freeipa: init at 4.4.3 #22789
pkgs/top-level/python-packages.nix
preBuild = '' | ||
cd base/common/python | ||
unset SOURCE_DATE_EPOCH |
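Review bot: the `unset SOURCE_DATE_EPOCH` in preBuild needs a comment naming which step of the base/common/python build fails when the variable is set. SOURCE_DATE_EPOCH is what nixpkgs uses to pin embedded timestamps, so clearing it quietly gives up reproducibility of everything this phase produces; if the problem is only a timestamp the packaging step rejects, setting it to a later fixed value keeps the output deterministic where an unset does not.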
why are you unsetting this?
I'm surprised to see you actually need to unset it yourself.
tests of
I've addressed all of the issues you pointed out, @FRidh.
Ping @FRidh
We have a local freeipa server. I hope I can get around to test this soon. Thanks for your work on this!
This has been open for quite a while. My apologies for not replying any sooner.
@e-user If there's tests requiring network we disable those.
Will this lead to allowing NixOS to be a freeipa server as well?
I think not (from first post):
@ts468 I've only reviewed the Python expressions for which only minor changes are needed. Eventually separate commits are needed as well.
(triage) @e-user, are you still willing to push this forward? :)
Actually, I am interested again, @Ekleog. I'll look into this again over the next days.
I, too, am interested here. Anything I can assist with?
I'm installing NixOS into a VM right now and will pick it up again, for real.
So yeah, what's left to do? All issues had already been resolved before master moved on, again. I will happily resolve the conflicts, but I would appreciate it if that could result in an actual merge. Alternatively, if anyone (@poelzi?) would prefer to run a real-life test against an actual server, I'll gladly provide guidance on how to do this, if so desired.
I'm open to test this if you resolve the conflicts.
Apart from the merge conflicts, is there anything that is keeping this from being merged @infinisil ?
ping ^^
@FRidh I hope I am not asking for too much, but since you seem to have merge rights and are already familiar with the pull request, would it be possible that you coordinate the inclusion of this package? There hasn't been any activity on this pull request for half a year and it seems as if there are no missing required changes, apart from the conflicts of course.
Have a bunch of nit-picky review comments. Happy to test this further if you rebase/polish/upgrade it. If no one else objects once that's done I'll merge it in.
let | ||
name = "libverto-${version}"; | ||
version = "0.2.6"; | ||
in |
You can replace this whole thing by just using pname below.
async api which allows the library to expose asynchronous interfaces and | ||
offload the choice of the main loop to the application. | ||
''; | ||
homepage = https://github.com/latchset/libverto/; |
homepage = https://github.com/latchset/libverto/; | |
homepage = "https://github.com/latchset/libverto/"; |
inherit (stdenv.lib) concatStringsSep replaceStrings; | ||
in | ||
buildPythonPackage rec { | ||
name = "nss-${version}"; |
name = "nss-${version}"; | |
pname = "nss"; |
|
||
meta = with stdenv.lib; { | ||
description = "Python binding for NSS"; | ||
homepage = https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Python_binding_for_NSS; |
homepage = https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Python_binding_for_NSS; | |
homepage = "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Python_binding_for_NSS"; |
six }: | ||
|
||
buildPythonPackage rec { | ||
name = "pki-core-${version}"; |
name = "pki-core-${version}"; | |
pname = "pki-core"; |
This makes things much nicer for users pinning this to a different version in an overlay, and matches the general coding standards.
prefix = "/"; | ||
|
||
# Building and installing the server fails with silent Rhino errors, skipping | ||
# for now. Need a newer Rhino version. |
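Review bot: the comment skipping the server build says only "Need a newer Rhino version"; it should record the Rhino version that was tried, the one believed to work, or a link to the upstream report, otherwise nobody picking this up later can tell when the skip may be lifted.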
Do we have this now, or is this still the case?
features for further integration with Linux based clients (SUDO, automount) | ||
and integration with Active Directory based infrastructures (Trusts). | ||
''; | ||
homepage = https://www.freeipa.org/; |
homepage = https://www.freeipa.org/; | |
homepage = "https://www.freeipa.org/"; |
@@ -0,0 +1,5 @@ | |||
#!/bin/sh | |||
|
|||
echo "ipa-client-install is not available on NixOS. Please see services.ipa.client, instead." |
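Review bot: the notice in the stub is written to stdout, and nothing in the lines shown makes the script fail, so any automation that calls ipa-client-install will see a successful run with the explanation buried in its output. Send the message to stderr (`echo "..." >&2`) and finish with `exit 1`; if the two lines of the hunk not shown here already exit non-zero, only the redirect remains to add.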
echo "ipa-client-install is not available on NixOS. Please see services.ipa.client, instead." | |
echo "ipa-client-install is not available on NixOS. Please see services.ipa.client instead." |
@@ -3,10 +3,12 @@ | |||
, libcap, libtool, libxml2, openssl | |||
, enablePython ? config.bind.enablePython or false, python3 ? null | |||
, enableSeccomp ? false, libseccomp ? null, buildPackages | |||
, enableGSSAPI ? true, kerberos ? null |
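Review bot: `enableGSSAPI ? true` is paired with `kerberos ? null`, so a caller who passes `kerberos = null` without turning the feature off gets a failure deep inside configure rather than at evaluation time. Add `assert enableGSSAPI -> kerberos != null;` in the usual nixpkgs style for optional inputs, or drop the `? null` default since the feature is on by default and the input is then always required.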
Nice 👍
dns_lookup_realm = false | ||
dns_lookup_kdc = true | ||
rdns = false | ||
ticket_lifetime = 24h |
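Review bot: `ticket_lifetime = 24h` and `dns_lookup_kdc = true` are hard-coded; both should become module options with these values as defaults, because KDC discovery through DNS SRV records is unauthenticated and some deployments will want to pin `kdc` and `admin_server` per realm instead. `rdns = false` and `dns_lookup_realm = false` are the right defaults for a client and should stay; a one-line comment on why they are set would help the next reader.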
Might be nice to make this one configurable.
|
||
meta = with stdenv.lib; { | ||
description = "Python LESS Compiler"; | ||
homepage = https://github.com/lesscpy/lesscpy; |
homepage = https://github.com/lesscpy/lesscpy; | |
homepage = "https://github.com/lesscpy/lesscpy"; |
{ stdenv, fetchFromGitHub, autoreconfHook, pkgconfig, glib, libev, libevent, tevent, talloc }: | ||
|
||
let | ||
name = "libverto-${version}"; |
name = "libverto-${version}"; | |
pname = "libverto"; |
Closing since author did not respond in the last months. If this is still important to you please reopen the discussion here.
Still important to me. |
Yeah sorry guys. I don't even have a NixOS installation anymore, at all, so I can't really work on it. If anyone needs help finishing this, let me know. |
I'm vaguely considering picking this up. Before I dive in, does anyone know if there has been other related work that would significantly affect this one? |
Almost two years. Just suppose that no one knows. |
I kinda need this, and it appears that @outergod did some impressive work... I may take this up and bump to the latest version of freeipa. Is there interest? |
This is a package database. It will always be interesting to include a package to it. |
According to NixOS#22789 (comment), the maintainer doesn't use NixOS anymore.
I'm picking this up. I will open a new PR once I get things working... |
Please see #207115 which supersedes this. |
libverto: init at 0.2.6
pythonPackages.nss: init at 1.0.0
pythonPackages.pki: init at 10.3.5
pythonPackages.lesscpy: init at 0.12.0
pythonPackages.python-yubico: init at 1.3.2
Changed bind to optionally build with Kerberos support.
Changed krb5 to build with system libverto by default.
Motivation for this change
This changeset contains all packages and other changes to turn NixOS into a fully capable, well-behaving FreeIPA client and domain member. While only the client portion of FreeIPA is fully implemented, some of the work for building the server component has also been done to actually make the client build succeed.
FreeIPA needs several packages to be built with MIT Kerberos, which in turn needs to use a newer version of libverto than the one bundled with krb5. Because of transitive dependencies, Samba 4 also needs to be built with that same version of MIT Kerberos. The changeset takes a stance that krb5 should much rather always be built with system libverto, which will trigger a mass-rebuild but save time and space in the long run because no duplicate versions of krb5 dependents are needed.
Building with libverto is explicitly switched off for fetchurl's curl derivation to prevent a circular dependency.

The usual way to join a host to IPA is via freeipa-client-install, which normally modifies and backs up many different files in /etc, which is not possible on NixOS, for obvious reasons. Therefore, I created a nix module that does the same job idiomatically. The only manual steps for a user are to prefetch the certificate from the server and specify the resulting hash in the configuration, as seen below. After activating the configuration, they need to join the domain and obtain the keytab file manually, for which multiple different methods exist, with the most common one presented in the build output. A typical, valid FreeIPA configuration looks like this:

The easiest way to test this is to create and set up a FreeIPA instance in a Fedora VM or docker container and build a NixOS version via nixos-container, bind-mounting nixpkgs like so:

I'm well aware this is not a trivial change but I believe the benefit makes up for it and I'm grateful for reviewers who feel like they could tackle this.
Things done
Tested using sandboxing (nix.useSandbox on NixOS, or option build-use-sandbox in nix.conf on non-NixOS)
Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
Tested execution of all binary files (usually in ./result/bin/)
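As an added example, not code from this pull request or from nixpkgs, the following Python audits a rendered krb5.conf against the client-side [libdefaults] values that appear in the reviewed diff: rdns = false stops reverse-DNS canonicalisation of service hostnames (an attacker who controls PTR records could otherwise steer the client to a different principal), dns_lookup_realm = false keeps realm selection out of DNS TXT records, and ticket_lifetime is bounded at 24h. The two configurations embedded below are constructed for the example; the four settings mirror the lines shown in the review, the realm name and everything else is an assumption, and the duration parser only handles the N[d|h|m|s] forms used here.

```python
import re

# Settings from the krb5.conf fragment in the review and the value a hardened
# client should carry. Both are compared case-insensitively.
EXPECTED_LIBDEFAULTS = {"rdns": "false", "dns_lookup_realm": "false"}
MAX_TICKET_LIFETIME_S = 24 * 3600  # the fragment's 24h, used here as an upper bound

_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_duration(value):
    """Parse a krb5 duration: bare seconds or one or more N[d|h|m|s] groups (e.g. 10h30m)."""
    value = value.strip()
    if value.isdigit():
        return int(value)
    if not re.fullmatch(r"(?:\d+[dhms])+", value):
        raise ValueError(f"unsupported duration syntax: {value!r}")
    return sum(int(n) * _UNIT_SECONDS[u] for n, u in re.findall(r"(\d+)([dhms])", value))


def parse_libdefaults(text):
    """Return the key/value pairs of the [libdefaults] section as a dict."""
    section, settings = None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # krb5.conf treats '#' as a comment
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
            continue
        if section == "libdefaults" and "=" in line:
            key, _, val = line.partition("=")
            settings[key.strip()] = val.strip()
    return settings


def audit_libdefaults(text):
    """List deviations from the expected client hardening; an empty list means clean."""
    settings = parse_libdefaults(text)
    findings = []
    for key, want in EXPECTED_LIBDEFAULTS.items():
        got = settings.get(key)
        if got is None:
            findings.append(f"{key} not set; the library default applies")
        elif got.lower() != want:
            findings.append(f"{key} = {got}, expected {want}")
    lifetime = settings.get("ticket_lifetime")
    if lifetime is not None and parse_duration(lifetime) > MAX_TICKET_LIFETIME_S:
        findings.append(f"ticket_lifetime = {lifetime} exceeds 24h")
    return findings


# Constructed sample: the four settings shown in the review plus an assumed realm.
MODULE_CONF = """\
[libdefaults]
  default_realm = EXAMPLE.TEST
  dns_lookup_realm = false
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
"""

# Constructed sample of a weaker client configuration, for comparison.
WEAK_CONF = """\
[libdefaults]
  default_realm = EXAMPLE.TEST
  dns_lookup_realm = false
  dns_lookup_kdc = true
  rdns = true        # reverse-DNS canonicalisation left enabled
  ticket_lifetime = 7d
"""

if __name__ == "__main__":
    for name, conf in (("module defaults", MODULE_CONF), ("weak config", WEAK_CONF)):
        print(name, "->", audit_libdefaults(conf) or "ok")
```

dns_lookup_kdc is deliberately not flagged: with FreeIPA's integrated DNS it is the normal way for clients to find KDCs, but it does make DNS part of the trust path, which is why the review above suggests making it, and ticket_lifetime, configurable.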