freeipa: init at 4.4.3 #22789
freeipa: init at 4.4.3 #22789
Conversation
pkgs/top-level/python-packages.nix
Outdated
|
|
||
| preBuild = '' | ||
| cd base/common/python | ||
| unset SOURCE_DATE_EPOCH |
There was a problem hiding this comment.
There was a problem hiding this comment.
I'm surprised to see you actually need to unset it yourself.
|
tests of |
outergod
force-pushed
the
pkgs/freeipa-4.4.3
branch
from
c2da7f3
to
74e66a4
Compare
|
I've addressed all of the issues you pointed out, @FRidh. |
outergod
force-pushed
the
pkgs/freeipa-4.4.3
branch
from
74e66a4
to
421f6a5
Compare
|
Ping @FRidh |
|
We have a local freeipa server. I hope I can get around to test this soon. Thanks for your work on this! |
|
Will this lead to allowing NixOS being a freeipa server as well? |
|
I think not (from first post): |
|
@ts468 I've only reviewed the Python expressions for which only minor changes are needed. Eventually separate commits are needed as well. |
|
(triage) @e-user, are you still willing to push this forward? :) |
|
Actually, I am interested again, @Ekleog. I'll look into this again over the next days. |
|
I, too, am interested here. Anything I can assist with? |
|
I'm installing NixOS into a VM right now and will pick it up again, for real. |
outergod
force-pushed
the
pkgs/freeipa-4.4.3
branch
from
421f6a5
to
3e9abf2
Compare
|
So yeah, what's left to do? All issues had already been resolved before master moved on, again. I will happily resolve the conflicts, but I would appreciate if that could resolve in an actual merge. Alternatively, if anyone (@poelzi?) would prefer to run a real-life test against an actual server, I'll gladly provide guidance on how to do this, if so desired. |
|
I'm open to test this if you resolve the conflicts. |
|
Apart from the merge conflicts, is there anything that is keeping this from being merged @infinisil ? |
|
ping ^^ |
|
@FRidh I hope I am not asking for too much, but since you seem to have merge rights and are already familiar with the pull request, would it be possible that you coordinate the inclusion of this package? There hasn't been any activity on this pull request since half a year and it seems as if there are no missing required changes, apart from the conflicts of course |
| let | ||
| name = "libverto-${version}"; | ||
| version = "0.2.6"; | ||
| in |
There was a problem hiding this comment.
You can replace this whole thing by just using pname below.
| async api which allows the library to expose asynchronous interfaces and | ||
| offload the choice of the main loop to the application. | ||
| ''; | ||
| homepage = https://github.com/latchset/libverto/; |
There was a problem hiding this comment.
| homepage = https://github.com/latchset/libverto/; | |
| homepage = "https://github.com/latchset/libverto/"; |
| inherit (stdenv.lib) concatStringsSep replaceStrings; | ||
| in | ||
| buildPythonPackage rec { | ||
| name = "nss-${version}"; |
There was a problem hiding this comment.
| name = "nss-${version}"; | |
| pname = "nss"; |
|
|
||
| meta = with stdenv.lib; { | ||
| description = "Python binding for NSS"; | ||
| homepage = https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Python_binding_for_NSS; |
There was a problem hiding this comment.
| homepage = https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Python_binding_for_NSS; | |
| homepage = "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Python_binding_for_NSS"; |
| six }: | ||
|
|
||
| buildPythonPackage rec { | ||
| name = "pki-core-${version}"; |
There was a problem hiding this comment.
| name = "pki-core-${version}"; | |
| pname = "pki-core"; |
This makes things much nicer for users pinning this to a different version in an overlay, and matches the general coding standards.
| prefix = "/"; | ||
|
|
||
| # Building and installing the server fails with silent Rhino errors, skipping | ||
| # for now. Need a newer Rhino version. |
There was a problem hiding this comment.
