1 files changed, 58 insertions, 42 deletions

diff --git a/nixpkgs/nixos/modules/services/misc/portunus.nix b/nixpkgs/nixos/modules/services/misc/portunus.nix
index 7036a372d1ea..ebb3bc8f0851 100644
--- a/nixpkgs/nixos/modules/services/misc/portunus.nix
+++ b/nixpkgs/nixos/modules/services/misc/portunus.nix
@@ -37,6 +37,15 @@ in
       '';
     };
 
+    seedSettings = lib.mkOption {
+      type = with lib.types; nullOr (attrsOf (listOf (attrsOf anything)));
+      default = null;
+      description = lib.mdDoc ''
+        Seed settings for users and groups.
+        See upstream for format <https://github.com/majewsky/portunus#seeding-users-and-groups-from-static-configuration>
+      '';
+    };
+
     stateDir = mkOption {
       type = types.path;
       default = "/var/lib/portunus";
@@ -172,49 +181,53 @@ in
       "127.0.0.1" = [ cfg.domain ];
     };
 
-    services.dex = mkIf cfg.dex.enable {
-      enable = true;
-      settings = {
-        issuer = "https://${cfg.domain}/dex";
-        web.http = "127.0.0.1:${toString cfg.dex.port}";
-        storage = {
-          type = "sqlite3";
-          config.file = "/var/lib/dex/dex.db";
-        };
-        enablePasswordDB = false;
-        connectors = [{
-          type = "ldap";
-          id = "ldap";
-          name = "LDAP";
-          config = {
-            host = "${cfg.domain}:636";
-            bindDN = "uid=${cfg.ldap.searchUserName},ou=users,${cfg.ldap.suffix}";
-            bindPW = "$DEX_SEARCH_USER_PASSWORD";
-            userSearch = {
-              baseDN = "ou=users,${cfg.ldap.suffix}";
-              filter = "(objectclass=person)";
-              username = "uid";
-              idAttr = "uid";
-              emailAttr = "mail";
-              nameAttr = "cn";
-              preferredUsernameAttr = "uid";
-            };
-            groupSearch = {
-              baseDN = "ou=groups,${cfg.ldap.suffix}";
-              filter = "(objectclass=groupOfNames)";
-              nameAttr = "cn";
-              userMatchers = [{ userAttr = "DN"; groupAttr = "member"; }];
-            };
+    services = {
+      dex = mkIf cfg.dex.enable {
+        enable = true;
+        settings = {
+          issuer = "https://${cfg.domain}/dex";
+          web.http = "127.0.0.1:${toString cfg.dex.port}";
+          storage = {
+            type = "sqlite3";
+            config.file = "/var/lib/dex/dex.db";
           };
-        }];
-
-        staticClients = forEach cfg.dex.oidcClients (client: {
-          inherit (client) id;
-          redirectURIs = [ client.callbackURL ];
-          name = "OIDC for ${client.id}";
-          secretEnv = "DEX_CLIENT_${client.id}";
-        });
+          enablePasswordDB = false;
+          connectors = [{
+            type = "ldap";
+            id = "ldap";
+            name = "LDAP";
+            config = {
+              host = "${cfg.domain}:636";
+              bindDN = "uid=${cfg.ldap.searchUserName},ou=users,${cfg.ldap.suffix}";
+              bindPW = "$DEX_SEARCH_USER_PASSWORD";
+              userSearch = {
+                baseDN = "ou=users,${cfg.ldap.suffix}";
+                filter = "(objectclass=person)";
+                username = "uid";
+                idAttr = "uid";
+                emailAttr = "mail";
+                nameAttr = "cn";
+                preferredUsernameAttr = "uid";
+              };
+              groupSearch = {
+                baseDN = "ou=groups,${cfg.ldap.suffix}";
+                filter = "(objectclass=groupOfNames)";
+                nameAttr = "cn";
+                userMatchers = [{ userAttr = "DN"; groupAttr = "member"; }];
+              };
+            };
+          }];
+
+          staticClients = forEach cfg.dex.oidcClients (client: {
+            inherit (client) id;
+            redirectURIs = [ client.callbackURL ];
+            name = "OIDC for ${client.id}";
+            secretEnv = "DEX_CLIENT_${client.id}";
+          });
+        };
       };
+
+      portunus.seedPath = lib.mkIf (cfg.seedSettings != null) (pkgs.writeText "seed.json" (builtins.toJSON cfg.seedSettings));
     };
 
     systemd.services = {
@@ -230,7 +243,10 @@ in
         description = "Self-contained authentication service";
         wantedBy = [ "multi-user.target" ];
         after = [ "network.target" ];
-        serviceConfig.ExecStart = "${cfg.package.out}/bin/portunus-orchestrator";
+        serviceConfig = {
+          ExecStart = "${cfg.package}/bin/portunus-orchestrator";
+          Restart = "on-failure";
+        };
         environment = {
           PORTUNUS_LDAP_SUFFIX = cfg.ldap.suffix;
           PORTUNUS_SERVER_BINARY = "${cfg.package}/bin/portunus-server";