kanidm: add support for multiple versions

nixos/modules/services/security/kanidm.nix

@@ -231,7 +231,10 @@ in
     enableServer = mkEnableOption "the Kanidm server";
     enablePam = mkEnableOption "the Kanidm PAM and NSS integration";
 
-    package = mkPackageOption pkgs "kanidm" { };
+    package = mkPackageOption pkgs "kanidm" {
+      example = "kanidm_1_4";
+      extraDescription = "If not set will receive a specific version based on stateVersion. Set to `pkgs.kanidm` to always receive the latest version, with the understanding that this could introduce breaking changes.";
+    };
 
     serverSettings = mkOption {
       type = types.submodule {
@@ -811,6 +814,16 @@ in
         )
       );
 
+    services.kanidm.package =
+      let
+        pkg =
+          if lib.versionAtLeast config.system.stateVersion "24.11" then
+            pkgs.kanidm_1_4
+          else
+            lib.warn "No default kanidm package found for stateVersion = '${config.system.stateVersion}'. Using unpinned version. Consider setting `services.kanidm.package = pkgs.kanidm_1_x` to avoid upgrades introducing breaking changes." pkgs.kanidm;
+      in
+      lib.mkDefault pkg;
+
     environment.systemPackages = mkIf cfg.enableClient [ cfg.package ];
 
     systemd.tmpfiles.settings."10-kanidm" = {

pkgs/by-name/ka/kanidm/1_3.nix

@@ -0,0 +1,15 @@
+import ./generic.nix {
+  version = "1.3.3";
+  hash = "sha256-W5G7osV4du6w/BfyY9YrDzorcLNizRsoz70RMfO2AbY=";
+  cargoHash = "sha256-gJrzOK6vPPBgsQFkKrbMql00XSfKGjgpZhYJLTURxoI=";
+  extraMeta = {
+    knownVulnerabilities = [
+      ''
+        kanidm 1.3.x has reached EOL as of 2024-12-01.
+
+        Please upgrade by verifying `kanidmd domain upgrade-check` and setting `services.kanidm.package = pkgs.kanidm_1_4;`
+        See upgrade guide at https://kanidm.github.io/kanidm/master/server_updates.html
+      ''
+    ];
+  };
+}

pkgs/by-name/ka/kanidm/1_4.nix

@@ -0,0 +1,5 @@
+import ./generic.nix {
+  version = "1.4.4";
+  hash = "sha256-AXgq9ohnSeQvq1IIhxMhe+FhX6/hyvRsJCI4VaiN/MQ=";
+  cargoHash = "sha256-/PsQ9yqyhSub1Qg2A3wOsgucq4rM0CU4uA8tEOJhtAU=";
+}

