled – an ldaps server and no http and ldap server anymore.
+
- riak package removed along with `services.riak` module, due to lack of maintainer to update the package.
- ppd files in `pkgs.cups-drv-rastertosag-gdi` are now gzipped. If you refer to such a ppd file with its path (e.g. via [hardware.printers.ensurePrinters](options.html#opt-hardware.printers.ensurePrinters)) you will need to append `.gz` to the path.
diff --git a/nixos/modules/services/security/kanidm.nix b/nixos/modules/services/security/kanidm.nix
index 788e06ffecf0..55120799c993 100644
--- a/nixos/modules/services/security/kanidm.nix
+++ b/nixos/modules/services/security/kanidm.nix
@@ -100,6 +100,14 @@ in
readOnly = true;
type = lib.types.path;
};
+ tls_chain = lib.mkOption {
+ description = lib.mdDoc "TLS chain in pem format.";
+ type = lib.types.path;
+ };
+ tls_key = lib.mkOption {
+ description = lib.mdDoc "TLS key in pem format.";
+ type = lib.types.path;
+ };
log_level = lib.mkOption {
description = lib.mdDoc "Log level of the server.";
default = "default";
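Review bot: `tls_key` is declared as `lib.types.path` with no caveat, so a user who writes `tls_key = ./server.key;` gets the private key copied into the world-readable Nix store when the value is rendered into the server config; the description should warn against that and state who must be able to read the file. Something like `description = lib.mdDoc "TLS private key in PEM format. Must be readable by the kanidm service user and must not be a path literal, which would copy the key into the world-readable Nix store.";` (and a matching note on `tls_chain` that it is the full certificate chain). Both options have no default, so every existing deployment fails to evaluate until they are set, which the release-note hunk mentions but the option text does not. The enclosing `serverSettings` option set starts and ends outside this hunk, so I cannot see whether the module also assigns ownership or permissions on these files.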
diff --git a/nixos/tests/kanidm.nix b/nixos/tests/kanidm.nix
index 7f8a4e501777..33c65026b9b1 100644
--- a/nixos/tests/kanidm.nix
+++ b/nixos/tests/kanidm.nix
@@ -13,26 +13,17 @@ import ./make-test-python.nix ({ pkgs, ... }:
serverSettings = {
origin = "https://${serverDomain}";
domain = serverDomain;
- bindaddress = "[::1]:8443";
+ bindaddress = "[::]:443";
ldapbindaddress = "[::1]:636";
- };
- };
-
- services.nginx = {
- enable = true;
- recommendedProxySettings = true;
- virtualHosts."${serverDomain}" = {
- forceSSL = true;
- sslCertificate = certs."${serverDomain}".cert;
- sslCertificateKey = certs."${serverDomain}".key;
- locations."/".proxyPass = "http://[::1]:8443";
+ tls_chain = certs."${serverDomain}".cert;
+ tls_key = certs."${serverDomain}".key;
};
};
security.pki.certificateFiles = [ certs.ca.cert ];
networking.hosts."::1" = [ serverDomain ];
- networking.firewall.allowedTCPPorts = [ 80 443 ];
+ networking.firewall.allowedTCPPorts = [ 443 ];
users.users.kanidm.shell = pkgs.bashInteractive;
@@ -73,7 +64,7 @@ import ./make-test-python.nix ({ pkgs, ... }:
start_all()
server.wait_for_unit("kanidm.service")
server.wait_until_succeeds("curl -sf https://${serverDomain} | grep Kanidm")
- server.succeed("ldapsearch -H ldap://[::1]:636 -b '${ldapBaseDN}' -x '(name=test)'")
+ server.succeed("ldapsearch -H ldaps://${serverDomain}:636 -b '${ldapBaseDN}' -x '(name=test)'")
client.succeed("kanidm login -D anonymous && kanidm self whoami | grep anonymous@${serverDomain}")
rv, result = server.execute("kanidmd recover_account -c ${serverConfigFile} idm_admin 2>&1 | rg -o '[A-Za-z0-9]{48}'")
assert rv == 0
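Review bot: The test only checks the positive path after the switch to TLS, but the release-note hunk claims the server no longer starts a plain http or ldap listener, and nothing here verifies that. A negative assertion next to the existing checks would pin the security-relevant behaviour, e.g. `server.fail("curl -sf http://${serverDomain}:443")` and `server.fail("ldapsearch -H ldap://[::1]:636 -b '${ldapBaseDN}' -x '(name=test)'")`, so a future regression to plaintext listeners is caught. The enclosing test script continues outside this hunk.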
diff --git a/pkgs/servers/kanidm/default.nix b/pkgs/servers/kanidm/default.nix
index 0984a622330c..8941a5c7c6cd 100644
--- a/pkgs/servers/kanidm/default.nix
+++ b/pkgs/servers/kanidm/default.nix
@@ -17,16 +17,16 @@ let
in
rustPlatform.buildRustPackage rec {
pname = "kanidm";
- version = "1.1.0-alpha.9";
+ version = "1.1.0-alpha.10";
src = fetchFromGitHub {
owner = pname;
repo = pname;
- rev = "985462590b1c49b26a0b0ee01e24b1eb01942165";
- hash = "sha256-JtoDuA3NCKmX+wDqav30VwrLeDALYat1iKFWpbYOO1s=";
+ rev = "fb76326234bffd9c9f3f24808d113f2c335c86fe";
+ hash = "sha256-nE3zyigorAbDp5mgXzoyXWGOG+GaFC//SS/7Z9zj1Ps=";
};
- cargoSha256 = "sha256-pkBkXIG2PF5YMeighQwHwhURWbJabfveyszRIdrQjcA=";
+ cargoSha256 = "sha256-/CcmKYPtBHNdhJnO0OmZtW/39HH58qmCE9hFbIiNsaE=";
KANIDM_BUILD_PROFILE = "release_nixos_${arch}";