Merge pull request #227916 from IndeedNotJames/lldap

lldap: init at 0.4.3; nixos/lldap: init; nixosTests.lldap: init
2023-04-29 15:24:12 -04:00 · 2023-04-29 15:24:12 -04:00 · f81a619c91
parent 54668c8ef7 5eb2e64d80
commit f81a619c91
9 changed files with 5172 additions and 0 deletions
--- a/nixos/doc/manual/release-notes/rl-2305.section.md
+++ b/nixos/doc/manual/release-notes/rl-2305.section.md
@ -117,6 +117,8 @@ In addition to numerous new and upgraded packages, this release has the followin

 - [woodpecker-server](https://woodpecker-ci.org/), a simple CI engine with great extensibility. Available as [services.woodpecker-server](#opt-services.woodpecker-server.enable).

+- [lldap](https://github.com/lldap/lldap), a lightweight authentication server that provides an opinionated, simplified LDAP interface for authentication. Available as [services.lldap](#opt-services.lldap.enable).
+
 - [ReGreet](https://github.com/rharish101/ReGreet), a clean and customizable greeter for greetd. Available as [programs.regreet](#opt-programs.regreet.enable).

 - [v4l2-relayd](https://git.launchpad.net/v4l2-relayd), a streaming relay for v4l2loopback using gstreamer. Available as [services.v4l2-relayd](#opt-services.v4l2-relayd.instances._name_.enable).
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@ -396,6 +396,7 @@
  ./services/databases/hbase-standalone.nix
  ./services/databases/influxdb.nix
  ./services/databases/influxdb2.nix
+  ./services/databases/lldap.nix
  ./services/databases/memcached.nix
  ./services/databases/monetdb.nix
  ./services/databases/mongodb.nix
--- a/nixos/modules/services/databases/lldap.nix
+++ b/nixos/modules/services/databases/lldap.nix
@ -0,0 +1,121 @@
+{ config, lib, pkgs, utils, ... }:
+
+let
+  cfg = config.services.lldap;
+  format = pkgs.formats.toml { };
+in
+{
+  options.services.lldap = with lib; {
+    enable = mkEnableOption (mdDoc "lldap");
+
+    package = mkPackageOptionMD pkgs "lldap" { };
+
+    environment = mkOption {
+      type = with types; attrsOf str;
+      default = { };
+      example = {
+        LLDAP_JWT_SECRET_FILE = "/run/lldap/jwt_secret";
+        LLDAP_LDAP_USER_PASS_FILE = "/run/lldap/user_password";
+      };
+      description = lib.mdDoc ''
+        Environment variables passed to the service.
+        Any config option name prefixed with `LLDAP_` takes priority over the one in the configuration file.
+      '';
+    };
+
+    environmentFile = mkOption {
+      type = types.nullOr types.path;
+      default = null;
+      description = lib.mdDoc ''
+        Environment file as defined in {manpage}`systemd.exec(5)` passed to the service.
+      '';
+    };
+
+    settings = mkOption {
+      description = mdDoc ''
+        Free-form settings written directly to the `lldap_config.toml` file.
+        Refer to <https://github.com/lldap/lldap/blob/main/lldap_config.docker_template.toml> for supported values.
+      '';
+
+      default = { };
+
+      type = types.submodule {
+        freeformType = format.type;
+        options = {
+          ldap_host = mkOption {
+            type = types.str;
+            description = mdDoc "The host address that the LDAP server will be bound to.";
+            default = "::";
+          };
+
+          ldap_port = mkOption {
+            type = types.port;
+            description = mdDoc "The port on which to have the LDAP server.";
+            default = 3890;
+          };
+
+          http_host = mkOption {
+            type = types.str;
+            description = mdDoc "The host address that the HTTP server will be bound to.";
+            default = "::";
+          };
+
+          http_port = mkOption {
+            type = types.port;
+            description = mdDoc "The port on which to have the HTTP server, for user login and administration.";
+            default = 17170;