pkgs/by-name/ka/kanidm/generic.nix

@@ -0,0 +1,152 @@
+{
+  version,
+  hash,
+  cargoHash,
+  extraMeta ? { },
+}:
+
+{
+  stdenv,
+  lib,
+  formats,
+  nixosTests,
+  rustPlatform,
+  fetchFromGitHub,
+  installShellFiles,
+  nix-update-script,
+  pkg-config,
+  udev,
+  openssl,
+  sqlite,
+  pam,
+  bashInteractive,
+  rust-jemalloc-sys,
+  kanidm,
+  # If this is enabled, kanidm will be built with two patches allowing both
+  # oauth2 basic secrets and admin credentials to be provisioned.
+  # This is NOT officially supported (and will likely never be),
+  # see https://github.com/kanidm/kanidm/issues/1747.
+  # Please report any provisioning-related errors to
+  # https://github.com/oddlama/kanidm-provision/issues/ instead.
+  enableSecretProvisioning ? false,
+}:
+
+let
+  arch = if stdenv.hostPlatform.isx86_64 then "x86_64" else "generic";
+in
+rustPlatform.buildRustPackage rec {
+  pname = "kanidm";
+  inherit version cargoHash;
+
+  src = fetchFromGitHub {
+    owner = pname;
+    repo = pname;
+    rev = "refs/tags/v${version}";
+    inherit hash;
+  };
+
+  KANIDM_BUILD_PROFILE = "release_nixos_${arch}";
+
+  patches = lib.optionals enableSecretProvisioning [
+    ./patches/oauth2-basic-secret-modify.patch
+    ./patches/recover-account.patch
+  ];
+
+  postPatch =
+    let
+      format = (formats.toml { }).generate "${KANIDM_BUILD_PROFILE}.toml";
+      profile = {
+        admin_bind_path = "/run/kanidmd/sock";
+        cpu_flags = if stdenv.hostPlatform.isx86_64 then "x86_64_legacy" else "none";
+        default_config_path = "/etc/kanidm/server.toml";
+        default_unix_shell_path = "${lib.getBin bashInteractive}/bin/bash";
+        htmx_ui_pkg_path = "@htmx_ui_pkg_path@";
+      };
+    in
+    ''
+      cp ${format profile} libs/profiles/${KANIDM_BUILD_PROFILE}.toml
+      substituteInPlace libs/profiles/${KANIDM_BUILD_PROFILE}.toml \
+        --replace-fail '@htmx_ui_pkg_path@' "$out/ui/hpkg"
+    '';
+
+  nativeBuildInputs = [
+    pkg-config
+    installShellFiles
+  ];
+
+  buildInputs = [
+    udev
+    openssl
+    sqlite
+    pam
+    rust-jemalloc-sys
+  ];
+
+  # The UI needs to be in place before the tests are run.
+  postBuild = ''
+    mkdir -p $out/ui
+    cp -r server/core/static $out/ui/hpkg
+  '';
+
+  # Upstream runs with the Rust equivalent of -Werror,
+  # which breaks when we upgrade to new Rust before them.
+  # Just allow warnings. It's fine, really.
+  env.RUSTFLAGS = "--cap-lints warn";
+
+  # Not sure what pathological case it hits when compiling tests with LTO,
+  # but disabling it takes the total `cargo check` time from 40 minutes to
+  # around 5 on a 16-core machine.
+  cargoTestFlags = [
+    "--config"
+    ''profile.release.lto="off"''
+  ];
+
+  preFixup = ''
+    installShellCompletion \
+      --bash $releaseDir/build/completions/*.bash \
+      --zsh $releaseDir/build/completions/_*
+
+    # PAM and NSS need fix library names
+    mv $out/lib/libnss_kanidm.so $out/lib/libnss_kanidm.so.2
+    mv $out/lib/libpam_kanidm.so $out/lib/pam_kanidm.so
+  '';
+
+  passthru = {
+    tests = {
+      inherit (nixosTests) kanidm kanidm-provisioning;
+    };
+
+    updateScript = lib.optionals (!enableSecretProvisioning) (nix-update-script {
+      # avoid spurious releases and tags such as "debs"
+      extraArgs = [
+        "-vr"
+        "v(.*)"
+        "--override-filename"
+        "pkgs/by-name/ka/kanidm/${
+          builtins.replaceStrings [ "." ] [ "_" ] (lib.versions.majorMinor kanidm.version)
+        }.nix"
+      ];
+    });
+
+    inherit enableSecretProvisioning;
+    withSecretProvisioning = kanidm.override { enableSecretProvisioning = true; };
+  };
+
+  # can take over 4 hours on 2 cores and needs 16GB+ RAM
+  requiredSystemFeatures = [ "big-parallel" ];
+
+  meta =
+    with lib;
+    {
+      changelog = "https://github.com/kanidm/kanidm/releases/tag/v${version}";
+      description = "Simple, secure and fast identity management platform";
+      homepage = "https://github.com/kanidm/kanidm";
+      license = licenses.mpl20;
+      platforms = platforms.linux;
+      maintainers = with maintainers; [
+        adamcstephens
+        Flakebi
+      ];
+    }
+    // extraMeta;
+}

