import ./make-test-python.nix ({ pkgs, ... }:
let
  inherit (pkgs) lib;
  # Snakeoil CA and leaf certificates shared with the NixOS ACME tests. They
  # never leave the test VMs; the CA is pinned explicitly on both nodes below.
  certs = import ./common/acme/server/snakeoil-certs.nix;
  serverDomain = certs.domain;
in
{
  name = "kanidm";
  meta.maintainers = [ lib.maintainers.erictapen lib.maintainers.Flakebi ];

  nodes = {
    # kanidmd binds plaintext on loopback only (HTTP on 8443, LDAP on 636);
    # nginx terminates TLS with the snakeoil certificate in front of it.
    server = { pkgs, ... }: {
      services.kanidm = {
        enableServer = true;
        serverSettings = {
          origin = "https://" + serverDomain;
          domain = serverDomain;
          bindaddress = "[::1]:8443";
          ldapbindaddress = "[::1]:636";
        };
      };

      services.nginx = {
        enable = true;
        recommendedProxySettings = true;
        virtualHosts.${serverDomain} = {
          forceSSL = true;
          sslCertificate = certs.${serverDomain}.cert;
          sslCertificateKey = certs.${serverDomain}.key;
          locations."/".proxyPass = "http://[::1]:8443";
        };
      };

      # Trust the test CA so curl against the nginx front end verifies.
      security.pki.certificateFiles = [ certs.ca.cert ];

      networking.hosts."::1" = [ serverDomain ];
      networking.firewall.allowedTCPPorts = [ 80 443 ];

      users.users.kanidm.shell = pkgs.bashInteractive;

      environment.systemPackages = [ pkgs.kanidm pkgs.openldap pkgs.ripgrep ];
    };

    client = { nodes, ... }: {
      services.kanidm = {
        enableClient = true;
        clientSettings = {
          uri = "https://" + serverDomain;
          # Both verification knobs stay on; trust comes from pinning the test
          # CA via security.pki.certificateFiles, not from relaxing checks.
          verify_ca = true;
          verify_hostnames = true;
        };
        enablePam = true;
        unixSettings = {
          pam_allowed_login_groups = [ "shell" ];
        };
      };

      # Resolve the server name to the server VM's primary address.
      networking.hosts.${nodes.server.config.networking.primaryIPAddress} = [ serverDomain ];

      security.pki.certificateFiles = [ certs.ca.cert ];
    };
  };

  testScript = { nodes, ... }:
    let
      # "a.b.c" -> "dc=a,dc=b,dc=c"
      ldapBaseDN = lib.concatMapStringsSep "," (s: "dc=" + s) (lib.splitString "." serverDomain);

      # The kanidmd CLI needs the same server.toml the service runs with.
      # Options the module leaves at null are stripped before rendering,
      # converging because filtering can expose newly empty attrsets.
      serverSettings = nodes.server.config.services.kanidm.serverSettings;
      filteredConfig = lib.converge (lib.filterAttrsRecursive (_: v: v != null)) serverSettings;
      serverConfigFile = (pkgs.formats.toml { }).generate "server.toml" filteredConfig;
    in
    ''
      start_all()
      server.wait_for_unit("kanidm.service")
      # HTTPS goes through nginx and is verified against the pinned test CA.
      server.wait_until_succeeds("curl -sf https://${serverDomain} | grep Kanidm")
      # NOTE(review): port 636 is conventionally LDAPS, yet this uses a plain
      # ldap:// URI; presumably the listener is plaintext because serverSettings
      # above carries no TLS material -- confirm against the module.
      server.succeed("ldapsearch -H ldap://[::1]:636 -b '${ldapBaseDN}' -x '(name=test)'")
      client.succeed("kanidm login -D anonymous && kanidm self whoami | grep anonymous@${serverDomain}")
      # Only the exit status is asserted: rg exits non-zero when no 48-char
      # token appears, so a failed recovery fails the test. The recovered
      # idm_admin credential is captured but not used further.
      rc, _recovered = server.execute("kanidmd recover_account -c ${serverConfigFile} idm_admin 2>&1 | rg -o '[A-Za-z0-9]{48}'")
      assert rc == 0
      client.wait_for_unit("kanidm-unixd.service")
      client.succeed("kanidm_unixd_status | grep working!")
    '';
})