authorsefidel <contact@sefidel.net>2024-02-20 19:12:10 +0900
committersefidel <contact@sefidel.net>2024-02-20 19:12:46 +0900
commit60b28b4bed95a745ba1050ebc2fb0c8dc6f925f9 (patch)
tree87b7ca5410af5ee06e0003af0aeaa77e4e2f35dc
parent8e119c73d272e31b548f9bc047e88082a93eac07 (diff)
downloadinfra-60b28b4bed95a745ba1050ebc2fb0c8dc6f925f9.tar.gz
infra-60b28b4bed95a745ba1050ebc2fb0c8dc6f925f9.zip
fix(modules/akkoma): fix OAuth login
-rw-r--r--flake.lock98
-rw-r--r--flake.nix4
-rw-r--r--modules/services/akkoma/0001-fix-scope.patch28
-rw-r--r--modules/services/akkoma/default.nix17
-rw-r--r--systems/cobalt/default.nix3
5 files changed, 141 insertions, 9 deletions
diff --git a/flake.lock b/flake.lock
index 314a233..3ed8a85 100644
--- a/flake.lock
+++ b/flake.lock
@@ -147,6 +147,22 @@
         "type": "github"
       }
     },
+    "flake-compat_5": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1696426674,
+        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
     "flake-parts": {
       "inputs": {
         "nixpkgs-lib": "nixpkgs-lib"
@@ -165,6 +181,24 @@
         "type": "github"
       }
     },
+    "flake-parts_2": {
+      "inputs": {
+        "nixpkgs-lib": "nixpkgs-lib_2"
+      },
+      "locked": {
+        "lastModified": 1706830856,
+        "narHash": "sha256-a0NYyp+h9hlb7ddVz4LUn1vT/PLwqfrWYcHMvFB1xYg=",
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "rev": "b253292d9c0a5ead9bc98c4e9a26c6312e27d69f",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "type": "github"
+      }
+    },
     "flake-utils": {
       "inputs": {
         "systems": "systems"
@@ -302,16 +336,15 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1673606088,
-        "narHash": "sha256-wdYD41UwNwPhTdMaG0AIe7fE1bAdyHe6bB4HLUqUvck=",
+        "lastModified": 1708370087,
+        "narHash": "sha256-B/9pdlxpPkGLIkkv/rsTYm13D5vSqy8ufz6a7CKZLQw=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "37b97ae3dd714de9a17923d004a2c5b5543dfa6d",
+        "rev": "b927b88ae0437875c72a782d2d860a53d63076a3",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "nixpkgs-unstable",
         "repo": "nixpkgs",
         "type": "github"
       }
@@ -378,6 +411,26 @@
         "type": "indirect"
       }
     },
+    "nixpkgs-exotic": {
+      "inputs": {
+        "flake-compat": "flake-compat_5",
+        "flake-parts": "flake-parts_2",
+        "nixpkgs": "nixpkgs"
+      },
+      "locked": {
+        "lastModified": 1708376361,
+        "narHash": "sha256-ltUn95mmZDaoDUbHo48wCEw+M9ZDW+YjWq5ytMjdBKU=",
+        "ref": "refs/heads/main",
+        "rev": "99e52cee44959fa6b5a46301f00b151e9ea765c3",
+        "revCount": 1,
+        "type": "git",
+        "url": "https://git.exotic.sh/nixpkgs-exotic"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://git.exotic.sh/nixpkgs-exotic"
+      }
+    },
     "nixpkgs-lib": {
       "locked": {
         "dir": "lib",
@@ -396,6 +449,24 @@
         "type": "github"
       }
     },
+    "nixpkgs-lib_2": {
+      "locked": {
+        "dir": "lib",
+        "lastModified": 1706550542,
+        "narHash": "sha256-UcsnCG6wx++23yeER4Hg18CXWbgNpqNXcHIo5/1Y+hc=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "97b17f32362e475016f942bbdfda4a4a72a8a652",
+        "type": "github"
+      },
+      "original": {
+        "dir": "lib",
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
     "nixpkgs-stable": {
       "locked": {
         "lastModified": 1707603439,
@@ -412,6 +483,22 @@
         "type": "github"
       }
     },
+    "nixpkgs_2": {
+      "locked": {
+        "lastModified": 1673606088,
+        "narHash": "sha256-wdYD41UwNwPhTdMaG0AIe7fE1bAdyHe6bB4HLUqUvck=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "37b97ae3dd714de9a17923d004a2c5b5543dfa6d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixpkgs-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
     "poetry2nix": {
       "inputs": {
         "flake-utils": [
@@ -448,6 +535,7 @@
         "impermanence": "impermanence",
         "nixos-mailserver": "nixos-mailserver",
         "nixpkgs-2111": "nixpkgs-2111",
+        "nixpkgs-exotic": "nixpkgs-exotic",
         "sefidel-web": "sefidel-web",
         "sops-nix": "sops-nix",
         "unstable": "unstable",
@@ -457,7 +545,7 @@
     "sefidel-web": {
       "inputs": {
         "flake-utils": "flake-utils_3",
-        "nixpkgs": "nixpkgs"
+        "nixpkgs": "nixpkgs_2"
       },
       "locked": {
         "lastModified": 1708115165,
diff --git a/flake.nix b/flake.nix
index 3ef69b4..e9f1a01 100644
--- a/flake.nix
+++ b/flake.nix
@@ -6,6 +6,8 @@
     unstable-small.url = "github:nixos/nixpkgs/nixos-unstable-small";
     nixpkgs-2111.url = "github:nixos/nixpkgs/nixos-21.11";
 
+    nixpkgs-exotic.url = "git+https://git.exotic.sh/nixpkgs-exotic";
+
     colmena.url = "github:zhaofengli/colmena";
     colmena.inputs.nixpkgs.follows = "unstable";
 
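Review bot: The new `nixpkgs-exotic` input is declared without an `inputs.nixpkgs.follows`, unlike `colmena` two lines below, so the lock file now carries a separate `nixpkgs` node for it (the `nixpkgs-exotic` entry in flake.lock lists its own `nixpkgs` input) and the overlay's packages may be evaluated against a different nixpkgs revision than `unstable`. If the overlay does not depend on its own pin, `nixpkgs-exotic.inputs.nixpkgs.follows = "unstable";` keeps one nixpkgs in the closure, consistent with the colmena line; if it does depend on it, a one-line comment saying so would save the next reader the question. The URL is a bare `git+https` reference with no `ref` or `rev`, so the only pin on this source is the `rev` in flake.lock — worth a comment next to the input, since that lock entry is now the supply-chain boundary for the akkoma package cobalt runs.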
@@ -32,7 +34,7 @@
 
       system = "x86_64-linux";
 
-      pkgs = import unstable { inherit system; };
+      pkgs = import unstable { inherit system; overlays = [ inputs.nixpkgs-exotic.overlays.default ]; };
 
       lib = unstable.lib.extend
         (self: super: { my = import ./lib { inherit pkgs inputs; lib = self; }; });
diff --git a/modules/services/akkoma/0001-fix-scope.patch b/modules/services/akkoma/0001-fix-scope.patch
new file mode 100644
index 0000000..a0f8780
--- /dev/null
+++ b/modules/services/akkoma/0001-fix-scope.patch
@@ -0,0 +1,28 @@
+From a72bafca8fae2d0663127fa07f44284598a3631a Mon Sep 17 00:00:00 2001
+From: sefidel <contact@sefidel.net>
+Date: Tue, 20 Feb 2024 18:52:01 +0900
+Subject: [PATCH] fix scope
+
+Signed-off-by: sefidel <contact@sefidel.net>
+---
+ lib/ueberauth/strategy/keycloak.ex | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/ueberauth/strategy/keycloak.ex b/lib/ueberauth/strategy/keycloak.ex
+index fa6e84b..413b3d5 100644
+--- a/lib/ueberauth/strategy/keycloak.ex
++++ b/lib/ueberauth/strategy/keycloak.ex
+@@ -71,8 +71,8 @@ defmodule Ueberauth.Strategy.Keycloak do
+   require Logger
+ 
+   use Ueberauth.Strategy,
+-    uid_field: :id,
+-    default_scope: "api read_user read_registry",
++    uid_field: :preferred_username,
++    default_scope: "openid profile email",
+     oauth2_module: Ueberauth.Strategy.Keycloak.OAuth
+ 
+   alias Ueberauth.Auth.Info
+-- 
+2.43.0
+
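Review bot: `uid_field: :preferred_username` ties each Akkoma account to a Keycloak username, which is a mutable and reassignable attribute rather than a stable identifier; if the realm allows a user to be renamed or a freed username to be reused, the Akkoma account follows the name rather than the person. The OIDC `sub` claim is the stable per-user identifier Keycloak returns in the userinfo response, so `uid_field: :sub,` is the safer mapping unless the realm is known to forbid username changes and reuse, and a comment recording that decision belongs in the patch either way. The subject line "fix scope" describes only the `default_scope` change to `"openid profile email"`; the uid change is a separate behaviour change and deserves its own sentence in the patch description.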
diff --git a/modules/services/akkoma/default.nix b/modules/services/akkoma/default.nix
index 3671cb4..c2e9347 100644
--- a/modules/services/akkoma/default.nix
+++ b/modules/services/akkoma/default.nix
@@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, inputs, ... }:
 
 with lib;
 let
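Review bot: `inputs` is added to the module's argument set, but nothing in the visible hunks of this file reads it — the new `package` option defaults to `pkgs.akkoma`, and cobalt passes `pkgs.exoticPackages.akkoma` via the overlay rather than through `inputs`. If the rest of the file (not shown here) does not use it either, the argument can be dropped again, `{ config, lib, pkgs, ... }:`, so the module does not start depending on the `inputs` special arg for nothing.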
@@ -12,6 +12,8 @@ in
 {
   options.modules.services.akkoma = {
     enable = mkEnableOption "Akkoma instance";
+    package = mkOption { type = types.package; default = pkgs.akkoma; };
+
     domain = mkOption { type = types.str; };
     realHost = mkOption { type = types.str; };
     instanceName = mkOption { type = types.str; default = "Akkoma on ${cfg.domain}"; };
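Review bot: The new `package` option has no `description`, and its contract is not obvious: whatever is passed here is further modified with `overrideAttrs` in the hunk below to inject the OAuth2 dependencies and the `0001-fix-scope.patch`, so it must be an Akkoma derivation that override is valid for, not an arbitrary package. Suggest `description = "Akkoma derivation to run; the OAuth2 dependency overrides in this module are applied on top of it.";` inside the `mkOption`. The other options in this block lack descriptions too, but this one is the only one with a non-trivial precondition.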
@@ -25,7 +27,7 @@ in
 
     services.akkoma = {
       enable = true;
-      package = pkgs.akkoma.overrideAttrs (old: {
+      package = cfg.package.overrideAttrs (old: {
         # Akkoma doesn't include OAuth2 dependencies by default
         # This can be obtained by running `OAUTH_CONSUMER_STRATEGIES="..." mix deps.get`.
         # The server should also be launched with the same environment variable set.
@@ -56,6 +58,13 @@ in
               sha256 = "06r10w0azlpypjgggar1lf7h2yazn2dpyicy97zxkjyxgf9jfc60";
             };
 
+            # There must be a way to configure this using config.exs and patchPhase,
+            # But just applying a patch is easier since patching ueberauth and
+            # this package didn't do the trick.
+            patches = [
+              ./0001-fix-scope.patch
+            ];
+
             beamDeps = [ oauth2 oldMixDeps.ueberauth ];
           };
         };
@@ -76,6 +85,7 @@ in
         let inherit ((pkgs.formats.elixirConf { }).lib) mkRaw mkMap mkTuple;
         in {
           ":pleroma"."Pleroma.Web.Endpoint".url.host = cfg.realHost;
+          ":pleroma"."Pleroma.Web.Endpoint".extra_cookie_attrs = [ "SameSite=Lax" ];
           ":pleroma"."Pleroma.Web.WebFinger".domain = cfg.domain;
           ":pleroma".":media_proxy".enabled = false;
           ":pleroma".":instance" = {
@@ -86,6 +96,7 @@ in
             notify_email = poorObfuscation cfg.domain "postmaster";
 
             registrations_open = false;
+            account_approval_required = true;
             invites_enabled = true;
 
             limit = 5000;
@@ -95,7 +106,7 @@ in
               logo = "/static/logo.png";
               # FIXME: https://akkoma.dev/AkkomaGang/akkoma/pulls/668
               # TODO: enable on next release
-              # loginMethod = "token";
+              loginMethod = "token";
             };
           };
           ":pleroma".":mrf" = {
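Review bot: `loginMethod = "token"` is now active, but the two comments directly above it, `# FIXME: https://akkoma.dev/AkkomaGang/akkoma/pulls/668` and `# TODO: enable on next release`, still describe it as pending, which will mislead the next reader into thinking the line was enabled by mistake. Replace them with one line that records why it is safe now, e.g. `# requires the OAuth fixes from akkoma PR 668; provided by the package set through the package option (see systems/cobalt)`, tying it to the `package` option this commit adds and to the cobalt host's "v3.10.4 with OAuth fixes backported" comment.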
diff --git a/systems/cobalt/default.nix b/systems/cobalt/default.nix
index 036e459..285fe61 100644
--- a/systems/cobalt/default.nix
+++ b/systems/cobalt/default.nix
@@ -321,6 +321,9 @@ in
     };
     services.akkoma = {
       enable = true;
+      # v3.10.4 with OAuth fixes backported
+      package = pkgs.exoticPackages.akkoma;
+
       domain = "exotic.sh";
       realHost = "social.exotic.sh";
       instanceName = "exotic.sh social";
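Review bot: The comment `# v3.10.4 with OAuth fixes backported` says what the package is but not where it comes from; `pkgs.exoticPackages` only exists because flake.nix now layers `inputs.nixpkgs-exotic.overlays.default` onto `unstable`, and that connection is invisible from this file. Suggest extending it to `# v3.10.4 with OAuth fixes backported, from the nixpkgs-exotic overlay (flake.nix); pinned by its flake.lock rev`, so a reader bumping or removing the overlay knows this host depends on it. Whether the backport is still needed once upstream ships the fix is not visible here, so a short note on when this override can go away would help too.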