pyrox.dev / nixpkgs
lol
fork atom

kanidm: BindMount certificate paths

Bind mount the base dirs of the tls key and chain into the service.

Make sure to bind every directory just once. The test failed on ofborg
when /nix/store and the certificate path in /nix/store/<some path> were
bound.

Flakebi 603e89ee f864e461

options
unified split
Changed files
+61 -45
nixos
modules
services
security
kanidm.nix
tests
kanidm.nix
+59 -43
nixos/modules/services/security/kanidm.nix 
···

       
7

       
7

       
 

       
  serverConfigFile = settingsFormat.generate "server.toml" (filterConfig cfg.serverSettings);


     

       
8

       
8

       
 

       
  clientConfigFile = settingsFormat.generate "kanidm-config.toml" (filterConfig cfg.clientSettings);


     

       
9

       
9

       
 

       
  unixConfigFile = settingsFormat.generate "kanidm-unixd.toml" (filterConfig cfg.unixSettings);


     

       

       
10

       
+

       
  certPaths = builtins.map builtins.dirOf [ cfg.serverSettings.tls_chain cfg.serverSettings.tls_key ];


     

       

       
11

       
+

       



     

       

       
12

       
+

       
  # Merge bind mount paths and remove paths where a prefix is already mounted.


     

       

       
13

       
+

       
  # This makes sure that if e.g. the tls_chain is in the nix store and /nix/store is alread in the mount


     

       

       
14

       
+

       
  # paths, no new bind mount is added. Adding subpaths caused problems on ofborg.


     

       

       
15

       
+

       
  hasPrefixInList = list: newPath: lib.any (path: lib.hasPrefix (builtins.toString path) (builtins.toString newPath)) list;


     

       

       
16

       
+

       
  mergePaths = lib.foldl' (merged: newPath: let


     

       

       
17

       
+

       
      # If the new path is a prefix to some existing path, we need to filter it out


     

       

       
18

       
+

       
      filteredPaths = lib.filter (p: !lib.hasPrefix (builtins.toString newPath) (builtins.toString p)) merged;


     

       

       
19

       
+

       
      # If a prefix of the new path is already in the list, do not add it


     

       

       
20

       
+

       
      filteredNew = if hasPrefixInList filteredPaths newPath then [] else [ newPath ];


     

       

       
21

       
+

       
    in filteredPaths ++ filteredNew) [];


     

       
10

       
22

       
 

       



     

       
11

       
23

       
 

       
  defaultServiceConfig = {


     

       
12

       
24

       
 

       
    BindReadOnlyPaths = [


     
···

       
16

       
28

       
 

       
      "-/etc/hosts"


     

       
17

       
29

       
 

       
      "-/etc/localtime"


     

       
18

       
30

       
 

       
    ];


     

       
19

       

       
-

       
    CapabilityBoundingSet = "";


     

       

       
31

       
+

       
    CapabilityBoundingSet = [];


     

       
20

       
32

       
 

       
    # ProtectClock= adds DeviceAllow=char-rtc r


     

       
21

       
33

       
 

       
    DeviceAllow = "";


     

       
22

       
34

       
 

       
    # Implies ProtectSystem=strict, which re-mounts all paths


     
···

       
216

       
228

       
 

       
      description = "kanidm identity management daemon";


     

       
217

       
229

       
 

       
      wantedBy = [ "multi-user.target" ];


     

       
218

       
230

       
 

       
      after = [ "network.target" ];


     

       
219

       

       
-

       
      serviceConfig = defaultServiceConfig // {


     

       
220

       

       
-

       
        StateDirectory = "kanidm";


     

       
221

       

       
-

       
        StateDirectoryMode = "0700";


     

       
222

       

       
-

       
        ExecStart = "${pkgs.kanidm}/bin/kanidmd server -c ${serverConfigFile}";


     

       
223

       

       
-

       
        User = "kanidm";


     

       
224

       

       
-

       
        Group = "kanidm";