Do we have this how, or still the case?
| features for further integration with Linux based clients (SUDO, automount) | ||
| and integration with Active Directory based infrastructures (Trusts). | ||
| ''; | ||
| homepage = https://www.freeipa.org/; |
There was a problem hiding this comment.
| homepage = https://www.freeipa.org/; | |
| homepage = "https://www.freeipa.org/"; |
| @@ -0,0 +1,5 @@ | |||
| #!/bin/sh | |||
|
|
|||
| echo "ipa-client-install is not available on NixOS. Please see services.ipa.client, instead." | |||
There was a problem hiding this comment.
| echo "ipa-client-install is not available on NixOS. Please see services.ipa.client, instead." | |
| echo "ipa-client-install is not available on NixOS. Please see services.ipa.client instead." |
| @@ -3,10 +3,12 @@ | |||
| , libcap, libtool, libxml2, openssl | |||
| , enablePython ? config.bind.enablePython or false, python3 ? null | |||
| , enableSeccomp ? false, libseccomp ? null, buildPackages | |||
| , enableGSSAPI ? true, kerberos ? null | |||
| dns_lookup_realm = false | ||
| dns_lookup_kdc = true | ||
| rdns = false | ||
| ticket_lifetime = 24h |
There was a problem hiding this comment.
Might be nice to make this one configurable.
|
|
||
| meta = with stdenv.lib; { | ||
| description = "Python LESS Compiler"; | ||
| homepage = https://github.com/lesscpy/lesscpy; |
There was a problem hiding this comment.
| homepage = https://github.com/lesscpy/lesscpy; | |
| homepage = "https://github.com/lesscpy/lesscpy"; |
| { stdenv, fetchFromGitHub, autoreconfHook, pkgconfig, glib, libev, libevent, tevent, talloc }: | ||
|
|
||
| let | ||
| name = "libverto-${version}"; |
There was a problem hiding this comment.
| name = "libverto-${version}"; | |
| pname = "libverto"; |
|
Closing since author did not respond in the last months. If this is still important to you please reopen the discussion here. |
|
Still important to me. |
|
Yeah sorry guys. I don't even have a NixOS installation anymore, at all, so I can't really work on it. If anyone needs help finishing this, let me know. |
|
I'm vaguely considering picking this up. Before I dive in, does anyone know if there has been other related work that would significantly affect this one? |
|
Almost two years. Just suppose that no one knows. |
|
I kinda need this, and it appears that @outergod did some impressive work... I may take this up and bump to the latest version of freeipa. Is there interest? |
|
This is a package database. It will always be interesting to include a package to it. |
According to NixOS#22789 (comment), the maintainer doesn't use NixOS anymore.
|
I'm picking this up. I will open a new PR once I get things working... |
|
Please see #207115 which supersedes this. |
libverto: init at 0.2.6
pythonPackages.nss: init at 1.0.0
pythonPackages.pki: init at 10.3.5
pythonPackages.lesscpy: init at 0.12.0
pythonPackages.python-yubico: init at 1.3.2
Changed bind to optionally build with Kerberos support.
Changed krb5 to build with system libverto by default.
Motivation for this change
This changeset contains all packages and other changes to turn NixOS into a fully capable, well-behaving FreeIPA client and domain member. While only the client portion of FreeIPA is fully implemented, some of the work for building the server component has also been done to actually make the client build succeed.
FreeIPA needs several packages to be build with MIT Kerberos, which in turn needs to use a newer version of libverto than the one bundled with krb5. Because of transitive dependencies, Samba 4 also needs to be build with that same version of MIT Kerberos. The changeset takes a stance that krb5 should much rather always be built with system libverto, which will trigger a mass-rebuild but save time and space in the long run because no duplicate versions of krb5 dependents are needed.
Building with libverto is explicitly switched off for
fetchurl's curl derivation to prevent a circular dependency.The usual way to join a host to IPA is via
freeipa-client-install, which normally modifies and backs up many different files in/etc, which is not possible on NixOS, for obvious reasons. Therefore, I created a nix module that does the same job idiomatically. The only manual steps for a user is to prefetch the certificate from the server and specify the resulting hash in the configuration, as seen below. After activating the configuration, they need to join the domain and obtain the keytab file manually, for which multiple different methods exist, with the most common one presented in the build output.A typical, a valid set of FreeIPA configuration looks like this:
The easiest way to test this is to create and set up a FreeIPA instance in a Fedora VM or docker container and build a NixOS version via
nixos-container, bind-mounting nixpkgs like so:I'm well aware this is not a trivial change but I believe the benefit makes up for it and I'm grateful for reviewers who feel like they could tackle this.
Things done
(nix.useSandbox on NixOS,
or option
build-use-sandboxinnix.confon non-NixOS)
nix-shell -p nox --run "nox-review wip"./result/bin/)