@ibizaman ibizaman commented Jul 16, 2025

Provides first class support for secrets used by LLDAP: the admin password and the jwt secret. Also provides first class support for the option to replace the secrets on each service start.

This PR precedes PR #425923 which adds first class support for the LLDAP bootstrap script.

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
    • sandbox = relaxed
    • sandbox = true
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • Nixpkgs 25.11 Release Notes (or backporting 25.05 Nixpkgs Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
  • NixOS 25.11 Release Notes (or backporting 25.05 NixOS Release notes)
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md, pkgs/README.md, maintainers/README.md and other contributing documentation in corresponding paths.


@ibizaman ibizaman requested a review from emilylange July 16, 2025 20:57
@nixpkgs-ci nixpkgs-ci bot added 10.rebuild-linux: 1-10 This PR causes between 1 and 10 packages to rebuild on Linux. 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin. 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` labels Jul 16, 2025
@ibizaman ibizaman requested a review from bendlas July 16, 2025 21:19
@emilylange emilylange removed their request for review July 17, 2025 01:11
@bendlas bendlas left a comment

For adding logic on top of lldap settings, please just document the relevant settings key in the config.services.lldap.settings freeform type, instead of introducing top-level options.

@ibizaman ibizaman force-pushed the lldap-secrets branch 2 times, most recently from 0433dd2 to 8d75a60 Compare July 23, 2025 06:43
@ibizaman ibizaman requested a review from bendlas July 23, 2025 08:23
@ibizaman ibizaman changed the title lldap: add options to set important secrets lldap: document settings related to passwords and secrets Jul 23, 2025
@ibizaman ibizaman force-pushed the lldap-secrets branch 2 times, most recently from 081018c to d7b92a6 Compare July 23, 2025 09:03
@ibizaman

Btw, in a later version of LLDAP, this commit makes it mandatory to set the LLDAP password. I propose to leave this PR as-is and I'll make the ldap_user_pass_file setting required in the "bump" PR #425918, which I will also update to use version 0.6.2 when it's out.


bendlas commented Jul 23, 2025

I propose to leave this PR as-is and I'll make the ldap_user_pass_file setting required in the "bump" PR #425918 which I will also update to use version 0.6.2 when it's out.

Sounds good to me. There are more warnings that might be good to have, e.g. when using the non-`*_file` versions of the secret settings, which will expose them in /nix/store, but this is in a good state now, afaict.
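As an added illustration of that warning (example configuration, not code from this PR or from the nixpkgs module): the inline secret settings shown beside their `*_file` counterparts, plus a build-time assertion that refuses the inline form. The key names `ldap_user_pass`, `jwt_secret`, `ldap_user_pass_file` and `jwt_secret_file` are LLDAP's own; the `/run/secrets/...` paths are placeholders for wherever a secret manager writes the files, and the assertion assumes the module passes `settings` through unchanged.

```nix
# Added example, not part of the PR or the nixpkgs lldap module.
{ config, ... }:

{
  # Weak form: literal secrets become part of the generated config file,
  # which is written to the world-readable /nix/store.
  # services.lldap.settings = {
  #   ldap_user_pass = "hunter2";          # constructed placeholder
  #   jwt_secret     = "not-so-secret";    # constructed placeholder
  # };

  services.lldap = {
    enable = true;
    settings = {
      ldap_base_dn = "dc=example,dc=com";
      # Hardened form: only the paths land in the store; lldap reads
      # the files at service start. Paths are placeholders for a
      # secret manager's output (assumption).
      ldap_user_pass_file = "/run/secrets/lldap-user-pass";
      jwt_secret_file = "/run/secrets/lldap-jwt-secret";
    };
  };

  # Guard: fail evaluation if an inline secret is set, so the mistake
  # is caught before anything is copied into /nix/store.
  assertions = [
    {
      assertion =
        !(config.services.lldap.settings ? ldap_user_pass)
        && !(config.services.lldap.settings ? jwt_secret);
      message = ''
        services.lldap.settings: use ldap_user_pass_file / jwt_secret_file;
        inline values would be copied into the world-readable /nix/store.
      '';
    }
  ];
}
```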

@nixpkgs-ci nixpkgs-ci bot added the 12.approvals: 1 This PR was reviewed and approved by one person. label Jul 23, 2025
@ibizaman

Has been merged as part of #425918

@ibizaman ibizaman closed this Aug 24, 2025
@ibizaman ibizaman deleted the lldap-secrets branch August 24, 2025 19:32
@ibizaman ibizaman restored the lldap-secrets branch August 24, 2025 19:34
@ibizaman ibizaman deleted the lldap-secrets branch August 24, 2025 19:34