Merge staging-next into staging

3 files changed, 61 insertions, 46 deletions

diff --git a/nixos/modules/services/hardware/ratbagd.nix b/nixos/modules/services/hardware/ratbagd.nix
index c939d5e40a24..5567bcbafd16 100644
--- a/nixos/modules/services/hardware/ratbagd.nix
+++ b/nixos/modules/services/hardware/ratbagd.nix
@@ -11,6 +11,8 @@ in
   options = {
     services.ratbagd = {
       enable = mkEnableOption (lib.mdDoc "ratbagd for configuring gaming mice");
+
+      package = mkPackageOption pkgs "libratbag" { };
     };
   };
 
@@ -18,10 +20,10 @@ in
 
   config = mkIf cfg.enable {
     # Give users access to the "ratbagctl" tool
-    environment.systemPackages = [ pkgs.libratbag ];
+    environment.systemPackages = [ cfg.package ];
 
-    services.dbus.packages = [ pkgs.libratbag ];
+    services.dbus.packages = [ cfg.package ];
 
-    systemd.packages = [ pkgs.libratbag ];
+    systemd.packages = [ cfg.package ];
   };
 }
diff --git a/nixos/modules/services/misc/portunus.nix b/nixos/modules/services/misc/portunus.nix
index 47af24f024cd..ebb3bc8f0851 100644
--- a/nixos/modules/services/misc/portunus.nix
+++ b/nixos/modules/services/misc/portunus.nix
@@ -37,6 +37,15 @@ in
       '';
     };
 
+    seedSettings = lib.mkOption {
+      type = with lib.types; nullOr (attrsOf (listOf (attrsOf anything)));
+      default = null;
+      description = lib.mdDoc ''
+        Seed settings for users and groups.
+        See upstream for format <https://github.com/majewsky/portunus#seeding-users-and-groups-from-static-configuration>
+      '';
+    };
+
     stateDir = mkOption {
       type = types.path;
       default = "/var/lib/portunus";
@@ -172,49 +181,53 @@ in
       "127.0.0.1" = [ cfg.domain ];
     };
 
-    services.dex = mkIf cfg.dex.enable {
-      enable = true;
-      settings = {
-        issuer = "https://${cfg.domain}/dex";
-        web.http = "127.0.0.1:${toString cfg.dex.port}";
-        storage = {
-          type = "sqlite3";
-          config.file = "/var/lib/dex/dex.db";
-        };
-        enablePasswordDB = false;
-        connectors = [{
-          type = "ldap";
-          id = "ldap";
-          name = "LDAP";
-          config = {
-            host = "${cfg.domain}:636";
-            bindDN = "uid=${cfg.ldap.searchUserName},ou=users,${cfg.ldap.suffix}";
-            bindPW = "$DEX_SEARCH_USER_PASSWORD";
-            userSearch = {
-              baseDN = "ou=users,${cfg.ldap.suffix}";
-              filter = "(objectclass=person)";
-              username = "uid";
-              idAttr = "uid";
-              emailAttr = "mail";
-              nameAttr = "cn";
-              preferredUsernameAttr = "uid";
-            };
-            groupSearch = {
-              baseDN = "ou=groups,${cfg.ldap.suffix}";
-              filter = "(objectclass=groupOfNames)";
-              nameAttr = "cn";
-              userMatchers = [{ userAttr = "DN"; groupAttr = "member"; }];
-            };
+    services = {
+      dex = mkIf cfg.dex.enable {
+        enable = true;
+        settings = {
+          issuer = "https://${cfg.domain}/dex";
+          web.http = "127.0.0.1:${toString cfg.dex.port}";
+          storage = {
+            type = "sqlite3";
+            config.file = "/var/lib/dex/dex.db";
           };
-        }];
-
-        staticClients = forEach cfg.dex.oidcClients (client: {
-          inherit (client) id;
-          redirectURIs = [ client.callbackURL ];
-          name = "OIDC for ${client.id}";
-          secretEnv = "DEX_CLIENT_${client.id}";
-        });
+          enablePasswordDB = false;
+          connectors = [{
+            type = "ldap";
+            id = "ldap";
+            name = "LDAP";
+            config = {
+              host = "${cfg.domain}:636";
+              bindDN = "uid=${cfg.ldap.searchUserName},ou=users,${cfg.ldap.suffix}";
+              bindPW = "$DEX_SEARCH_USER_PASSWORD";
+              userSearch = {
+                baseDN = "ou=users,${cfg.ldap.suffix}";
+                filter = "(objectclass=person)";
+                username = "uid";
+                idAttr = "uid";
+                emailAttr = "mail";
+                nameAttr = "cn";
+                preferredUsernameAttr = "uid";
+              };
+              groupSearch = {
+                baseDN = "ou=groups,${cfg.ldap.suffix}";
+                filter = "(objectclass=groupOfNames)";
+                nameAttr = "cn";
+                userMatchers = [{ userAttr = "DN"; groupAttr = "member"; }];
+              };
+            };
+          }];
+
+          staticClients = forEach cfg.dex.oidcClients (client: {
+            inherit (client) id;
+            redirectURIs = [ client.callbackURL ];
+            name = "OIDC for ${client.id}";
+            secretEnv = "DEX_CLIENT_${client.id}";
+          });
+        };
       };
+
+      portunus.seedPath = lib.mkIf (cfg.seedSettings != null) (pkgs.writeText "seed.json" (builtins.toJSON cfg.seedSettings));
     };
 
     systemd.services = {
diff --git a/nixos/tests/pomerium.nix b/nixos/tests/pomerium.nix
index abaf56c518e0..d0204488e8ef 100644
--- a/nixos/tests/pomerium.nix
+++ b/nixos/tests/pomerium.nix
@@ -1,7 +1,7 @@
 import ./make-test-python.nix ({ pkgs, lib, ... }: {
   name = "pomerium";
   meta = with lib.maintainers; {
-    maintainers = [ lukegb ];
+    maintainers = [ lukegb devusb ];
   };
 
   nodes = let base = myIP: { pkgs, lib, ... }: {
@@ -103,7 +103,7 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: {
     with subtest("ui"):
         pomerium.succeed(
           # check for a string that only appears if the UI is displayed correctly
-            "chromium --no-sandbox --headless --disable-gpu --dump-dom --host-resolver-rules='MAP login.required 127.0.0.1:80' http://login.required/.pomerium | grep 'contact your administrator'"
+            "chromium --no-sandbox --headless --disable-gpu --dump-dom --host-resolver-rules='MAP login.required 127.0.0.1:80' http://login.required/.pomerium | grep 'User Details Not Available'"
         )
   '';
 })