authorKerstin <kerstin@erictapen.name>2022-09-15 16:28:21 +0200
committerGitHub <noreply@github.com>2022-09-15 16:28:21 +0200
commit1637945189070199494480264357738cc946c70c (patch)
treeb076ee826b4afc2d98432ef75f7ecbd4bb6e67b4
parentfd745268a4f48d25875cc32b17abb0b32f45207e (diff)
parentfb3f7d70b438a729f4f10d2e31f546d24bfeb6b2 (diff)
Merge pull request #189975 from Tasqa/kanidm-cacerts-fix
nixos/kanidm: Add cacerts path to unixd service
-rw-r--r--nixos/modules/services/security/kanidm.nix2
-rw-r--r--nixos/tests/kanidm.nix12
2 files changed, 12 insertions, 2 deletions
diff --git a/nixos/modules/services/security/kanidm.nix b/nixos/modules/services/security/kanidm.nix
index 53929761b86c0..788e06ffecf01 100644
--- a/nixos/modules/services/security/kanidm.nix
+++ b/nixos/modules/services/security/kanidm.nix
@@ -248,6 +248,8 @@ in
           "-/etc/localtime"
           "-/etc/kanidm"
           "-/etc/static/kanidm"
+          "-/etc/ssl"
+          "-/etc/static/ssl"
         ];
         BindPaths = [
           # To create the socket
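Review bot: The two new entries at `"-/etc/ssl"` and `"-/etc/static/ssl"` carry no comment, while the neighbouring `BindPaths` entry explains its purpose, so a reader of this hardened unit has to find the PR title to learn why the CA store is being exposed to the sandbox. A one-line comment above them would keep the intent next to the setting, e.g. `# System CA store, needed to verify the server's TLS certificate`. The leading `-` makes both binds optional, so a host without these paths would start the unit and presumably only fail later when TLS verification runs; that is worth stating in the same comment. The list these lines extend starts outside the hunk.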
diff --git a/nixos/tests/kanidm.nix b/nixos/tests/kanidm.nix
index 852dc53e75d3f..7f8a4e501777e 100644
--- a/nixos/tests/kanidm.nix
+++ b/nixos/tests/kanidm.nix
@@ -44,6 +44,12 @@ import ./make-test-python.nix ({ pkgs, ... }:
         enableClient = true;
         clientSettings = {
           uri = "https://${serverDomain}";
+          verify_ca = true;
+          verify_hostnames = true;
+        };
+        enablePam = true;
+        unixSettings = {
+          pam_allowed_login_groups = [ "shell" ];
         };
       };
 
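Review bot: The new `verify_ca = true;` and `verify_hostnames = true;` lines are what turn this test into a regression check for the CA-store bind, but nothing in the hunk says so, and a later cleanup could drop them without noticing the test then passes vacuously. A short comment above `verify_ca` would pin that down, e.g. `# Keep verification enabled: the unixd sandbox must be able to read the CA store`. The `pam_allowed_login_groups = [ "shell" ];` setting is presumably there only so unixd has a valid configuration; a comment saying that would stop readers looking for a "shell" group that the visible config does not define. The attribute set these lines belong to starts outside the hunk.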
@@ -67,9 +73,11 @@ import ./make-test-python.nix ({ pkgs, ... }:
         start_all()
         server.wait_for_unit("kanidm.service")
         server.wait_until_succeeds("curl -sf https://${serverDomain} | grep Kanidm")
-        server.wait_until_succeeds("ldapsearch -H ldap://[::1]:636 -b '${ldapBaseDN}' -x '(name=test)'")
-        client.wait_until_succeeds("kanidm login -D anonymous && kanidm self whoami | grep anonymous@${serverDomain}")
+        server.succeed("ldapsearch -H ldap://[::1]:636 -b '${ldapBaseDN}' -x '(name=test)'")
+        client.succeed("kanidm login -D anonymous && kanidm self whoami | grep anonymous@${serverDomain}")
         rv, result = server.execute("kanidmd recover_account -c ${serverConfigFile} idm_admin 2>&1 | rg -o '[A-Za-z0-9]{48}'")
         assert rv == 0
+        client.wait_for_unit("kanidm-unixd.service")
+        client.succeed("kanidm_unixd_status | grep working!")
       '';
   })
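Review bot: `client.succeed("kanidm_unixd_status | grep working!")` runs exactly once right after `client.wait_for_unit("kanidm-unixd.service")`, and the unit being active does not by itself show that the daemon has finished its first TLS connection to the server, so this check looks racy; `client.wait_until_succeeds("kanidm_unixd_status | grep working!")` would retry until the status line appears. The same reasoning applies to the switch from `wait_until_succeeds` to `succeed` on the ldapsearch and login lines: the preceding curl wait covers the HTTPS listener, but presumably not the LDAP listener, so the ldapsearch line may be the next flake. The test script this hunk belongs to starts before the hunk.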