Merge pull request #264584 from Ma27/drop-privacyidea

privacyidea: remove

authored by

Robin Gloster and committed by
GitHub
7e2992c0 16cfcd2e

+4 -803
+2
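--- a/nixos/doc/manual/release-notes/rl-2311.section.md
+++ b/nixos/doc/manual/release-notes/rl-2311.section.md
@@ -341,6 +341,8 @@
 
 - `service.borgmatic.settings.location` and `services.borgmatic.configurations.<name>.location` are deprecated, please move your options out of sections to the global scope.
 
+- `privacyidea` (and the corresponding `privacyidea-ldap-proxy`) has been removed from nixpkgs because it has severely outdated dependencies that became unmaintainable with nixpkgs' python package-set.
+
 - `dagger` was removed because using a package called `dagger` and packaging it from source violates their trademark policy.
 
 - `win-virtio` package was renamed to `virtio-win` to be consistent with the upstream package name.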
-1
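--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -1176,7 +1176,6 @@
 ./services/security/opensnitch.nix
 ./services/security/pass-secret-service.nix
 ./services/security/physlock.nix
-./services/security/privacyidea.nix
 ./services/security/shibboleth-sp.nix
 ./services/security/sks.nix
 ./services/security/sshguard.nix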
-458
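--- a/nixos/modules/services/security/privacyidea.nix
+++ b/nixos/modules/services/security/privacyidea.nix
@@ -1,458 +0,0 @@
-{ config, lib, options, pkgs, ... }:
-
-with lib;
-
-let
-cfg = config.services.privacyidea;
-opt = options.services.privacyidea;
-
-uwsgi = pkgs.uwsgi.override { plugins = [ "python3" ]; python3 = pkgs.python310; };
-python = uwsgi.python3;
-penv = python.withPackages (const [ pkgs.privacyidea ]);
-logCfg = pkgs.writeText "privacyidea-log.cfg" ''
-[formatters]
-keys=detail
-
-[handlers]
-keys=stream
-
-[formatter_detail]
-class=privacyidea.lib.log.SecureFormatter
-format=[%(asctime)s][%(process)d][%(thread)d][%(levelname)s][%(name)s:%(lineno)d] %(message)s
-
-[handler_stream]
-class=StreamHandler
-level=NOTSET
-formatter=detail
-args=(sys.stdout,)
-
-[loggers]
-keys=root,privacyidea
-
-[logger_privacyidea]
-handlers=stream
-qualname=privacyidea
-level=INFO
-
-[logger_root]
-handlers=stream
-level=ERROR
-'';
-
-piCfgFile = pkgs.writeText "privacyidea.cfg" ''
-SUPERUSER_REALM = [ '${concatStringsSep "', '" cfg.superuserRealm}' ]
-SQLALCHEMY_DATABASE_URI = 'postgresql+psycopg2:///privacyidea'
-SECRET_KEY = '${cfg.secretKey}'
-PI_PEPPER = '${cfg.pepper}'
-PI_ENCFILE = '${cfg.encFile}'
-PI_AUDIT_KEY_PRIVATE = '${cfg.auditKeyPrivate}'
-PI_AUDIT_KEY_PUBLIC = '${cfg.auditKeyPublic}'
-PI_LOGCONFIG = '${logCfg}'
-${cfg.extraConfig}
-'';
-
-renderValue = x:
-if isList x then concatMapStringsSep "," (x: ''"${x}"'') x
-else if isString x && hasInfix "," x then ''"${x}"''
-else x;
-
-ldapProxyConfig = pkgs.writeText "ldap-proxy.ini"
-(generators.toINI {}
-(flip mapAttrs cfg.ldap-proxy.settings
-(const (mapAttrs (const renderValue)))));
-
-privacyidea-token-janitor = pkgs.writeShellScriptBin "privacyidea-token-janitor" ''
-exec -a privacyidea-token-janitor \
-/run/wrappers/bin/sudo -u ${cfg.user} \
-env PRIVACYIDEA_CONFIGFILE=${cfg.stateDir}/privacyidea.cfg \
-${penv}/bin/privacyidea-token-janitor $@
-'';
-in
-
-{
-options = {
-services.privacyidea = {
-enable = mkEnableOption (lib.mdDoc "PrivacyIDEA");
-
-environmentFile = mkOption {
-type = types.nullOr types.path;
-default = null;
-example = "/root/privacyidea.env";
-description = lib.mdDoc ''
-File to load as environment file. Environment variables
-from this file will be interpolated into the config file
-using `envsubst` which is helpful for specifying
-secrets:
-```
-{ services.privacyidea.secretKey = "$SECRET"; }
-```
-
-The environment-file can now specify the actual secret key:
-```
-SECRET=veryverytopsecret
-```
-'';
-};
-
-stateDir = mkOption {
-type = types.str;
-default = "/var/lib/privacyidea";
-description = lib.mdDoc ''
-Directory where all PrivacyIDEA files will be placed by default.
-'';
-};
-
-superuserRealm = mkOption {
-type = types.listOf types.str;
-default = [ "super" "administrators" ];
-description = lib.mdDoc ''
-The realm where users are allowed to login as administrators.
-'';
-};
-
-secretKey = mkOption {
-type = types.str;
-example = "t0p s3cr3t";
-description = lib.mdDoc ''
-This is used to encrypt the auth_token.
-'';
-};
-
-pepper = mkOption {
-type = types.str;
-example = "Never know...";
-description = lib.mdDoc ''
-This is used to encrypt the admin passwords.
-'';
-};
-
-encFile = mkOption {
-type = types.str;
-default = "${cfg.stateDir}/enckey";
-defaultText = literalExpression ''"''${config.${opt.stateDir}}/enckey"'';
-description = lib.mdDoc ''
-This is used to encrypt the token data and token passwords
-'';
-};
-
-auditKeyPrivate = mkOption {
-type = types.str;
-default = "${cfg.stateDir}/private.pem";
-defaultText = literalExpression ''"''${config.${opt.stateDir}}/private.pem"'';
-description = lib.mdDoc ''
-Private Key for signing the audit log.
-'';
-};
-
-auditKeyPublic = mkOption {
-type = types.str;
-default = "${cfg.stateDir}/public.pem";
-defaultText = literalExpression ''"''${config.${opt.stateDir}}/public.pem"'';
-description = lib.mdDoc ''
-Public key for checking signatures of the audit log.
-'';
-};
-
-adminPasswordFile = mkOption {
-type = types.path;
-description = lib.mdDoc "File containing password for the admin user";
-};
-
-adminEmail = mkOption {
-type = types.str;
-example = "admin@example.com";
-description = lib.mdDoc "Mail address for the admin user";
-};
-
-extraConfig = mkOption {
-type = types.lines;
-default = "";
-description = lib.mdDoc ''
-Extra configuration options for pi.cfg.
-'';
-};
-
-user = mkOption {
-type = types.str;
-default = "privacyidea";
-description = lib.mdDoc "User account under which PrivacyIDEA runs.";
-};
-
-group = mkOption {
-type = types.str;
-default = "privacyidea";
-description = lib.mdDoc "Group account under which PrivacyIDEA runs.";
-};
-
-tokenjanitor = {
-enable = mkEnableOption (lib.mdDoc "automatic runs of the token janitor");
-interval = mkOption {
-default = "quarterly";
-type = types.str;
-description = lib.mdDoc ''
-Interval in which the cleanup program is supposed to run.
-See {manpage}`systemd.time(7)` for further information.
-'';
-};
-action = mkOption {
-type = types.enum [ "delete" "mark" "disable" "unassign" ];
-description = lib.mdDoc ''
-Which action to take for matching tokens.
-'';
-};
-unassigned = mkOption {
-default = false;
-type = types.bool;
-description = lib.mdDoc ''
-Whether to search for **unassigned** tokens
-and apply [](#opt-services.privacyidea.tokenjanitor.action)
-onto them.
-'';
-};
-orphaned = mkOption {
-default = true;
-type = types.bool;
-description = lib.mdDoc ''
-Whether to search for **orphaned** tokens
-and apply [](#opt-services.privacyidea.tokenjanitor.action)
-onto them.
-'';
-};
-};
-
-ldap-proxy = {
-enable = mkEnableOption (lib.mdDoc "PrivacyIDEA LDAP Proxy");
-
-configFile = mkOption {
-type = types.nullOr types.path;
-default = null;
-description = lib.mdDoc ''
-Path to PrivacyIDEA LDAP Proxy configuration (proxy.ini).
-'';
-};
-
-user = mkOption {
-type = types.str;
-default = "pi-ldap-proxy";
-description = lib.mdDoc "User account under which PrivacyIDEA LDAP proxy runs.";
-};
-
-group = mkOption {
-type = types.str;
-default = "pi-ldap-proxy";
-description = lib.mdDoc "Group account under which PrivacyIDEA LDAP proxy runs.";
-};
-
-settings = mkOption {
-type = with types; attrsOf (attrsOf (oneOf [ str bool int (listOf str) ]));
-default = {};
-description = lib.mdDoc ''
-Attribute-set containing the settings for `privacyidea-ldap-proxy`.
-It's possible to pass secrets using env-vars as substitutes and
-use the option [](#opt-services.privacyidea.ldap-proxy.environmentFile)
-to inject them via `envsubst`.
-'';
-};
-
-environmentFile = mkOption {
-default = null;
-type = types.nullOr types.str;
-description = lib.mdDoc ''
-Environment file containing secrets to be substituted into
-[](#opt-services.privacyidea.ldap-proxy.settings).
-'';
-};
-};
-};
-};
-
-config = mkMerge [
-
-(mkIf cfg.enable {
-
-assertions = [
-{
-assertion = cfg.tokenjanitor.enable -> (cfg.tokenjanitor.orphaned || cfg.tokenjanitor.unassigned);
-message = ''
-privacyidea-token-janitor has no effect if neither orphaned nor unassigned tokens
-are to be searched.
-'';
-}
-];
-
-environment.systemPackages = [ pkgs.privacyidea (hiPrio privacyidea-token-janitor) ];
-
-services.postgresql.enable = mkDefault true;
-
-systemd.services.privacyidea-tokenjanitor = mkIf cfg.tokenjanitor.enable {
-environment.PRIVACYIDEA_CONFIGFILE = "${cfg.stateDir}/privacyidea.cfg";
-path = [ penv ];
-serviceConfig = {
-CapabilityBoundingSet = [ "" ];
-ExecStart = "${pkgs.writeShellScript "pi-token-janitor" ''
-${optionalString cfg.tokenjanitor.orphaned ''
-echo >&2 "Removing orphaned tokens..."
-privacyidea-token-janitor find \
---orphaned true \
---action ${cfg.tokenjanitor.action}
-''}
-${optionalString cfg.tokenjanitor.unassigned ''
-echo >&2 "Removing unassigned tokens..."
-privacyidea-token-janitor find \
---assigned false \
---action ${cfg.tokenjanitor.action}
-''}
-''}";
-Group = cfg.group;
-LockPersonality = true;
-MemoryDenyWriteExecute = true;
-ProtectHome = true;
-ProtectHostname = true;
-ProtectKernelLogs = true;
-ProtectKernelModules = true;
-ProtectKernelTunables = true;
-ProtectSystem = "strict";
-ReadWritePaths = cfg.stateDir;
-Type = "oneshot";
-User = cfg.user;
-WorkingDirectory = cfg.stateDir;
-};
-};
-systemd.timers.privacyidea-tokenjanitor = mkIf cfg.tokenjanitor.enable {
-wantedBy = [ "timers.target" ];
-timerConfig.OnCalendar = cfg.tokenjanitor.interval;
-timerConfig.Persistent = true;
-};
-
-systemd.services.privacyidea = let
-piuwsgi = pkgs.writeText "uwsgi.json" (builtins.toJSON {
-uwsgi = {
-buffer-size = 8192;
-plugins = [ "python3" ];
-pythonpath = "${penv}/${uwsgi.python3.sitePackages}";
-socket = "/run/privacyidea/socket";
-uid = cfg.user;
-gid = cfg.group;
-chmod-socket = 770;
-chown-socket = "${cfg.user}:nginx";
-chdir = cfg.stateDir;
-wsgi-file = "${penv}/etc/privacyidea/privacyideaapp.wsgi";
-processes = 4;
-harakiri = 60;
-reload-mercy = 8;
-stats = "/run/privacyidea/stats.socket";
-max-requests = 2000;
-limit-as = 1024;
-reload-on-as = 512;
-reload-on-rss = 256;
-no-orphans = true;
-vacuum = true;
-};
-});
-in {
-wantedBy = [ "multi-user.target" ];
-after = [ "postgresql.service" ];
-path = with pkgs; [ openssl ];
-environment.PRIVACYIDEA_CONFIGFILE = "${cfg.stateDir}/privacyidea.cfg";
-preStart = let
-pi-manage = "${config.security.sudo.package}/bin/sudo -u privacyidea -HE ${penv}/bin/pi-manage";
-pgsu = config.services.postgresql.superUser;
-psql = config.services.postgresql.package;
-in ''
-mkdir -p ${cfg.stateDir} /run/privacyidea
-chown ${cfg.user}:${cfg.group} -R ${cfg.stateDir} /run/privacyidea
-umask 077
-${lib.getBin pkgs.envsubst}/bin/envsubst -o ${cfg.stateDir}/privacyidea.cfg \
--i "${piCfgFile}"
-chown ${cfg.user}:${cfg.group} ${cfg.stateDir}/privacyidea.cfg
-if ! test -e "${cfg.stateDir}/db-created"; then
-${config.security.sudo.package}/bin/sudo -u ${pgsu} ${psql}/bin/createuser --no-superuser --no-createdb --no-createrole ${cfg.user}
-${config.security.sudo.package}/bin/sudo -u ${pgsu} ${psql}/bin/createdb --owner ${cfg.user} privacyidea
-${pi-manage} create_enckey
-${pi-manage} create_audit_keys
-${pi-manage} createdb
-${pi-manage} admin add admin -e ${cfg.adminEmail} -p "$(cat ${cfg.adminPasswordFile})"
-${pi-manage} db stamp head -d ${penv}/lib/privacyidea/migrations
-touch "${cfg.stateDir}/db-created"
-chmod g+r "${cfg.stateDir}/enckey" "${cfg.stateDir}/private.pem"
-fi
-${pi-manage} db upgrade -d ${penv}/lib/privacyidea/migrations
-'';
-serviceConfig = {
-Type = "notify";
-ExecStart = "${uwsgi}/bin/uwsgi --json ${piuwsgi}";
-ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
-EnvironmentFile = lib.mkIf (cfg.environmentFile != null) cfg.environmentFile;
-ExecStop = "${pkgs.coreutils}/bin/kill -INT $MAINPID";
-NotifyAccess = "main";
-KillSignal = "SIGQUIT";
-};
-};
-
-users.users.privacyidea = mkIf (cfg.user == "privacyidea") {
-group = cfg.group;
-isSystemUser = true;
-};
-
-users.groups.privacyidea = mkIf (cfg.group == "privacyidea") {};
-})
-
-(mkIf cfg.ldap-proxy.enable {
-
-assertions = [
-{ assertion = let
-xor = a: b: a && !b || !a && b;
-in xor (cfg.ldap-proxy.settings == {}) (cfg.ldap-proxy.configFile == null);
-message = "configFile & settings are mutually exclusive for services.privacyidea.ldap-proxy!";
-}
-];
-
-warnings = mkIf (cfg.ldap-proxy.configFile != null) [
-"Using services.privacyidea.ldap-proxy.configFile is deprecated! Use the RFC42-style settings option instead!"
-];
-
-systemd.services.privacyidea-ldap-proxy = let
-ldap-proxy-env = pkgs.python3.withPackages (ps: [ ps.privacyidea-ldap-proxy ]);
-in {
-description = "privacyIDEA LDAP proxy";
-wantedBy = [ "multi-user.target" ];
-serviceConfig = {
-User = cfg.ldap-proxy.user;
-Group = cfg.ldap-proxy.group;
-StateDirectory = "privacyidea-ldap-proxy";
-EnvironmentFile = mkIf (cfg.ldap-proxy.environmentFile != null)
-[ cfg.ldap-proxy.environmentFile ];
-ExecStartPre =
-"${pkgs.writeShellScript "substitute-secrets-ldap-proxy" ''
-umask 0077
-${pkgs.envsubst}/bin/envsubst \
--i ${ldapProxyConfig} \
--o $STATE_DIRECTORY/ldap-proxy.ini
-''}";
-ExecStart = let
-configPath = if cfg.ldap-proxy.settings != {}
-then "%S/privacyidea-ldap-proxy/ldap-proxy.ini"
-else cfg.ldap-proxy.configFile;
-in ''
-${ldap-proxy-env}/bin/twistd \
---nodaemon \
---pidfile= \
--u ${cfg.ldap-proxy.user} \
--g ${cfg.ldap-proxy.group} \
-ldap-proxy \
--c ${configPath}
-'';
-Restart = "always";
-};
-};
-
-users.users.pi-ldap-proxy = mkIf (cfg.ldap-proxy.user == "pi-ldap-proxy") {
-group = cfg.ldap-proxy.group;
-isSystemUser = true;
-};
-
-users.groups.pi-ldap-proxy = mkIf (cfg.ldap-proxy.group == "pi-ldap-proxy") {};
-})
-];
-
-}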
-1
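--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -685,7 +685,6 @@
 predictable-interface-names = handleTest ./predictable-interface-names.nix {};
 printing-socket = handleTest ./printing.nix { socket = true; };
 printing-service = handleTest ./printing.nix { socket = false; };
-privacyidea = handleTest ./privacyidea.nix {};
 privoxy = handleTest ./privoxy.nix {};
 prometheus = handleTest ./prometheus.nix {};
 prometheus-exporters = handleTest ./prometheus-exporters.nix {};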
-43
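--- a/nixos/tests/privacyidea.nix
+++ b/nixos/tests/privacyidea.nix
@@ -1,43 +0,0 @@
-# Miscellaneous small tests that don't warrant their own VM run.
-
-import ./make-test-python.nix ({ pkgs, ...} : rec {
-name = "privacyidea";
-meta = with pkgs.lib.maintainers; {
-maintainers = [ ];
-};
-
-nodes.machine = { ... }: {
-virtualisation.cores = 2;
-
-services.privacyidea = {
-enable = true;
-secretKey = "$SECRET_KEY";
-pepper = "$PEPPER";
-adminPasswordFile = pkgs.writeText "admin-password" "testing";
-adminEmail = "root@localhost";
-
-# Don't try this at home!
-environmentFile = pkgs.writeText "pi-secrets.env" ''
-SECRET_KEY=testing
-PEPPER=testing
-'';
-};
-services.nginx = {
-enable = true;
-virtualHosts."_".locations."/".extraConfig = ''
-uwsgi_pass unix:/run/privacyidea/socket;
-'';
-};
-};
-
-testScript = ''
-machine.start()
-machine.wait_for_unit("multi-user.target")
-machine.succeed("curl --fail http://localhost | grep privacyIDEA")
-machine.succeed("grep \"SECRET_KEY = 'testing'\" /var/lib/privacyidea/privacyidea.cfg")
-machine.succeed("grep \"PI_PEPPER = 'testing'\" /var/lib/privacyidea/privacyidea.cfg")
-machine.succeed(
-"curl --fail http://localhost/auth -F username=admin -F password=testing | grep token"
-)
-'';
-})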
-263
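--- a/pkgs/applications/misc/privacyidea/default.nix
+++ b/pkgs/applications/misc/privacyidea/default.nix
@@ -1,263 +0,0 @@
-{ lib, fetchFromGitHub, cacert, openssl, nixosTests
-, python310, fetchPypi, fetchpatch
-}:
-
-let
-dropDocOutput = { outputs, ... }: {
-outputs = lib.filter (x: x != "doc") outputs;
-};
-
-# Follow issue below for Python 3.11 support
-# https://github.com/privacyidea/privacyidea/issues/3593
-python3' = python310.override {
-packageOverrides = self: super: {
-django = super.django_3;
-
-sqlalchemy = super.sqlalchemy.overridePythonAttrs (oldAttrs: rec {
-version = "1.3.24";
-src = fetchPypi {
-inherit (oldAttrs) pname;
-inherit version;
-hash = "sha256-67t3fL+TEjWbiXv4G6ANrg9ctp+6KhgmXcwYpvXvdRk=";
-};
-doCheck = false;
-});
-# version 3.3.0+ does not support SQLAlchemy 1.3
-factory-boy = super.factory-boy.overridePythonAttrs (oldAttrs: rec {
-version = "3.2.1";
-src = oldAttrs.src.override {
-inherit version;
-hash = "sha256-qY0newwEfHXrbkq4UIp/gfsD0sshmG9ieRNUbveipV4=";
-};
-postPatch = "";
-});
-# fails with `no tests ran in 1.75s`
-alembic = super.alembic.overridePythonAttrs (lib.const {
-doCheck = false;
-});
-flask-migrate = super.flask-migrate.overridePythonAttrs (oldAttrs: rec {
-version = "2.7.0";
-src = fetchPypi {
-pname = "Flask-Migrate";
-inherit version;
-hash = "sha256-ri8FZxWIdi3YOiHYsYxR/jVehng+JFlJlf+Nc4Df/jg=";
-};
-});
-flask-sqlalchemy = super.flask-sqlalchemy.overridePythonAttrs (old: rec {
-version = "2.5.1";
-format = "setuptools";
-src = fetchPypi {
-pname = "Flask-SQLAlchemy";
-inherit version;
-hash = "sha256:2bda44b43e7cacb15d4e05ff3cc1f8bc97936cc464623424102bfc2c35e95912";
-};
-});
-# Taken from by https://github.com/NixOS/nixpkgs/pull/173090/commits/d2c0c7eb4cc91beb0a1adbaf13abc0a526a21708
-werkzeug = super.werkzeug.overridePythonAttrs (old: rec {
-version = "1.0.1";
-src = old.src.override {
-inherit version;
-hash = "sha256-bICx5a02ZSkOo5MguR4b4eDV9gZSuWSjBwIW3oPS5Hw=";
-};
-nativeCheckInputs = old.nativeCheckInputs ++ (with self; [
-requests
-]);
-doCheck = false;
-});
-# Required by flask-1.1
-jinja2 = super.jinja2.overridePythonAttrs (old: rec {
-version = "2.11.3";
-src = old.src.override {
-inherit version;
-hash = "sha256-ptWEM94K6AA0fKsfowQ867q+i6qdKeZo8cdoy4ejM8Y=";
-};
-patches = [
-# python 3.10 compat fixes. In later upstream releases, but these
-# are not compatible with flask 1 which we need here :(
-(fetchpatch {
-url = "https://github.com/thmo/jinja/commit/1efb4cc918b4f3d097c376596da101de9f76585a.patch";
-hash = "sha256-GFaSvYxgzOEFmnnDIfcf0ImScNTh1lR4lxt2Uz1DYdU=";
-})
-(fetchpatch {
-url = "https://github.com/mkrizek/jinja/commit/bd8bad37d1c0e2d8995a44fd88e234f5340afec5.patch";
-hash = "sha256-Uow+gaO+/dH6zavC0X/SsuMAfhTLRWpamVlL87DXDRA=";
-excludes = [ "CHANGES.rst" ];
-})
-];
-});
-# Required by jinja2-2.11.3
-markupsafe = super.markupsafe.overridePythonAttrs (old: rec {
-version = "2.0.1";
-src = old.src.override {
-inherit version;
-hash = "sha256-WUxngH+xYjizDES99082wCzfItHIzake+KDtjav1Ygo=";
-};
-});
-itsdangerous = super.itsdangerous.overridePythonAttrs (old: rec {
-version = "1.1.0";
-src = old.src.override {
-inherit version;
-hash = "sha256-MhsDPQfypBNtPsdi6snxahDM1g9TwMka+QIXrOe6Hxk=";
-};
-});
-flask = super.flask.overridePythonAttrs (old: rec {
-version = "1.1.4";
-src = old.src.override {
-inherit version;
-hash = "sha256-D762GA04OpGG0NbtlU4AQq2fGODo3giLK0GdUmkn0ZY=";
-};
-});
-sqlsoup = super.sqlsoup.overrideAttrs ({ meta ? {}, ... }: {
-meta = meta // { broken = false; };
-});
-click = super.click.overridePythonAttrs (old: rec {
-version = "7.1.2";
-src = old.src.override {
-inherit version;
-hash = "sha256-0rUlXHxjSbwb0eWeCM0SrLvWPOZJ8liHVXg6qU37axo=";
-};
-disabledTests = [ "test_bytes_args" ]; # https://github.com/pallets/click/commit/6e05e1fa1c2804
-});
-# Now requires `lingua` as check input that requires a newer `click`,
-# however `click-7` is needed by the older flask we need here. Since it's just
-# for the test-suite apparently, let's skip it for now.
-mako = super.mako.overridePythonAttrs (lib.const {
-nativeCheckInputs = [];
-doCheck = false;
-});
-# Requires pytest-httpserver as checkInput now which requires Werkzeug>=2 which is not
-# supported by current privacyIDEA.
-responses = super.responses.overridePythonAttrs (lib.const {
-doCheck = false;
-});
-flask-babel = (super.flask-babel.override {
-sphinxHook = null;
-furo = null;
-}).overridePythonAttrs (old: (dropDocOutput old) // rec {
-pname = "Flask-Babel";
-version = "2.0.0";
-format = "setuptools";
-src = fetchPypi {
-inherit pname;
-inherit version;
-hash = "sha256:f9faf45cdb2e1a32ea2ec14403587d4295108f35017a7821a2b1acb8cfd9257d";
-};
-disabledTests = [
-# AssertionError: assert 'Apr 12, 2010...46:00\u202fPM' == 'Apr 12, 2010, 1:46:00 PM'
-# Note the `\u202f` (narrow, no-break space) vs space.
-"test_basics"
-"test_init_app"
-"test_custom_locale_selector"
-"test_refreshing"
-];
-});
-psycopg2 = (super.psycopg2.override {
-sphinxHook = null;
-sphinx-better-theme = null;
-}).overridePythonAttrs dropDocOutput;
-pyjwt = (super.pyjwt.override {
-sphinxHook = null;
-sphinx-rtd-theme = null;
-}).overridePythonAttrs (old: (dropDocOutput old) // { format = "setuptools"; });
-beautifulsoup4 = (super.beautifulsoup4.override {
-sphinxHook = null;
-}).overridePythonAttrs dropDocOutput;
-pydash = (super.pydash.override {
-sphinx-rtd-theme = null;
-}).overridePythonAttrs (old: rec {
-version = "5.1.0";
-src = fetchPypi {
-inherit (old) pname;
-inherit version;
-hash = "sha256-GysFCsG64EnNB/WSCxT6u+UmOPSF2a2h6xFanuv/aDU=";
-};
-format = "setuptools";
-doCheck = false;
-});
-pyopenssl = (super.pyopenssl.override {
-sphinxHook = null;
-sphinx-rtd-theme = null;
-}).overridePythonAttrs dropDocOutput;
-deprecated = (super.deprecated.override {
-sphinxHook = null;
-}).overridePythonAttrs dropDocOutput;
-wrapt = (super.wrapt.override {
-sphinxHook = null;
-sphinx-rtd-theme = null;
-}).overridePythonAttrs dropDocOutput;
-};
-};
-in
-python3'.pkgs.buildPythonPackage rec {
-pname = "privacyIDEA";
-version = "3.8.1";
-format = "setuptools";
-
-src = fetchFromGitHub {
-owner = pname;
-repo = pname;
-rev = "v${version}";
-hash = "sha256-SYXw8PBCb514v3rcy15W/vZS5JyMsu81D2sJmviLRtw=";
-fetchSubmodules = true;
-};
-
-patches = [
-# https://github.com/privacyidea/privacyidea/pull/3611
-(fetchpatch {
-url = "https://github.com/privacyidea/privacyidea/commit/7db6509721726a34e8528437ddbd4210019b11ef.patch";
-sha256 = "sha256-ZvtauCs1vWyxzGbA0B2+gG8q5JyUO8DF8nm/3/vcYmE=";
-})
-];
-
-propagatedBuildInputs = with python3'.pkgs; [
-cryptography pyrad pymysql python-dateutil flask-versioned flask-script
-defusedxml croniter flask-migrate pyjwt configobj sqlsoup pillow
-python-gnupg passlib pyopenssl beautifulsoup4 smpplib flask-babel
-ldap3 huey pyyaml qrcode oauth2client requests lxml cbor2 psycopg2
-pydash ecdsa google-auth importlib-metadata argon2-cffi bcrypt segno
-];
-
-passthru.tests = { inherit (nixosTests) privacyidea; };
-
-nativeCheckInputs = with python3'.pkgs; [ openssl mock pytestCheckHook responses testfixtures ];
-preCheck = "export HOME=$(mktemp -d)";
-postCheck = "unset HOME";
-disabledTests = [
-# expects `/home/` to exist, fails with `FileNotFoundError: [Errno 2] No such file or directory: '/home/'`.
-"test_01_loading_scripts"
-
-# Tries to connect to `fcm.googleapis.com`.
-"test_02_api_push_poll"
-"test_04_decline_auth_request"
-
-# Timezone info not available in build sandbox
-"test_14_convert_timestamp_to_utc"
-
-# Fails because of different logger configurations
-"test_01_create_default_app"
-"test_03_logging_config_file"
-"test_04_logging_config_yaml"
-"test_05_logging_config_broken_yaml"
-];
-
-pythonImportsCheck = [ "privacyidea" ];
-
-postPatch = ''
-patchShebangs tests/testdata/scripts
-substituteInPlace privacyidea/lib/resolvers/LDAPIdResolver.py --replace \
-"/etc/privacyidea/ldap-ca.crt" \
-"${cacert}/etc/ssl/certs/ca-bundle.crt"
-'';
-
-postInstall = ''
-rm -r $out/${python3'.sitePackages}/tests
-'';
-
-meta = with lib; {
-description = "Multi factor authentication system (2FA, MFA, OTP Server)";
-license = licenses.agpl3Plus;
-homepage = "http://www.privacyidea.org";
-maintainers = with maintainers; [ ma27 ];
-platforms = platforms.linux;
-};
-}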
-32
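--- a/pkgs/development/python-modules/privacyidea-ldap-proxy/default.nix
+++ b/pkgs/development/python-modules/privacyidea-ldap-proxy/default.nix
@@ -1,32 +0,0 @@
-{ lib, buildPythonPackage, fetchFromGitHub, twisted, ldaptor, configobj, fetchpatch }:
-
-buildPythonPackage rec {
-pname = "privacyidea-ldap-proxy";
-version = "0.7";
-
-src = fetchFromGitHub {
-owner = "privacyidea";
-repo = pname;
-rev = "v${version}";
-sha256 = "1i2kgxqd38xvb42qj0a4a35w4vk0fyp3n7w48kqmvrxc77p6r6i8";
-};
-
-patches = [
-# support for LDAPCompareRequest.
-(fetchpatch {
-url = "https://github.com/mayflower/privacyidea-ldap-proxy/commit/a13356717379b174f1a6abf767faa0dbd459f5dd.patch";
-hash = "sha256-SBTj9ayQ8JFD8BoYIl77nxWVV3PXnHZ8JMlJnxd/nEk=";
-})
-];
-
-propagatedBuildInputs = [ twisted ldaptor configobj ];
-
-pythonImportsCheck = [ "pi_ldapproxy" ];
-
-meta = with lib; {
-description = "LDAP Proxy to intercept LDAP binds and authenticate against privacyIDEA";
-homepage = "https://github.com/privacyidea/privacyidea-ldap-proxy";
-license = licenses.agpl3Only;
-maintainers = [ ];
-};
-}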
+1
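--- a/pkgs/top-level/aliases.nix
+++ b/pkgs/top-level/aliases.nix
@@ -710,6 +710,7 @@
 pinentry_qt = throw "'pinentry_qt' has been renamed to/replaced by 'pinentry-qt'"; # Converted to throw 2023-09-10
 pinentry_qt5 = pinentry-qt; # Added 2020-02-11
 poetry2nix = throw "poetry2nix is now maintained out-of-tree. Please use https://github.com/nix-community/poetry2nix/"; # Added 2023-10-26
+privacyidea = throw "privacyidea has been removed from nixpkgs"; # Added 2023-10-31
 probe-rs-cli = throw "probe-rs-cli is now part of the probe-rs package"; # Added 2023-07-03
 processing3 = throw "'processing3' has been renamed to/replaced by 'processing'"; # Converted to throw 2023-09-10
 prometheus-dmarc-exporter = dmarc-metrics-exporter; # added 2022-05-31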
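Review bot: The removal is announced only for the package attribute: `privacyidea = throw …` covers `pkgs.privacyidea`, but the four added lines of this commit (two in the release notes, one here, one in python-aliases.nix) include nothing for the `services.privacyidea.*` options, so a configuration that still enables the module will presumably stop with a generic unknown-option error. For a host whose MFA server disappears on upgrade, a removed-option stub such as `(mkRemovedOptionModule [ "services" "privacyidea" ] "privacyidea has been removed from nixpkgs, see the 23.11 release notes")`, placed wherever the tree records removed modules, would tell the operator why evaluation fails and that a replacement has to be planned. The throw text here could also carry the reason the release notes give (outdated, unmaintainable dependencies), as the neighbouring `poetry2nix` entry does.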
-2
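--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -19871,8 +19871,6 @@
 
 premake = premake4;
 
-privacyidea = callPackage ../applications/misc/privacyidea { };
-
 process-compose = callPackage ../applications/misc/process-compose { };
 
 process-viewer = callPackage ../applications/misc/process-viewer { };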
+1 -1
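--- a/pkgs/top-level/python-aliases.nix
+++ b/pkgs/top-level/python-aliases.nix
@@ -262,7 +262,7 @@
 poster3 = throw "poster3 is unmaintained and source is no longer available"; # added 2023-05-29
 postorius = throw "Please use pkgs.mailmanPackages.postorius"; # added 2022-04-29
 powerlineMemSegment = powerline-mem-segment; # added 2021-10-08
-privacyidea = throw "privacyidea has been renamed to pkgs.privacyidea"; # added 2021-06-20
+privacyidea-ldap-proxy = throw "privacyidea-ldap-proxy has been removed from nixpkgs"; # added 2023-10-31
 prometheus_client = prometheus-client; # added 2021-06-10
 prompt_toolkit = prompt-toolkit; # added 2021-07-22
 protonup = protonup-ng; # Added 2022-11-06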
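Review bot: The new `privacyidea-ldap-proxy` entry replaces the existing `privacyidea` alias rather than being added next to it, so the `privacyidea` name in the python package set goes from an explanatory throw to a bare missing-attribute error. Keeping the old line with an updated message, `privacyidea = throw "privacyidea has been removed from nixpkgs"; # added 2023-10-31`, would keep that failure self-explaining and consistent with the top-level alias. If aliases of that age (added 2021-06-20) are dropped on purpose, a word in the commit description would make that visible.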
-2
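--- a/pkgs/top-level/python-packages.nix
+++ b/pkgs/top-level/python-packages.nix
@@ -9510,8 +9510,6 @@
 
 prison = callPackage ../development/python-modules/prison { };
 
-privacyidea-ldap-proxy = callPackage ../development/python-modules/privacyidea-ldap-proxy { };
-
 proboscis = callPackage ../development/python-modules/proboscis { };
 
 process-tests = callPackage ../development/python-modules/process-tests { };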