kanidm: add support for multiple versions #357734

Merged
merged 3 commits into from
Dec 4, 2024


adamcstephens
Contributor

@adamcstephens adamcstephens commented Nov 21, 2024

Adds package support for multiple versions. Will probably require updateScript modifications, but putting that off for now.

Sets default in module to the version at NixOS release time. kanidm will release new, potentially breaking changes during each NixOS release, at which point users will need to manually update their configuration.

This will be manually backported, with the stateVersion updated for 24.05, to verify the workflow and ensure support for the remaining weeks of 24.05.

Resolves #353889
Closes #361458

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
    • sandbox = relaxed
    • sandbox = true
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 25.05 Release Notes (or backporting 24.11 and 25.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.


@emilazy
Member

emilazy commented Nov 21, 2024

This won’t meet the by-name rules. I suggest taking a look at openjfx, ninja, and apple-sdk for some examples of how you can make multi‐version packages work while keeping nixpkgs-vet happy.

@ofborg ofborg bot added the 8.has: package (new) This PR adds a new package label Nov 21, 2024
@ofborg ofborg bot requested a review from Flakebi November 21, 2024 23:48
@ofborg ofborg bot added 11.by: package-maintainer This PR was created by the maintainer of the package it changes 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 1-10 10.rebuild-linux: 1 labels Nov 21, 2024
@adamcstephens adamcstephens force-pushed the push-kupzsmomprsz branch 2 times, most recently from 1ab3eef to 3556a40 Compare December 3, 2024 15:13
@github-actions github-actions bot added 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` and removed 10.rebuild-linux: 1 labels Dec 3, 2024
@adamcstephens adamcstephens marked this pull request as ready for review December 3, 2024 15:35
@adamcstephens
Contributor Author

adamcstephens commented Dec 4, 2024

No rebuild changes for 1.4, and 1.3 is insecure as expected.

aarch64-linux

❯ nom-build -A kanidm.passthru.tests.kanidm
Finished at 14:10:45 after 7s
/nix/store/a93igs4dv30nw9bbmqp5rc11k9vd6pag-vm-test-run-kanidm

❯ nom-build -A kanidm_1_4.passthru.tests.kanidm
Finished at 14:11:00 after 6s
/nix/store/a93igs4dv30nw9bbmqp5rc11k9vd6pag-vm-test-run-kanidm

❯ nom-build -A kanidm_1_3
error:
       … in the condition of the assert statement
         at /home/adam/git/nixpkgs/lib/customisation.nix:365:17:
          364|     in commonAttrs // {
          365|       drvPath = assert condition; drv.drvPath;
             |                 ^
          366|       outPath = assert condition; drv.outPath;

       … while evaluating the attribute 'handled'
         at /home/adam/git/nixpkgs/pkgs/stdenv/generic/check-meta.nix:507:7:
          506|       # or, alternatively, just output a warning message.
          507|       handled =
             |       ^
          508|         (

       (stack trace truncated; use '--show-trace' to show the full, detailed trace)

       error: Package ‘kanidm-1.3.3’ in /home/adam/git/nixpkgs/pkgs/by-name/ka/kanidm/generic.nix:142 is marked as insecure, refusing to evaluate.


       Known issues:
        - kanidm 1.3.x has reached EOL as of 2024-12-01.

       Please upgrade by verifying `kanidmd domain upgrade-check` and setting `services.kanidm.package = pkgs.kanidm_1_4;`
       See upgrade guide at https://kanidm.github.io/kanidm/master/server_updates.html


       You can install it anyway by allowing this package, using the
       following methods:

       a) To temporarily allow all insecure packages, you can use an environment
          variable for a single invocation of the nix tools:

            $ export NIXPKGS_ALLOW_INSECURE=1

          Note: When using `nix shell`, `nix build`, `nix develop`, etc with a flake,
                then pass `--impure` in order to allow use of environment variables.

       b) for `nixos-rebuild` you can add ‘kanidm-1.3.3’ to
          `nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
          like so:

            {
              nixpkgs.config.permittedInsecurePackages = [
                "kanidm-1.3.3"
              ];
            }

       c) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
          ‘kanidm-1.3.3’ to `permittedInsecurePackages` in
          ~/.config/nixpkgs/config.nix, like so:

            {
              permittedInsecurePackages = [
                "kanidm-1.3.3"
              ];
            }
┏━ 1 Errors: 
 ⋮ 
┃ 
┃        Please upgrade by verifying `kanidmd domain upgrade-check` and setting `services.kanidm.package = pkgs.kanidm_1_4;`
┃        See upgrade guide at https://kanidm.github.io/kanidm/master/server_updates.html
┃ 
┃ 
┃        You can install it anyway by allowing this package, using the
┃        following methods:
┃ 
┃        a) To temporarily allow all insecure packages, you can use an environment
┃           variable for a single invocation of the nix tools:
┃ 
┃             $ export NIXPKGS_ALLOW_INSECURE=1
┃ 
┃           Note: When using `nix shell`, `nix build`, `nix develop`, etc with a flake,
┃                 then pass `--impure` in order to allow use of environment variables.
┃ 
┃        b) for `nixos-rebuild` you can add ‘kanidm-1.3.3’ to
┃           `nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
┃           like so:
┃ 
┃             {
┃               nixpkgs.config.permittedInsecurePackages = [
┃                 "kanidm-1.3.3"
┃               ];
┃             }
┃ 
┃        c) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
┃           ‘kanidm-1.3.3’ to `permittedInsecurePackages` in
┃           ~/.config/nixpkgs/config.nix, like so:
┃ 
┃             {
┃               permittedInsecurePackages = [
┃                 "kanidm-1.3.3"
┃               ];
┃             }
┣━━━                                                            
┗━ ∑ ⚠ Exited with 1 errors reported by nix at 14:17:26 after 0s
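
An added example, not part of the original comment or of nixpkgs: a CI-side parser that turns the insecure-package refusal shown above into structured findings (package, defining file, known issues) and separately reports whether the job environment enables the blanket `NIXPKGS_ALLOW_INSECURE=1` bypass. The function names are hypothetical, and the sample log is a constructed excerpt of the output in this comment.

```python
import re

# Constructed sample: an excerpt shaped like the nix error output quoted above.
SAMPLE_LOG = """\
error: Package ‘kanidm-1.3.3’ in /home/adam/git/nixpkgs/pkgs/by-name/ka/kanidm/generic.nix:142 is marked as insecure, refusing to evaluate.


       Known issues:
        - kanidm 1.3.x has reached EOL as of 2024-12-01.

       Please upgrade by verifying `kanidmd domain upgrade-check` and setting `services.kanidm.package = pkgs.kanidm_1_4;`
"""

# Refusal line; accepts typographic or ASCII quotes around the package name.
REFUSAL = re.compile(
    r"Package [‘'](?P<name>[^’']+)[’'] in (?P<file>\S+?):(?P<line>\d+) "
    r"is marked as insecure, refusing to evaluate"
)
# One bullet of the "Known issues:" list.
ISSUE = re.compile(r"^\s+- (?P<text>.+)$")


def parse_insecure_refusals(log):
    """Return one finding per refused package found in a nix build log."""
    findings, current, in_issues = [], None, False
    for line in log.splitlines():
        refusal = REFUSAL.search(line)
        if refusal:
            current = {
                "package": refusal["name"],
                "file": refusal["file"],
                "line": int(refusal["line"]),
                "known_issues": [],
            }
            findings.append(current)
            in_issues = False
        elif current and line.strip() == "Known issues:":
            in_issues = True
        elif in_issues:
            issue = ISSUE.match(line)
            if issue:
                current["known_issues"].append(issue["text"])
            elif line.strip():
                in_issues = False  # first non-blank, non-bullet line ends the list
    return findings


def blanket_bypass_enabled(env):
    """True when the environment allows every insecure package at once."""
    return env.get("NIXPKGS_ALLOW_INSECURE") == "1"
```

A pipeline can fail on any finding whose package is not on a reviewed allowlist, and fail unconditionally when `blanket_bypass_enabled(os.environ)` is true.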

@adamcstephens adamcstephens merged commit bfa57fa into NixOS:master Dec 4, 2024
17 of 18 checks passed
@adamcstephens adamcstephens deleted the push-kupzsmomprsz branch December 4, 2024 14:29
@adamcstephens adamcstephens mentioned this pull request Dec 6, 2024
13 tasks
@yu-re-ka
Contributor

Hi, do you have any update about the backport to 24.11?

@adamcstephens
Contributor Author

Yes, #364105

Successfully merging this pull request may close these issues.

Package kanidm minor versions separately