pkgs/by-name/ka/kanidm/package.nix

@@ -1,133 +1 @@
-{ stdenv
-, lib
-, formats
-, nixosTests
-, rustPlatform
-, fetchFromGitHub
-, installShellFiles
-, nix-update-script
-, pkg-config
-, udev
-, openssl
-, sqlite
-, pam
-, bashInteractive
-, rust-jemalloc-sys
-, kanidm
-# If this is enabled, kanidm will be built with two patches allowing both
-# oauth2 basic secrets and admin credentials to be provisioned.
-# This is NOT officially supported (and will likely never be),
-# see https://github.com/kanidm/kanidm/issues/1747.
-# Please report any provisioning-related errors to
-# https://github.com/oddlama/kanidm-provision/issues/ instead.
-, enableSecretProvisioning ? false
-}:
-
-let
-  arch = if stdenv.hostPlatform.isx86_64 then "x86_64" else "generic";
-in
-rustPlatform.buildRustPackage rec {
-  pname = "kanidm";
-  version = "1.4.4";
-
-  src = fetchFromGitHub {
-    owner = pname;
-    repo = pname;
-    rev = "refs/tags/v${version}";
-    hash = "sha256-AXgq9ohnSeQvq1IIhxMhe+FhX6/hyvRsJCI4VaiN/MQ=";
-  };
-
-  cargoHash = "sha256-/PsQ9yqyhSub1Qg2A3wOsgucq4rM0CU4uA8tEOJhtAU=";
-
-  KANIDM_BUILD_PROFILE = "release_nixos_${arch}";
-
-  patches = lib.optionals enableSecretProvisioning [
-    ./patches/oauth2-basic-secret-modify.patch
-    ./patches/recover-account.patch
-  ];
-
-  postPatch =
-    let
-      format = (formats.toml { }).generate "${KANIDM_BUILD_PROFILE}.toml";
-      profile = {
-        admin_bind_path = "/run/kanidmd/sock";
-        cpu_flags = if stdenv.hostPlatform.isx86_64 then "x86_64_legacy" else "none";
-        default_config_path = "/etc/kanidm/server.toml";
-        default_unix_shell_path = "${lib.getBin bashInteractive}/bin/bash";
-        htmx_ui_pkg_path = "@htmx_ui_pkg_path@";
-      };
-    in
-    ''
-      cp ${format profile} libs/profiles/${KANIDM_BUILD_PROFILE}.toml
-      substituteInPlace libs/profiles/${KANIDM_BUILD_PROFILE}.toml \
-        --replace-fail '@htmx_ui_pkg_path@' "$out/ui/hpkg"
-    '';
-
-  nativeBuildInputs = [
-    pkg-config
-    installShellFiles
-  ];
-
-  buildInputs = [
-    udev
-    openssl
-    sqlite
-    pam
-    rust-jemalloc-sys
-  ];
-
-  # The UI needs to be in place before the tests are run.
-  postBuild = ''
-    mkdir -p $out/ui
-    cp -r server/core/static $out/ui/hpkg
-  '';
-
-  # Upstream runs with the Rust equivalent of -Werror,
-  # which breaks when we upgrade to new Rust before them.
-  # Just allow warnings. It's fine, really.
-  env.RUSTFLAGS = "--cap-lints warn";
-
-  # Not sure what pathological case it hits when compiling tests with LTO,
-  # but disabling it takes the total `cargo check` time from 40 minutes to
-  # around 5 on a 16-core machine.
-  cargoTestFlags = ["--config" ''profile.release.lto="off"''];
-
-  preFixup = ''
-    installShellCompletion \
-      --bash $releaseDir/build/completions/*.bash \
-      --zsh $releaseDir/build/completions/_*
-
-    # PAM and NSS need fix library names
-    mv $out/lib/libnss_kanidm.so $out/lib/libnss_kanidm.so.2
-    mv $out/lib/libpam_kanidm.so $out/lib/pam_kanidm.so
-  '';
-
-  passthru = {
-    tests = {
-      inherit (nixosTests) kanidm kanidm-provisioning;
-    };
-
-    updateScript = nix-update-script {
-      # avoid spurious releases and tags such as "debs"
-      extraArgs = [
-        "-vr"
-        "v(.*)"
-      ];
-    };
-
-    inherit enableSecretProvisioning;
-    withSecretProvisioning = kanidm.override { enableSecretProvisioning = true; };
-  };
-
-  # can take over 4 hours on 2 cores and needs 16GB+ RAM
-  requiredSystemFeatures = [ "big-parallel" ];
-
-  meta = with lib; {
-    changelog = "https://github.com/kanidm/kanidm/releases/tag/v${version}";
-    description = "Simple, secure and fast identity management platform";
-    homepage = "https://github.com/kanidm/kanidm";
-    license = licenses.mpl20;
-    platforms = platforms.linux;
-    maintainers = with maintainers; [ adamcstephens Flakebi ];
-  };
-}
+import ./1_4.nix

pkgs/top-level/all-packages.nix

@@ -11694,7 +11694,16 @@ with pkgs;
 
   jitsi-videobridge = callPackage ../servers/jitsi-videobridge { };
 
-  kanidmWithSecretProvisioning = callPackage ../by-name/ka/kanidm/package.nix {
+  kanidm_1_3 = callPackage ../by-name/ka/kanidm/1_3.nix { };
+  kanidm_1_4 = callPackage ../by-name/ka/kanidm/1_4.nix { };
+
+  kanidmWithSecretProvisioning = kanidmWithSecretProvisioning_1_4;
+
+  kanidmWithSecretProvisioning_1_3 = callPackage ../by-name/ka/kanidm/1_3.nix {
+    enableSecretProvisioning = true;
+  };
+
+  kanidmWithSecretProvisioning_1_4 = callPackage ../by-name/ka/kanidm/1_4.nix {
     enableSecretProvisioning = true;
   };