From 60b28b4bed95a745ba1050ebc2fb0c8dc6f925f9 Mon Sep 17 00:00:00 2001 From: sefidel Date: Tue, 20 Feb 2024 19:12:10 +0900 Subject: fix(modules/akkoma): fix OAuth login --- flake.lock | 98 ++++++++++++++++++++++++++-- flake.nix | 4 +- modules/services/akkoma/0001-fix-scope.patch | 28 ++++++++ modules/services/akkoma/default.nix | 17 ++++- systems/cobalt/default.nix | 3 + 5 files changed, 141 insertions(+), 9 deletions(-) create mode 100644 modules/services/akkoma/0001-fix-scope.patch diff --git a/flake.lock b/flake.lock index 314a233..3ed8a85 100644 --- a/flake.lock +++ b/flake.lock @@ -147,6 +147,22 @@ "type": "github" } }, + "flake-compat_5": { + "flake": false, + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, "flake-parts": { "inputs": { "nixpkgs-lib": "nixpkgs-lib" @@ -165,6 +181,24 @@ "type": "github" } }, + "flake-parts_2": { + "inputs": { + "nixpkgs-lib": "nixpkgs-lib_2" + }, + "locked": { + "lastModified": 1706830856, + "narHash": "sha256-a0NYyp+h9hlb7ddVz4LUn1vT/PLwqfrWYcHMvFB1xYg=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "b253292d9c0a5ead9bc98c4e9a26c6312e27d69f", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, "flake-utils": { "inputs": { "systems": "systems" 
@@ -302,16 +336,15 @@ }, "nixpkgs": { "locked": { - "lastModified": 1673606088, - "narHash": "sha256-wdYD41UwNwPhTdMaG0AIe7fE1bAdyHe6bB4HLUqUvck=", + "lastModified": 1708370087, + "narHash": "sha256-B/9pdlxpPkGLIkkv/rsTYm13D5vSqy8ufz6a7CKZLQw=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "37b97ae3dd714de9a17923d004a2c5b5543dfa6d", + "rev": "b927b88ae0437875c72a782d2d860a53d63076a3", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixpkgs-unstable", "repo": "nixpkgs", "type": "github" } @@ -378,6 +411,26 @@ "type": "indirect" } }, + "nixpkgs-exotic": { + "inputs": { + "flake-compat": "flake-compat_5", + "flake-parts": "flake-parts_2", + "nixpkgs": "nixpkgs" + }, + "locked": { + "lastModified": 1708376361, + "narHash": "sha256-ltUn95mmZDaoDUbHo48wCEw+M9ZDW+YjWq5ytMjdBKU=", + "ref": "refs/heads/main", + "rev": "99e52cee44959fa6b5a46301f00b151e9ea765c3", + "revCount": 1, + "type": "git", + "url": "https://git.exotic.sh/nixpkgs-exotic" + }, + "original": { + "type": "git", + "url": "https://git.exotic.sh/nixpkgs-exotic" + } + }, "nixpkgs-lib": { "locked": { "dir": "lib", @@ -396,6 +449,24 @@ "type": "github" } }, + "nixpkgs-lib_2": { + "locked": { + "dir": "lib", + "lastModified": 1706550542, + "narHash": "sha256-UcsnCG6wx++23yeER4Hg18CXWbgNpqNXcHIo5/1Y+hc=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "97b17f32362e475016f942bbdfda4a4a72a8a652", + "type": "github" + }, + "original": { + "dir": "lib", + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, "nixpkgs-stable": { "locked": { "lastModified": 1707603439, 
@@ -412,6 +483,22 @@ "type": "github" } }, + "nixpkgs_2": { + "locked": { + "lastModified": 1673606088, + "narHash": "sha256-wdYD41UwNwPhTdMaG0AIe7fE1bAdyHe6bB4HLUqUvck=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "37b97ae3dd714de9a17923d004a2c5b5543dfa6d", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, "poetry2nix": { "inputs": { "flake-utils": [ @@ -448,6 +535,7 @@ "impermanence": "impermanence", "nixos-mailserver": "nixos-mailserver", "nixpkgs-2111": "nixpkgs-2111", + "nixpkgs-exotic": "nixpkgs-exotic", "sefidel-web": "sefidel-web", "sops-nix": "sops-nix", "unstable": "unstable", @@ -457,7 +545,7 @@ "sefidel-web": { "inputs": { "flake-utils": "flake-utils_3", - "nixpkgs": "nixpkgs" + "nixpkgs": "nixpkgs_2" }, "locked": { "lastModified": 1708115165, diff --git a/flake.nix b/flake.nix index 3ef69b4..e9f1a01 100644 --- a/flake.nix +++ b/flake.nix @@ -6,6 +6,8 @@ unstable-small.url = "github:nixos/nixpkgs/nixos-unstable-small"; nixpkgs-2111.url = "github:nixos/nixpkgs/nixos-21.11"; + nixpkgs-exotic.url = "git+https://git.exotic.sh/nixpkgs-exotic"; + colmena.url = "github:zhaofengli/colmena"; colmena.inputs.nixpkgs.follows = "unstable"; @@ -32,7 +34,7 @@ system = "x86_64-linux"; - pkgs = import unstable { inherit system; }; + pkgs = import unstable { inherit system; overlays = [ inputs.nixpkgs-exotic.overlays.default ]; }; lib = unstable.lib.extend (self: super: { my = import ./lib { inherit pkgs inputs; lib = self; }; }); diff --git a/modules/services/akkoma/0001-fix-scope.patch b/modules/services/akkoma/0001-fix-scope.patch new file mode 100644 index 0000000..a0f8780 --- /dev/null +++ b/modules/services/akkoma/0001-fix-scope.patch 
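Review bot: `nixpkgs-exotic.url = "git+https://git.exotic.sh/nixpkgs-exotic";` declares the new input without a `follows` for its own `nixpkgs`, although `colmena.inputs.nixpkgs.follows = "unstable";` two lines below shows this file's convention; the lock file in the same commit shows the consequence, a separate `nixpkgs` node (plus `flake-parts_2` and `flake-compat_5`) brought in by that input. Add `nixpkgs-exotic.inputs.nixpkgs.follows = "unstable";` so the flake keeps a single nixpkgs to audit and update. The URL also carries no `?ref=` or `?rev=`: the lock pins `rev` and `narHash` today, so builds stay reproducible, but every `nix flake update` will take whatever `refs/heads/main` on that self-hosted remote points at, so consider pinning a tag or ref to make that trust decision explicit in the source rather than only in the lock.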
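Review bot: `overlays = [ inputs.nixpkgs-exotic.overlays.default ];` applies a third-party overlay to the `pkgs` set that every system in this flake is evaluated from, while the only thing this commit consumes from it is `pkgs.exoticPackages.akkoma` on cobalt; anything else the overlay overrides replaces the nixpkgs version globally, and a later update of that remote can change packages unrelated to Akkoma with no visible diff in this repository. I cannot see what the overlay defines from this diff, so if `exoticPackages` is all that is needed, consider applying the overlay only on the host that runs Akkoma (for example via the host's `nixpkgs.overlays`) instead of in the flake-wide `pkgs`. If the global overlay is intentional, a comment on this line saying so, and naming what it is expected to override, would save the next reader from guessing.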
@@ -0,0 +1,28 @@
+From a72bafca8fae2d0663127fa07f44284598a3631a Mon Sep 17 00:00:00 2001
+From: sefidel
+Date: Tue, 20 Feb 2024 18:52:01 +0900
+Subject: [PATCH] fix scope
+
+Signed-off-by: sefidel
+---
+ lib/ueberauth/strategy/keycloak.ex | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/ueberauth/strategy/keycloak.ex b/lib/ueberauth/strategy/keycloak.ex
+index fa6e84b..413b3d5 100644
+--- a/lib/ueberauth/strategy/keycloak.ex
++++ b/lib/ueberauth/strategy/keycloak.ex
+@@ -71,8 +71,8 @@ defmodule Ueberauth.Strategy.Keycloak do
+ require Logger
+
+ use Ueberauth.Strategy,
+- uid_field: :id,
+- default_scope: "api read_user read_registry",
++ uid_field: :preferred_username,
++ default_scope: "openid profile email",
+ oauth2_module: Ueberauth.Strategy.Keycloak.OAuth
+
+ alias Ueberauth.Auth.Info
+--
+2.43.0
+
diff --git a/modules/services/akkoma/default.nix b/modules/services/akkoma/default.nix
index 3671cb4..c2e9347 100644
--- a/modules/services/akkoma/default.nix
+++ b/modules/services/akkoma/default.nix
@@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, inputs, ... }:
 
 with lib;
 let
@@ -12,6 +12,8 @@ in
 {
 options.modules.services.akkoma = {
 enable = mkEnableOption "Akkoma instance";
+ package = mkOption { type = types.package; default = pkgs.akkoma; };
+
 domain = mkOption { type = types.str; };
 realHost = mkOption { type = types.str; };
 instanceName = mkOption { type = types.str; default = "Akkoma on ${cfg.domain}"; };
@@ -25,7 +27,7 @@ in
 
 services.akkoma = {
 enable = true;
- package = pkgs.akkoma.overrideAttrs (old: {
+ package = cfg.package.overrideAttrs (old: {
 # Akkoma doesn't include OAuth2 dependencies by default
 # This can be obtained by running `OAUTH_CONSUMER_STRATEGIES="..." mix deps.get`.
 # The server should also be launched with the same environment variable set.
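Review bot: `uid_field: :preferred_username,` makes Akkoma identify the authenticated user by a Keycloak claim that is a mutable, human-readable username rather than a stable identifier: realm administrators (and, where account self-service is enabled, users themselves) can change it, and a released username can later be assigned to a different person, who would then be mapped onto the existing Akkoma account. The OIDC subject claim `sub`, which the `openid` scope added on the next line is meant to unlock, is the stable per-user value; unless the Akkoma side needs the username as the uid, `uid_field: :sub,` is the safer choice. I cannot see from this patch how the strategy's uid callback reads the userinfo map, so confirm `sub` is present there before switching. The rest of `Ueberauth.Strategy.Keycloak` is outside the patch.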
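Review bot: `inputs` is added to the module's argument set in `{ config, lib, pkgs, inputs, ... }:`, but none of the hunks in this commit read it: the patch is referenced as `./0001-fix-scope.patch` and the new option defaults to `pkgs.akkoma`. If no part of the file outside this diff uses it, drop it again; an unused module argument implies a dependency on the flake inputs that the module does not actually have.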
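Review bot: the new `package` option has no `description`, and `default = pkgs.akkoma` without `defaultText` means any option-documentation build must evaluate the derivation to print the default. Suggest `package = mkOption { type = types.package; default = pkgs.akkoma; defaultText = literalExpression "pkgs.akkoma"; description = "Akkoma derivation to patch with the OAuth strategy fix and run."; };`, with `literalExpression` available through the file's `with lib;`.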
@@ -56,6 +58,13 @@ in
 sha256 = "06r10w0azlpypjgggar1lf7h2yazn2dpyicy97zxkjyxgf9jfc60";
 };
 
+ # There must be a way to configure this using config.exs and patchPhase,
+ # But just applying a patch is easier since patching ueberauth and
+ # this package didn't do the trick.
+ patches = [
+ ./0001-fix-scope.patch
+ ];
+
 beamDeps = [ oauth2 oldMixDeps.ueberauth ];
 };
 };
@@ -76,6 +85,7 @@ in
 let inherit ((pkgs.formats.elixirConf { }).lib) mkRaw mkMap mkTuple;
 in {
 ":pleroma"."Pleroma.Web.Endpoint".url.host = cfg.realHost;
+ ":pleroma"."Pleroma.Web.Endpoint".extra_cookie_attrs = [ "SameSite=Lax" ];
 ":pleroma"."Pleroma.Web.WebFinger".domain = cfg.domain;
 ":pleroma".":media_proxy".enabled = false;
 ":pleroma".":instance" = {
@@ -86,6 +96,7 @@ in
 notify_email = poorObfuscation cfg.domain "postmaster";
 
 registrations_open = false;
+ account_approval_required = true;
 invites_enabled = true;
 
 limit = 5000;
@@ -95,7 +106,7 @@ in
 logo = "/static/logo.png";
 # FIXME: https://akkoma.dev/AkkomaGang/akkoma/pulls/668
 # TODO: enable on next release
- # loginMethod = "token";
+ loginMethod = "token";
 };
 };
 ":pleroma".":mrf" = {
diff --git a/systems/cobalt/default.nix b/systems/cobalt/default.nix
index 036e459..285fe61 100644
--- a/systems/cobalt/default.nix
+++ b/systems/cobalt/default.nix
@@ -321,6 +321,9 @@ in
 };
 services.akkoma = {
 enable = true;
+ # v3.10.4 with OAuth fixes backported
+ package = pkgs.exoticPackages.akkoma;
+
 domain = "exotic.sh";
 realHost = "social.exotic.sh";
 instanceName = "exotic.sh social";
--
cgit 1.4.1
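Review bot: `patches = [ ./0001-fix-scope.patch ];` inside `overrideAttrs` replaces, rather than extends, whatever `patches` the base derivation already carries; with cobalt now passing `pkgs.exoticPackages.akkoma`, described in this commit as "v3.10.4 with OAuth fixes backported", any backports that package applies as patches would be silently dropped. Use `patches = (old.patches or [ ]) ++ [ ./0001-fix-scope.patch ];` instead. The path the patch touches, `lib/ueberauth/strategy/keycloak.ex`, belongs to the ueberauth_keycloak dependency rather than the Akkoma tree, so this presumably relies on that dependency being unpacked into the source root before patchPhase runs; the existing comment says patching ueberauth directly did not work but not why this does, and a sentence stating that assumption would help whoever next bumps the dependency. The `overrideAttrs` body starts before this hunk.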
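Review bot: `extra_cookie_attrs = [ "SameSite=Lax" ]` is set without a note on why `Lax` rather than `Strict`, which matters here: the OAuth callback is a top-level cross-site redirect from Keycloak back to Akkoma, and a `Strict` session cookie is not sent on that request, so a later hardening pass would re-break the login this commit fixes. Add `# Lax, not Strict: the session cookie must survive the top-level redirect back from the IdP.` above the line. Whether the cookie also carries `Secure` is governed elsewhere and is not visible in this hunk, so it is worth confirming separately.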
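Review bot: `loginMethod = "token";` is enabled while the `# FIXME: https://akkoma.dev/AkkomaGang/akkoma/pulls/668` and `# TODO: enable on next release` lines above it are kept verbatim, so the block now reads as if the setting were still waiting on an upstream fix. Either drop both comments or replace them with the reason it is now safe, for example `# Needs the fix from https://akkoma.dev/AkkomaGang/akkoma/pulls/668, carried by the backported 3.10.4 package.`, which also explains why cobalt's package choice and this line must change together. The enclosing attribute set starts before this hunk.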