     

       

       
231

       
+

       
      serviceConfig = lib.mkMerge [


     

       

       
232

       
+

       
        # Merge paths and ignore existing prefixes needs to sidestep mkMerge


     

       

       
233

       
+

       
        (defaultServiceConfig // {


     

       

       
234

       
+

       
          BindReadOnlyPaths = mergePaths (defaultServiceConfig.BindReadOnlyPaths ++ certPaths);


     

       

       
235

       
+

       
        })


     

       

       
236

       
+

       
        {


     

       

       
237

       
+

       
          StateDirectory = "kanidm";


     

       

       
238

       
+

       
          StateDirectoryMode = "0700";


     

       

       
239

       
+

       
          ExecStart = "${pkgs.kanidm}/bin/kanidmd server -c ${serverConfigFile}";


     

       

       
240

       
+

       
          User = "kanidm";


     

       

       
241

       
+

       
          Group = "kanidm";


     

       
225

       
242

       
 

       



     

       
226

       

       
-

       
        AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];


     

       
227

       

       
-

       
        CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];


     

       
228

       

       
-

       
        # This would otherwise override the CAP_NET_BIND_SERVICE capability.


     

       
229

       

       
-

       
        PrivateUsers = false;


     

       
230

       

       
-

       
        # Port needs to be exposed to the host network


     

       
231

       

       
-

       
        PrivateNetwork = false;


     

       
232

       

       
-

       
        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];


     

       
233

       

       
-

       
        TemporaryFileSystem = "/:ro";


     

       
234

       

       
-

       
      };


     

       

       
243

       
+

       
          AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];


     

       

       
244

       
+

       
          CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];


     

       

       
245

       
+

       
          # This would otherwise override the CAP_NET_BIND_SERVICE capability.


     

       

       
246

       
+

       
          PrivateUsers = lib.mkForce false;


     

       

       
247

       
+

       
          # Port needs to be exposed to the host network


     

       

       
248

       
+

       
          PrivateNetwork = lib.mkForce false;


     

       

       
249

       
+

       
          RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];


     

       

       
250

       
+

       
          TemporaryFileSystem = "/:ro";


     

       

       
251

       
+

       
        }


     

       

       
252

       
+

       
      ];


     

       
235

       
253

       
 

       
      environment.RUST_LOG = "info";


     

       
236

       
254

       
 

       
    };


     

       
237

       
255

       
 

       



     
···

       
240

       
258

       
 

       
      wantedBy = [ "multi-user.target" ];


     

       
241

       
259

       
 

       
      after = [ "network.target" ];


     

       
242

       
260

       
 

       
      restartTriggers = [ unixConfigFile clientConfigFile ];


     

       
243

       

       
-

       
      serviceConfig = defaultServiceConfig // {


     

       
244

       

       
-

       
        CacheDirectory = "kanidm-unixd";


     

       
245

       

       
-

       
        CacheDirectoryMode = "0700";


     

       
246

       

       
-

       
        RuntimeDirectory = "kanidm-unixd";


     

       
247

       

       
-

       
        ExecStart = "${pkgs.kanidm}/bin/kanidm_unixd";


     

       
248

       

       
-

       
        User = "kanidm-unixd";


     

       
249

       

       
-

       
        Group = "kanidm-unixd";


     

       

       
261

       
+

       
      serviceConfig = lib.mkMerge [


     

       

       
262

       
+

       
        defaultServiceConfig


     

       

       
263

       
+

       
        {


     

       

       
264

       
+

       
          CacheDirectory = "kanidm-unixd";


     

       

       
265

       
+

       
          CacheDirectoryMode = "0700";


     

       

       
266

       
+

       
          RuntimeDirectory = "kanidm-unixd";


     

       

       
267

       
+

       
          ExecStart = "${pkgs.kanidm}/bin/kanidm_unixd";


     

       

       
268

       
+

       
          User = "kanidm-unixd";


     

       

