authorsefidel <contact@sefidel.net>2024-02-20 19:12:10 +0900
committersefidel <contact@sefidel.net>2024-02-20 19:12:46 +0900
commit60b28b4bed95a745ba1050ebc2fb0c8dc6f925f9 (patch)
tree87b7ca5410af5ee06e0003af0aeaa77e4e2f35dc /modules/services/akkoma
parent8e119c73d272e31b548f9bc047e88082a93eac07 (diff)
fix(modules/akkoma): fix OAuth login
Diffstat (limited to 'modules/services/akkoma')
-rw-r--r--modules/services/akkoma/0001-fix-scope.patch28
-rw-r--r--modules/services/akkoma/default.nix17
2 files changed, 42 insertions, 3 deletions
diff --git a/modules/services/akkoma/0001-fix-scope.patch b/modules/services/akkoma/0001-fix-scope.patch
new file mode 100644
index 0000000..a0f8780
--- /dev/null
+++ b/modules/services/akkoma/0001-fix-scope.patch
@@ -0,0 +1,28 @@
+From a72bafca8fae2d0663127fa07f44284598a3631a Mon Sep 17 00:00:00 2001
+From: sefidel <contact@sefidel.net>
+Date: Tue, 20 Feb 2024 18:52:01 +0900
+Subject: [PATCH] fix scope
+
+Signed-off-by: sefidel <contact@sefidel.net>
+---
+ lib/ueberauth/strategy/keycloak.ex | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/ueberauth/strategy/keycloak.ex b/lib/ueberauth/strategy/keycloak.ex
+index fa6e84b..413b3d5 100644
+--- a/lib/ueberauth/strategy/keycloak.ex
++++ b/lib/ueberauth/strategy/keycloak.ex
+@@ -71,8 +71,8 @@ defmodule Ueberauth.Strategy.Keycloak do
+   require Logger
+ 
+   use Ueberauth.Strategy,
+-    uid_field: :id,
+-    default_scope: "api read_user read_registry",
++    uid_field: :preferred_username,
++    default_scope: "openid profile email",
+     oauth2_module: Ueberauth.Strategy.Keycloak.OAuth
+ 
+   alias Ueberauth.Auth.Info
+-- 
+2.43.0
+
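Review bot: `uid_field: :preferred_username` keys the Ueberauth identity on a mutable, reassignable Keycloak attribute instead of the stable OIDC subject; if Akkoma matches existing accounts on `auth.uid` (the OAuth consumer code is outside this patch, so this is inferred), a renamed or recycled Keycloak username could be linked to someone else's account. Prefer `uid_field: :sub` — it is returned under the `openid` scope the patch now requests and never changes for a given user — and use `preferred_username` only for display or as a registration nickname suggestion. If `preferred_username` was chosen deliberately (e.g. the strategy's user map does not expose `sub` for this realm), state that in the patch description: the subject `fix scope` does not mention the uid change at all.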
diff --git a/modules/services/akkoma/default.nix b/modules/services/akkoma/default.nix
index 3671cb4..c2e9347 100644
--- a/modules/services/akkoma/default.nix
+++ b/modules/services/akkoma/default.nix
@@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, inputs, ... }:
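Review bot: `inputs` is added to the module's argument set, but no hunk in this commit references it; if nothing in the rest of default.nix uses it either (only part of the file is shown), the addition is dead and should be dropped. If it is used, the module now silently requires the flake to pass `inputs` through `specialArgs`, which is worth a line in the commit message.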
 
 with lib;
 let
@@ -12,6 +12,8 @@ in
 {
   options.modules.services.akkoma = {
     enable = mkEnableOption "Akkoma instance";
+    package = mkOption { type = types.package; default = pkgs.akkoma; };
+
     domain = mkOption { type = types.str; };
     realHost = mkOption { type = types.str; };
     instanceName = mkOption { type = types.str; default = "Akkoma on ${cfg.domain}"; };
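Review bot: The new `package` option reads as "the exact package to run", but later in this commit `services.akkoma.package` is set to `cfg.package.overrideAttrs (...)`, so whatever the caller supplies gets the OAuth2 consumer deps and the ueberauth_keycloak patch overlaid on top. Say so on the option: `description = "Base Akkoma package; OAuth2 consumer deps and the Keycloak scope patch are overlaid on it.";`. A caller who passes a package that already carries those changes, or a release without the token login method, will otherwise be surprised.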
@@ -25,7 +27,7 @@ in
 
     services.akkoma = {
       enable = true;
-      package = pkgs.akkoma.overrideAttrs (old: {
+      package = cfg.package.overrideAttrs (old: {
         # Akkoma doesn't include OAuth2 dependencies by default
         # This can be obtained by running `OAUTH_CONSUMER_STRATEGIES="..." mix deps.get`.
         # The server should also be launched with the same environment variable set.
@@ -56,6 +58,13 @@ in
               sha256 = "06r10w0azlpypjgggar1lf7h2yazn2dpyicy97zxkjyxgf9jfc60";
             };
 
+            # There must be a way to configure this using config.exs and patchPhase,
+            # But just applying a patch is easier since patching ueberauth and
+            # this package didn't do the trick.
+            patches = [
+              ./0001-fix-scope.patch
+            ];
+
             beamDeps = [ oauth2 oldMixDeps.ueberauth ];
           };
         };
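Review bot: The comment above `patches` records a frustration rather than what the patch does, which is the thing the next maintainer needs when the pinned `ueberauth_keycloak` source (the `sha256` just above) is bumped and the patch stops applying. Replace it with the concrete change: `# ueberauth_keycloak ships GitLab-style defaults (scope "api read_user read_registry", uid_field :id); 0001-fix-scope.patch switches them to OIDC scopes and preferred_username.` Ueberauth strategies normally take `default_scope`/`uid_field` from the provider options in `config :ueberauth, Ueberauth, providers:`, so if the earlier attempt to set them there failed, naming what went wrong (rather than "didn't do the trick") would let someone retire the patch later.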
@@ -76,6 +85,7 @@ in
         let inherit ((pkgs.formats.elixirConf { }).lib) mkRaw mkMap mkTuple;
         in {
           ":pleroma"."Pleroma.Web.Endpoint".url.host = cfg.realHost;
+          ":pleroma"."Pleroma.Web.Endpoint".extra_cookie_attrs = [ "SameSite=Lax" ];
           ":pleroma"."Pleroma.Web.WebFinger".domain = cfg.domain;
           ":pleroma".":media_proxy".enabled = false;
           ":pleroma".":instance" = {
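Review bot: `extra_cookie_attrs = [ "SameSite=Lax" ]` is added with no comment tying it to the OAuth fix, and since it replaces the attribute list wholesale rather than appending, the reason should be recorded: `# Lax (not Strict) so the session/state cookie survives the top-level redirect back from the Keycloak callback`. Lax is the right floor for a redirect-based login; confirm `secure_cookie_flag` remains enabled separately (it is not visible in this hunk) so the cookie is never sent over plaintext HTTP. If Akkoma already defaults to `SameSite=Lax`, this line is a no-op and the comment should say it is an explicit pin.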
@@ -86,6 +96,7 @@ in
             notify_email = poorObfuscation cfg.domain "postmaster";
 
             registrations_open = false;
+            account_approval_required = true;
             invites_enabled = true;
 
             limit = 5000;
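Review bot: `account_approval_required = true` sits next to `registrations_open = false` and `invites_enabled = true`, so the only accounts it can gate are invite-based and, after this commit, OAuth-provisioned ones; in Pleroma-derived code invite registrations and OAuth consumer registration may not pass through the approval queue, so verify the flag actually applies to the path you mean to moderate rather than assuming it does. A one-line intent comment would help whoever revisits this: `# Require moderator approval for any account that does get created (invite or OAuth-linked); open self-registration stays off.`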
@@ -95,7 +106,7 @@ in
               logo = "/static/logo.png";
               # FIXME: https://akkoma.dev/AkkomaGang/akkoma/pulls/668
               # TODO: enable on next release
-              # loginMethod = "token";
+              loginMethod = "token";
             };
           };
           ":pleroma".":mrf" = {
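Review bot: The `# FIXME: https://akkoma.dev/AkkomaGang/akkoma/pulls/668` and `# TODO: enable on next release` lines directly above `loginMethod = "token";` are now stale, since the setting is enabled in this same hunk. Replace them with the constraint that still holds: `# Needs akkoma PR 668 in the running release; an older cfg.package will ignore this.` The enclosing `:pleroma` config attribute set continues past the end of the hunk.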