+          };
+
+          http_url = mkOption {
+            type = types.str;
+            description = mdDoc "The public URL of the server, for password reset links.";
+            default = "http://localhost";
+          };
+
+          ldap_base_dn = mkOption {
+            type = types.str;
+            description = mdDoc "Base DN for LDAP.";
+            example = "dc=example,dc=com";
+          };
+
+          ldap_user_dn = mkOption {
+            type = types.str;
+            description = mdDoc "Admin username";
+            default = "admin";
+          };
+
+          ldap_user_email = mkOption {
+            type = types.str;
+            description = mdDoc "Admin email.";
+            default = "admin@example.com";
+          };
+
+          database_url = mkOption {
+            type = types.str;
+            description = mdDoc "Database URL.";
+            default = "sqlite://./users.db?mode=rwc";
+            example = "postgres://postgres-user:password@postgres-server/my-database";
+          };
+        };
+      };
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    systemd.services.lldap = {
+      description = "Lightweight LDAP server (lldap)";
+      after = [ "network-online.target" ];
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig = {
+        ExecStart = "${lib.getExe cfg.package} run --config-file ${format.generate "lldap_config.toml" cfg.settings}";
+        StateDirectory = "lldap";
+        WorkingDirectory = "%S/lldap";
+        User = "lldap";
+        Group = "lldap";
+        DynamicUser = true;
+        EnvironmentFile = lib.mkIf (cfg.environmentFile != null) cfg.environmentFile;
+      };
+      inherit (cfg) environment;
+    };
+  };
+}
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@ -379,6 +379,7 @@ in {
  limesurvey = handleTest ./limesurvey.nix {};
  listmonk = handleTest ./listmonk.nix {};
  litestream = handleTest ./litestream.nix {};
+  lldap = handleTest ./lldap.nix {};
  locate = handleTest ./locate.nix {};
  login = handleTest ./login.nix {};
  logrotate = handleTest ./logrotate.nix {};
--- a/nixos/tests/lldap.nix
+++ b/nixos/tests/lldap.nix
@ -0,0 +1,26 @@
+import ./make-test-python.nix ({ ... }: {
+  name = "lldap";
+
+  nodes.machine = { pkgs, ... }: {
+    services.lldap = {
+      enable = true;
+      settings = {
+        verbose = true;
+        ldap_base_dn = "dc=example,dc=com";
+      };
+    };
+    environment.systemPackages = [ pkgs.openldap ];
+  };
+
+  testScript = ''
+    machine.wait_for_unit("lldap.service")
+    machine.wait_for_open_port(3890)
+    machine.wait_for_open_port(17170)
+
+    machine.succeed("curl --location --fail http://localhost:17170/")
+
+    print(
+      machine.succeed('ldapsearch -H ldap://localhost:3890 -D uid=admin,ou=people,dc=example,dc=com -b "ou=people,dc=example,dc=com" -w password')
+    )
+  '';
+})
--- a/pkgs/servers/ldap/lldap/Cargo.lock
+++ b/pkgs/servers/ldap/lldap/Cargo.lock
--- a/pkgs/servers/ldap/lldap/default.nix
+++ b/pkgs/servers/ldap/lldap/default.nix
@ -0,0 +1,68 @@
+{ fetchFromGitHub
+, fetchzip
+, lib
+, lldap
+, nixosTests
+, rustPlatform
+}:
+
+let
+  # We cannot build the wasm frontend from source, as the
+  # wasm32-unknown-unknown rustc target isn't available in nixpkgs yet.
+  # Tracking issue: https://github.com/NixOS/nixpkgs/issues/89426
+  frontend = fetchzip {
+    url = "https://github.com/lldap/lldap/releases/download/v${lldap.version}/amd64-lldap.tar.gz";
+    hash = "sha256-/Ml4L5Gxpnmt1pLSiLNuxtzQYjTCatsVe/hE+Btl8BI=";
+    name = "lldap-frontend-${lldap.version}";
+    postFetch = ''
+      mv $out $TMPDIR/extracted
+      mv $TMPDIR/extracted/app $out
+    '';
+  };
+in
+rustPlatform.buildRustPackage rec {
+  pname = "lldap";
+  version = "0.4.3";
+
+  src = fetchFromGitHub {
+    owner = "lldap";
