auth: add imageFile option

auth/auth-module.nix

@@ -199,6 +199,13 @@ in
                 }
               );
             };
+            imageFile = mkOption {
+              type = types.nullOr lib.types.path;
+              description = ''
+                Filepath of an image which is displayed in Kanidm web GUI for a service.
+              '';
+              default = null;
+            };
           };
         }
       );
@@ -294,6 +301,7 @@ in
          , clientID
          , displayName
          , enablePkce
+         , imageFile
          , originLanding
          , originUrl
          , scopeMaps
@@ -312,8 +320,9 @@ in
               basicSecretFile
               claimMaps
               displayName
-              originUrl
+              imageFile
               originLanding
+              originUrl
               scopeMaps
               ;
             preferShortUsername = useShortPreferredUsername;

auth/auth.nix

@@ -87,15 +87,9 @@ lib.mkIf config.selfprivacy.sso.enable {
       _final: prev: {
         inherit (nixpkgs-2411.legacyPackages.${prev.system}) kanidm;
         kanidm-provision =
-          nixpkgs-2411.legacyPackages.${prev.system}.kanidm-provision.overrideAttrs (_: {
+          (nixpkgs-2411.legacyPackages.${prev.system}).callPackage
-            version = "git";
+            ./kanidm-provision.nix
-            src = prev.fetchFromGitHub {
+            { };
-              owner = "oddlama";
-              repo = "kanidm-provision";
-              rev = "d1f55c9247a6b25d30bbe90a74307aaac6306db4";
-              hash = "sha256-cZ3QbowmWX7j1eJRiUP52ao28xZzC96OdZukdWDHfFI=";
-            };
-          });
       }
     )
   ];

auth/kanidm-provision.nix

@@ -0,0 +1,52 @@
+{
+  lib,
+  rustPlatform,
+  fetchFromGitHub,
+  yq,
+  versionCheckHook,
+  nix-update-script,
+  nixosTests,
+}:
+
+rustPlatform.buildRustPackage rec {
+  pname = "kanidm-provision";
+  version = "1.2.0";
+
+  src = fetchFromGitHub {
+    owner = "oddlama";
+    repo = "kanidm-provision";
+    tag = "v${version}";
+    hash = "sha256-+NQJEAJ0DqKEV1cYZN7CLzGoBJNUL3SQAMmxRQG5DMI=";
+  };
+
+  postPatch = ''
+    tomlq -ti '.package.version = "${version}"' Cargo.toml
+  '';
+
+  useFetchCargoVendor = true;
+  cargoHash = "sha256-uo/TGyfNChq/t6Dah0HhXhAwktyQk0V/wewezZuftNk=";
+
+  nativeBuildInputs = [
+    yq # for `tomlq`
+  ];
+
+  nativeInstallCheckInputs = [ versionCheckHook ];
+  versionCheckProgramArg = "--version";
+  doInstallCheck = true;
+
+  passthru = {
+    tests = { inherit (nixosTests) kanidm-provisioning; };
+    updateScript = nix-update-script { };
+  };
+
+  meta = {
+    description = "A small utility to help with kanidm provisioning";
+    homepage = "https://github.com/oddlama/kanidm-provision";
+    license = with lib.licenses; [
+      asl20
+      mit
+    ];
+    maintainers = with lib.maintainers; [ oddlama ];
+    mainProgram = "kanidm-provision";
+  };
+}

auth/kanidm.nix

@@ -572,6 +572,16 @@ in
                 default = null;
               };
 
+              imageFile = mkOption {
+                description = ''
+                  Application image to display in the WebUI.
+                  Kanidm supports "image/jpeg", "image/png", "image/gif", "image/svg+xml", and "image/webp".
+                  The image will be uploaded each time kanidm-provision is run.
+                '';
+                type = types.nullOr types.path;
+                default = null;
+              };
+
               enableLocalhostRedirects = mkOption {
                 description = "Allow localhost redirects. Only for public clients.";
                 type = types.bool;

sp-modules/gitea/module.nix

@@ -386,6 +386,7 @@ in
 
       selfprivacy.auth.clients."${oauthClientID}" = {
         inherit adminsGroup usersGroup;
+        imageFile = "${pkgs.forgejo.data}/public/assets/img/logo.svg";
         subdomain = cfg.subdomain;
         isTokenNeeded = true;
         originLanding =