       
269

       
+

       
          Group = "kanidm-unixd";


     

       
250

       
270

       
 

       



     

       
251

       

       
-

       
        BindReadOnlyPaths = [


     

       
252

       

       
-

       
          "/nix/store"


     

       
253

       

       
-

       
          "-/etc/resolv.conf"


     

       
254

       

       
-

       
          "-/etc/nsswitch.conf"


     

       
255

       

       
-

       
          "-/etc/hosts"


     

       
256

       

       
-

       
          "-/etc/localtime"


     

       
257

       

       
-

       
          "-/etc/kanidm"


     

       
258

       

       
-

       
          "-/etc/static/kanidm"


     

       
259

       

       
-

       
          "-/etc/ssl"


     

       
260

       

       
-

       
          "-/etc/static/ssl"


     

       
261

       

       
-

       
        ];


     

       
262

       

       
-

       
        BindPaths = [


     

       
263

       

       
-

       
          # To create the socket


     

       
264

       

       
-

       
          "/run/kanidm-unixd:/var/run/kanidm-unixd"


     

       
265

       

       
-

       
        ];


     

       
266

       

       
-

       
        # Needs to connect to kanidmd


     

       
267

       

       
-

       
        PrivateNetwork = false;


     

       
268

       

       
-

       
        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];


     

       
269

       

       
-

       
        TemporaryFileSystem = "/:ro";


     

       
270

       

       
-

       
      };


     

       

       
271

       
+

       
          BindReadOnlyPaths = [


     

       

       
272

       
+

       
            "-/etc/kanidm"


     

       

       
273

       
+

       
            "-/etc/static/kanidm"


     

       

       
274

       
+

       
            "-/etc/ssl"


     

       

       
275

       
+

       
            "-/etc/static/ssl"


     

       

       
276

       
+

       
          ];


     

       

       
277

       
+

       
          BindPaths = [


     

       

       
278

       
+

       
            # To create the socket


     

       

       
279

       
+

       
            "/run/kanidm-unixd:/var/run/kanidm-unixd"


     

       

       
280

       
+

       
          ];


     

       

       
281

       
+

       
          # Needs to connect to kanidmd


     

       

       
282

       
+

       
          PrivateNetwork = lib.mkForce false;


     

       

       
283

       
+

       
          RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];


     

       

       
284

       
+

       
          TemporaryFileSystem = "/:ro";


     

       

       
285

       
+

       
        }


     

       

       
286

       
+

       
      ];


     

       
271

       
287

       
 

       
      environment.RUST_LOG = "info";


     

       
272

       
288

       
 

       
    };


     

       
273

       
289
+2 -2
nixos/tests/kanidm.nix 
···

       
44

       
44

       
 

       
        };


     

       
45

       
45

       
 

       
      };


     

       
46

       
46

       
 

       



     

       
47

       

       
-

       
      networking.hosts."${nodes.server.config.networking.primaryIPAddress}" = [ serverDomain ];


     

       

       
47

       
+

       
      networking.hosts."${nodes.server.networking.primaryIPAddress}" = [ serverDomain ];


     

       
48

       
48

       
 

       



     

       
49

       
49

       
 

       
      security.pki.certificateFiles = [ certs.ca.cert ];


     

       
50

       
50

       
 

       
    };


     
···

       
56

       
56

       
 

       
        # We need access to the config file in the test script.


     

       
57

       
57

       
 

       
        filteredConfig = pkgs.lib.converge


     

       
58

       
58

       
 

       
          (pkgs.lib.filterAttrsRecursive (_: v: v != null))


     

       
59

       

       
-

       
          nodes.server.config.services.kanidm.serverSettings;


     

       

       
59

       
+

       
          nodes.server.services.kanidm.serverSettings;


     

       
60

       
60

       
 

       
        serverConfigFile = (pkgs.formats.toml { }).generate "server.toml" filteredConfig;


     

       
61

       
61

       
 

       



     

       
62

       
62

       
 

       
      in