From 60b28b4bed95a745ba1050ebc2fb0c8dc6f925f9 Mon Sep 17 00:00:00 2001
From: sefidel
Date: Tue, 20 Feb 2024 19:12:10 +0900
Subject: fix(modules/akkoma): fix OAuth login
---
modules/services/akkoma/0001-fix-scope.patch | 28 ++++++++++++++++++++++++++++
modules/services/akkoma/default.nix | 17 ++++++++++++++---
2 files changed, 42 insertions(+), 3 deletions(-)
create mode 100644 modules/services/akkoma/0001-fix-scope.patch
(limited to 'modules/services/akkoma')
diff --git a/modules/services/akkoma/0001-fix-scope.patch b/modules/services/akkoma/0001-fix-scope.patch
new file mode 100644
index 0000000..a0f8780
--- /dev/null
+++ b/modules/services/akkoma/0001-fix-scope.patch
@@ -0,0 +1,28 @@
+From a72bafca8fae2d0663127fa07f44284598a3631a Mon Sep 17 00:00:00 2001
+From: sefidel
+Date: Tue, 20 Feb 2024 18:52:01 +0900
+Subject: [PATCH] fix scope
+
+Signed-off-by: sefidel
+---
+ lib/ueberauth/strategy/keycloak.ex | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/ueberauth/strategy/keycloak.ex b/lib/ueberauth/strategy/keycloak.ex
+index fa6e84b..413b3d5 100644
+--- a/lib/ueberauth/strategy/keycloak.ex
++++ b/lib/ueberauth/strategy/keycloak.ex
+@@ -71,8 +71,8 @@ defmodule Ueberauth.Strategy.Keycloak do
+ require Logger
+
+ use Ueberauth.Strategy,
+- uid_field: :id,
+- default_scope: "api read_user read_registry",
++ uid_field: :preferred_username,
++ default_scope: "openid profile email",
+ oauth2_module: Ueberauth.Strategy.Keycloak.OAuth
+
+ alias Ueberauth.Auth.Info
+--
+2.43.0
+
diff --git a/modules/services/akkoma/default.nix b/modules/services/akkoma/default.nix
index 3671cb4..c2e9347 100644
--- a/modules/services/akkoma/default.nix
+++ b/modules/services/akkoma/default.nix
@@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, inputs, ... }:
 with lib;
 let
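Review bot: `uid_field: :preferred_username` links the Akkoma account to a claim that Keycloak allows to be changed by an administrator (and, depending on realm settings, by the user) and to be reused after deletion, so a renamed or re-created username can be mapped onto an existing account; the stable identifier in OIDC is `sub`, which Keycloak's userinfo response carries. Unless the realm is known to forbid username edits and reuse, `uid_field: :sub,` is the safer choice here, assuming the strategy looks `uid_field` up on the userinfo map as the original `:id` was. The `default_scope` change to `"openid profile email"` is the correct set for an OIDC provider; the previous GitLab-style scopes would not have yielded an id token at all. Since the fix lives in a patch against the dependency's source, it will need re-checking whenever that dependency's revision is bumped.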
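Review bot: `inputs` is added to the module's argument set but no hunk in this commit reads it, and the diffstat accounts for every changed line in default.nix, so within this file it appears unused; if nothing else in default.nix needs it, drop it from `{ config, lib, pkgs, inputs, ... }:` so the module's dependence on flake inputs stays explicit. If it is intended for a follow-up change, a one-line comment saying so would stop the next reader from removing it.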
@@ -12,6 +12,8 @@ in
 {
 options.modules.services.akkoma = {
 enable = mkEnableOption "Akkoma instance";
+ package = mkOption { type = types.package; default = pkgs.akkoma; };
+
 domain = mkOption { type = types.str; };
 realHost = mkOption { type = types.str; };
 instanceName = mkOption { type = types.str; default = "Akkoma on ${cfg.domain}"; };
@@ -25,7 +27,7 @@ in
 services.akkoma = {
 enable = true;
- package = pkgs.akkoma.overrideAttrs (old: {
+ package = cfg.package.overrideAttrs (old: {
 # Akkoma doesn't include OAuth2 dependencies by default
 # This can be obtained by running `OAUTH_CONSUMER_STRATEGIES="..." mix deps.get`.
 # The server should also be launched with the same environment variable set.
@@ -56,6 +58,13 @@ in
 sha256 = "06r10w0azlpypjgggar1lf7h2yazn2dpyicy97zxkjyxgf9jfc60";
 };
+ # There must be a way to configure this using config.exs and patchPhase,
+ # But just applying a patch is easier since patching ueberauth and
+ # this package didn't do the trick.
+ patches = [
+ ./0001-fix-scope.patch
+ ];
+
 beamDeps = [ oauth2 oldMixDeps.ueberauth ];
 };
 };
@@ -76,6 +85,7 @@ in
 let inherit ((pkgs.formats.elixirConf { }).lib) mkRaw mkMap mkTuple;
 in {
 ":pleroma"."Pleroma.Web.Endpoint".url.host = cfg.realHost;
+ ":pleroma"."Pleroma.Web.Endpoint".extra_cookie_attrs = [ "SameSite=Lax" ];
 ":pleroma"."Pleroma.Web.WebFinger".domain = cfg.domain;
 ":pleroma".":media_proxy".enabled = false;
 ":pleroma".":instance" = {
@@ -86,6 +96,7 @@ in
 notify_email = poorObfuscation cfg.domain "postmaster";
 registrations_open = false;
+ account_approval_required = true;
 invites_enabled = true;
 limit = 5000;
@@ -95,7 +106,7 @@ in
 logo = "/static/logo.png";
 # FIXME: https://akkoma.dev/AkkomaGang/akkoma/pulls/668
 # TODO: enable on next release
- # loginMethod = "token";
+ loginMethod = "token";
 };
 };
 ":pleroma".":mrf" = {
--
cgit 1.4.1
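Review bot: The new `package` option carries no description and hand-rolls what nixpkgs' `mkPackageOption` already provides, including the default and generated documentation; `package = mkPackageOption pkgs "akkoma" { };` yields the same `types.package` option defaulting to `pkgs.akkoma`. Whatever is passed in must still support the `.overrideAttrs` call the module makes on it further down, which `types.package` does not check, so the description is also the place to say that.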
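Review bot: The comment above `patches` explains how the fix was applied but not what it changes, which is what the next person bumping this dependency needs to know before deciding whether the patch still applies or is still required. Replace it with a note that states the effect, along the lines of `# Keycloak is an OIDC provider; the strategy's GitLab-style defaults (uid :id, scope "api read_user read_registry") presumably give no usable uid, so this patch switches to uid :preferred_username and scope "openid profile email". Re-check on every version bump.` The derivation that `patches` is attached to starts before this hunk, so the block is only partially visible here.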
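Review bot: `extra_cookie_attrs = [ "SameSite=Lax" ]` is added with no note on why it matters to the OAuth flow: Lax is what lets the identity provider's top-level redirect back to the callback carry the session cookie while still keeping the cookie off cross-site POSTs, so `None` would loosen it and `Strict` would break the callback. A comment such as `# Lax: the IdP's top-level redirect back to the OAuth callback must carry the session cookie; do not relax to None` would both explain and guard the value. Note that this attribute only governs the session cookie; the `state` check on the callback remains the OAuth strategy's responsibility.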
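Review bot: The `# FIXME: https://akkoma.dev/AkkomaGang/akkoma/pulls/668` and `# TODO: enable on next release` lines directly above are now stale, since this hunk enables `loginMethod = "token";`; either drop both or reword the first to record why it is now safe, e.g. `# requires an akkoma release with https://akkoma.dev/AkkomaGang/akkoma/pulls/668 merged`. A TODO that says "enable" next to the enabled line will lead the next reader to assume the change was accidental and revert it.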