From 2039c1a9dd556b2ae626080831fd06f89ce752fc Mon Sep 17 00:00:00 2001
From: arcnmx
Date: Sun, 21 Jan 2024 17:01:06 -0800
Subject: [PATCH] feat(tei): update to kanidm-develop OAuth 2.0 localhost redirects aren't part of a kanidm release yet.
---
 ci/flake-cron.nix | 1 +
 ci/nodes.nix | 1 +
 flake.lock | 6 +++---
 flake.nix | 10 ++++++++++
 systems/tei/nixos.nix | 8 ++++++++
 5 files changed, 23 insertions(+), 3 deletions(-)
diff --git a/ci/flake-cron.nix b/ci/flake-cron.nix
index 8c69fe9a..685b3e92 100644
--- a/ci/flake-cron.nix
+++ b/ci/flake-cron.nix
@@ -22,6 +22,7 @@ in {
 gh-actions.env.CACHIX_SIGNING_KEY = "\${{ secrets.CACHIX_SIGNING_KEY }}";
 nix.config = {
+ accept-flake-config = true;
 extra-platforms = ["aarch64-linux" "armv6l-linux" "armv7l-linux"];
 #extra-sandbox-paths = with channels.cipkgs; map (package: builtins.unsafeDiscardStringContext "${package}?") [bash qemu "/run/binfmt"];
 };
diff --git a/ci/nodes.nix b/ci/nodes.nix
index 47eb27e9..1f97166b 100644
--- a/ci/nodes.nix
+++ b/ci/nodes.nix
@@ -20,6 +20,7 @@ with lib; {
 channels.nixfiles.path = ../.;
 nix.config = {
+ accept-flake-config = true;
 extra-platforms = ["aarch64-linux" "armv6l-linux" "armv7l-linux"];
 #extra-sandbox-paths = with channels.cipkgs; map (package: builtins.unsafeDiscardStringContext "${package}?") [bash qemu "/run/binfmt"];
 };
diff --git a/flake.lock b/flake.lock
index efac507e..f6c940f9 100644
--- a/flake.lock
+++ b/flake.lock
@@ -3,11 +3,11 @@
 "arcexprs": {
 "flake": false,
 "locked": {
- "lastModified": 1705947565,
- "narHash": "sha256-L82r4wYC86SygCpUa7WNqyZGs0EtntsIhQoFTw7MmJs=",
+ "lastModified": 1706196577,
+ "narHash": "sha256-lFG8gaadISrBFAYRcdEeWMoZuZD1QWFLeP0fHCHQPIE=",
 "owner": "arcnmx",
 "repo": "nixexprs",
- "rev": "e720dd2e934b4a36ba65087a469a56e2958b9093",
+ "rev": "d7ed162f0b61e1657955446d239e4eddba116f61",
 "type": "github"
 },
 "original": {
diff --git a/flake.nix b/flake.nix
index 3abdd083..b52198d3 100644
--- a/flake.nix
+++ b/flake.nix
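Review bot: `accept-flake-config = true` in the `nix.config` of ci/flake-cron.nix (and the identical line added in ci/nodes.nix) makes Nix apply whatever `nixConfig` the evaluated flake declares, with no confirmation, in a job that also has `CACHIX_SIGNING_KEY` in its environment. If these workflows ever evaluate a flake.nix that the repository owner did not write (a fork pull request, for instance; the triggers are not visible here), that file chooses the substituters and trusted keys for the build. Listing the caches explicitly in the CI config keeps the trust decision in CI rather than in the flake: `extra-substituters = ["https://arc.cachix.org" "https://kittywitch.cachix.org"];` plus the matching `extra-trusted-public-keys` line. If the blanket setting stays, a comment such as `# required so flake.nix nixConfig caches are used; only safe while CI evaluates trusted branches` would record the assumption.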
@@ -27,6 +27,16 @@
 };
 };
 };
+ nixConfig = {
+ extra-substituters = [
+ "https://arc.cachix.org"
+ "https://kittywitch.cachix.org"
+ ];
+ extra-trusted-public-keys = [
+ "arc.cachix.org-1:DZmhclLkB6UO0rc0rBzNpwFbbaeLfyn+fYccuAy7YVY="
+ "kittywitch.cachix.org-1:KIzX/G5cuPw5WgrXad6UnrRZ8UDr7jhXzRTK/lmqyK0="
+ ];
+ };
 outputs = {
 self,
diff --git a/systems/tei/nixos.nix b/systems/tei/nixos.nix
index 308e8947..e101d78a 100644
--- a/systems/tei/nixos.nix
+++ b/systems/tei/nixos.nix
@@ -2,6 +2,7 @@
 config,
 lib,
 meta,
+ pkgs,
 ...
 }: let
 inherit (lib.modules) mkIf mkMerge;
@@ -29,6 +30,13 @@ in {
 sops.defaultSopsFile = ./secrets.yaml;
+ services.kanidm = {
+ package = lib.warnIf
+ (pkgs.kanidm.version != "1.1.0-rc.15")
+ "upstream kanidm may have localhost oauth2 support now!"
+ pkgs.kanidm-develop;
+ };
+
 networking.firewall = {
 interfaces.local.allowedTCPPorts = mkMerge [
 (mkIf kanidm.enableServer [
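Review bot: The new `nixConfig` block in flake.nix carries no comment saying who operates the two caches or what pushes to them, yet each `extra-trusted-public-keys` entry becomes a trust root for store paths on every machine that accepts this flake's config. I would put a one-line comment above each substituter/key pair naming the cache owner and the job that signs into it. A note that the key list must change together with the CI signing secret would also help anyone rotating a key later.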
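Review bot: In the second systems/tei/nixos.nix hunk, `services.kanidm.package` moves the identity server to an unreleased development build, and the only guard is an eval-time warning keyed to `pkgs.kanidm.version != "1.1.0-rc.15"`. That warning fires on any nixpkgs version change, whether or not the release actually includes localhost redirects, and nothing in the file says the override is temporary. A comment above `package` would make the exit condition explicit, e.g. `# TEMPORARY: unreleased kanidm, needed for OAuth 2.0 localhost redirects; return to pkgs.kanidm once a release ships it`. Where `pkgs.kanidm-develop` is pinned is not visible in this hunk (presumably the arcexprs input bumped in flake.lock), so it is worth confirming that it resolves to a fixed revision rather than a moving branch. The enclosing module body starts and ends outside the hunk.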