+    repo = "lldap";
+    rev = "v${version}";
+    hash = "sha256-FAUTykFh2eGVpx6LrCjV9xWbBPH8pCgAJv3vOXFMFZ4=";
+  };
+
+  # `Cargo.lock` has git dependencies, meaning can't use `cargoHash`
+  cargoLock = {
+    # 0.4.3 has been tagged before the actual Cargo.lock bump, resulting in an inconsitent lock file.
+    # To work around this, the Cargo.lock below is from the commit right after the tag:
+    # https://github.com/lldap/lldap/commit/7b4188a376baabda48d88fdca3a10756da48adda
+    lockFile = ./Cargo.lock;
+    outputHashes = {
+      "lber-0.4.1" = "sha256-2rGTpg8puIAXggX9rEbXPdirfetNOHWfFc80xqzPMT4=";
+      "opaque-ke-0.6.1" = "sha256-99gaDv7eIcYChmvOKQ4yXuaGVzo2Q6BcgSQOzsLF+fM=";
+      "yew_form-0.1.8" = "sha256-1n9C7NiFfTjbmc9B5bDEnz7ZpYJo9ZT8/dioRXJ65hc=";
+    };
+  };
+
+  patches = [
+    ./static-frontend-path.patch
+  ];
+
+  postPatch = ''
+    ln -s --force ${./Cargo.lock} Cargo.lock
+    substituteInPlace server/src/infra/tcp_server.rs --subst-var-by frontend '${frontend}'
+  '';
+
+  passthru.tests = {
+    inherit (nixosTests) lldap;
+  };
+
+  meta = with lib; {
+    description = "A lightweight authentication server that provides an opinionated, simplified LDAP interface for authentication";
+    homepage = "https://github.com/lldap/lldap";
+    changelog = "https://github.com/lldap/lldap/blob/v${version}/CHANGELOG.md";
+    license = licenses.gpl3Only;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ indeednotjames ];
+  };
+}
--- a/pkgs/servers/ldap/lldap/static-frontend-path.patch
+++ b/pkgs/servers/ldap/lldap/static-frontend-path.patch
@ -0,0 +1,43 @@
+diff --git a/server/src/infra/tcp_server.rs b/server/src/infra/tcp_server.rs
+index 43f65ea..e289f2a 100644
+--- a/server/src/infra/tcp_server.rs
+++ b/server/src/infra/tcp_server.rs
+@@ -26,7 +26,7 @@ use std::sync::RwLock;
+ use tracing::info;
+ 
+ async fn index() -> actix_web::Result<NamedFile> {
+-    let path = PathBuf::from(r"app/index.html");
+    let path = PathBuf::from(r"@frontend@/index.html");
+     Ok(NamedFile::open(path)?)
+ }
+ 
+@@ -68,12 +68,12 @@ pub(crate) fn error_to_http_response(error: TcpError) -> HttpResponse {
+ }
+ 
+ async fn wasm_handler() -> actix_web::Result<impl Responder> {
+-    Ok(actix_files::NamedFile::open_async("./app/pkg/lldap_app_bg.wasm").await?)
+    Ok(actix_files::NamedFile::open_async("@frontend@/pkg/lldap_app_bg.wasm").await?)
+ }
+ 
+ async fn wasm_handler_compressed() -> actix_web::Result<impl Responder> {
+     Ok(
+-        actix_files::NamedFile::open_async("./app/pkg/lldap_app_bg.wasm.gz")
+        actix_files::NamedFile::open_async("@frontend@/pkg/lldap_app_bg.wasm.gz")
+             .await?
+             .customize()
+             .insert_header(header::ContentEncoding::Gzip)
+@@ -118,11 +118,11 @@ fn http_config<Backend>(
+     )
+     .service(web::resource("/pkg/lldap_app_bg.wasm").route(web::route().to(wasm_handler)))
+     // Serve the /pkg path with the compiled WASM app.
+-    .service(Files::new("/pkg", "./app/pkg"))
+    .service(Files::new("/pkg", "@frontend@/pkg"))
+     // Serve static files
+-    .service(Files::new("/static", "./app/static"))
+    .service(Files::new("/static", "@frontend@/static"))
+     // Serve static fonts
+-    .service(Files::new("/static/fonts", "./app/static/fonts"))
+    .service(Files::new("/static/fonts", "@frontend@/static/fonts"))
+     // Default to serve index.html for unknown routes, to support routing.
+     .default_service(web::route().guard(guard::Get()).to(index));
+ }
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@ -25265,6 +25265,8 @@ with pkgs;

  livepeer = callPackage ../servers/livepeer { };

+  lldap = callPackage ../servers/ldap/lldap { };
+
  lwan = callPackage ../servers/http/lwan { };

  labelImg = callPackage ../applications/science/machine-learning/labelimg { };