thary/sp-config
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(auth,forgejo): recognize admins

Browse Source
This commit is contained in:
Alexander Tomokhov
2024-12-30 05:13:28 +04:00
parent 153e1c12d5
commit 041479a48b
1 changed files with 13 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
sp-modules/gitea/module.nix
View File

@@ -17,7 +17,9 @@ let
is-auth-enabled = config.selfprivacy.modules.auth.enable; is-auth-enabled = config.selfprivacy.modules.auth.enable;
oauth-client-id = "forgejo"; oauth-client-id = "forgejo";
auth-passthru = config.passthru.selfprivacy.auth; auth-passthru = config.passthru.selfprivacy.auth;
redirect-uri = "https://git.${sp.domain}/user/oauth2/OAUTH/callback"; oauth2-provider-name = auth-passthru.oauth2-provider-name;
redirect-uri =
"https://git.${sp.domain}/user/oauth2/${oauth2-provider-name}/callback";
admins-group = "sp.forgejo.admins"; admins-group = "sp.forgejo.admins";
users-group = "sp.forgejo.users"; users-group = "sp.forgejo.users";
@@ -256,8 +258,6 @@ in
ALLOW_ONLY_EXTERNAL_REGISTRATION = true; ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
SHOW_REGISTRATION_BUTTON = false; SHOW_REGISTRATION_BUTTON = false;
ENABLE_BASIC_AUTHENTICATION = false; ENABLE_BASIC_AUTHENTICATION = false;
DEFAULT_USER_VISIBILITY = "limited";
DEFAULT_ORG_VISIBILITY = "limited";
}; };
# disallow explore page and access to private repositories, but allow public # disallow explore page and access to private repositories, but allow public
@@ -300,7 +300,7 @@ in
add_header X-XSS-Protection "1; mode=block"; add_header X-XSS-Protection "1; mode=block";
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict"; proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
'' + lib.strings.optionalString is-auth-enabled '' '' + lib.strings.optionalString is-auth-enabled ''
rewrite ^/user/login.*$ /user/oauth2/OAUTH last; rewrite ^/user/login$ /user/oauth2/${oauth2-provider-name} last;
# FIXME is it needed? # FIXME is it needed?
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
''; '';
@@ -341,10 +341,12 @@ in
''; '';
# FIXME secret # FIXME secret
oauthConfigArgs = '' oauthConfigArgs = ''
--name OAUTH \ --name "${oauth2-provider-name}" \
--provider openidConnect \ --provider openidConnect \
--key forgejo \ --key forgejo \
--secret VERYSTRONGSECRETFORFORGEJO \ --secret VERYSTRONGSECRETFORFORGEJO \
--group-claim-name groups \
--admin-group admins \
--auto-discover-url '${auth-passthru.oauth2-discovery-url oauth-client-id}' --auto-discover-url '${auth-passthru.oauth2-discovery-url oauth-client-id}'
''; '';
in in
@@ -363,7 +365,7 @@ in
${exe} admin auth add-ldap ${ldapConfigArgs} ${exe} admin auth add-ldap ${ldapConfigArgs}
fi fi
oauth_line="$(${exe} admin auth list | grep OAUTH | head -n 1)" oauth_line="$(${exe} admin auth list | grep "${oauth2-provider-name}" | head -n 1)"
if [[ -n "$oauth_line" ]]; then if [[ -n "$oauth_line" ]]; then
id="$(echo "$oauth_line" | ${pkgs.gawk}/bin/awk '{print $1}')" id="$(echo "$oauth_line" | ${pkgs.gawk}/bin/awk '{print $1}')"
${exe} admin auth update-oauth --id "$id" ${oauthConfigArgs} ${exe} admin auth update-oauth --id "$id" ${oauthConfigArgs}
@@ -383,7 +385,7 @@ in
}; };
}; };
# for ExecStartPre script to have access to /run/keys/* # for ExecStartPost script to have access to /run/keys/*
users.groups.keys.members = users.groups.keys.members =
lib.mkIf is-auth-enabled [ config.services.forgejo.group ]; lib.mkIf is-auth-enabled [ config.services.forgejo.group ];
@@ -421,6 +423,10 @@ in
# currently not possible due to https://github.com/kanidm/kanidm/issues/2882#issuecomment-2564490144 # currently not possible due to https://github.com/kanidm/kanidm/issues/2882#issuecomment-2564490144
# supplementaryScopeMaps."${admins-group}" = # supplementaryScopeMaps."${admins-group}" =
# [ "read:admin" "write:admin" ]; # [ "read:admin" "write:admin" ];
claimMaps.groups = {
joinType = "array";
valuesByGroup.${admins-group} = [ "admins" ];
};
}; };
}; };
}; };