fix forgejo: OAuth secret, ExecStartPost ignore failure, subdomain
This commit is contained in:
Alexander Tomokhov
@@ -19,7 +19,7 @@ let
|
|||||||
auth-passthru = config.passthru.selfprivacy.auth;
|
auth-passthru = config.passthru.selfprivacy.auth;
|
||||||
oauth2-provider-name = auth-passthru.oauth2-provider-name;
|
oauth2-provider-name = auth-passthru.oauth2-provider-name;
|
||||||
redirect-uri =
|
redirect-uri =
|
||||||
"https://git.${sp.domain}/user/oauth2/${oauth2-provider-name}/callback";
|
"https://${cfg.subdomain}.${sp.domain}/user/oauth2/${oauth2-provider-name}/callback";
|
||||||
|
|
||||||
admins-group = "sp.forgejo.admins";
|
admins-group = "sp.forgejo.admins";
|
||||||
users-group = "sp.forgejo.users";
|
users-group = "sp.forgejo.users";
|
||||||
@@ -28,13 +28,21 @@ let
|
|||||||
kanidm-service-account-token-name = "${oauth-client-id}-service-account-token";
|
kanidm-service-account-token-name = "${oauth-client-id}-service-account-token";
|
||||||
kanidm-service-account-token-fp =
|
kanidm-service-account-token-fp =
|
||||||
"/run/keys/${oauth-client-id}/kanidm-service-account-token"; # FIXME sync with auth module
|
"/run/keys/${oauth-client-id}/kanidm-service-account-token"; # FIXME sync with auth module
|
||||||
kanidmExecStartPostScriptRoot = pkgs.writeShellScript
|
# TODO rewrite to tmpfiles.d
|
||||||
"${oauth-client-id}-kanidm-ExecStartPost-root-script.sh"
|
kanidmExecStartPreScriptRoot = pkgs.writeShellScript
|
||||||
|
"${oauth-client-id}-kanidm-ExecStartPre-root-script.sh"
|
||||||
''
|
''
|
||||||
# set-group-ID bit allows for kanidm user to create files,
|
# set-group-ID bit allows kanidm user to create files with another group
|
||||||
mkdir -p -v --mode=u+rwx,g+rs,g-w,o-rwx /run/keys/${oauth-client-id}
|
mkdir -p -v --mode=u+rwx,g+rs,g-w,o-rwx /run/keys/${oauth-client-id}
|
||||||
chown kanidm:${config.services.forgejo.group} /run/keys/${oauth-client-id}
|
chown kanidm:${config.services.forgejo.group} /run/keys/${oauth-client-id}
|
||||||
'';
|
'';
|
||||||
|
kanidm-oauth-client-secret-fp =
|
||||||
|
"/run/keys/${oauth-client-id}/kanidm-oauth-client-secret";
|
||||||
|
kanidmExecStartPreScript = pkgs.writeShellScript
|
||||||
|
"${oauth-client-id}-kanidm-ExecStartPre-script.sh" ''
|
||||||
|
[ -f "${kanidm-oauth-client-secret-fp}" ] || \
|
||||||
|
"${lib.getExe pkgs.openssl}" rand -base64 -out "${kanidm-oauth-client-secret-fp}" 32
|
||||||
|
'';
|
||||||
kanidmExecStartPostScript = pkgs.writeShellScript
|
kanidmExecStartPostScript = pkgs.writeShellScript
|
||||||
"${oauth-client-id}-kanidm-ExecStartPost-script.sh"
|
"${oauth-client-id}-kanidm-ExecStartPost-script.sh"
|
||||||
''
|
''
|
||||||
@@ -50,9 +58,9 @@ let
|
|||||||
else
|
else
|
||||||
echo "kanidm service account \"${kanidm-service-account-name}\" is not found"
|
echo "kanidm service account \"${kanidm-service-account-name}\" is not found"
|
||||||
echo "creating new kanidm service account \"${kanidm-service-account-name}\""
|
echo "creating new kanidm service account \"${kanidm-service-account-name}\""
|
||||||
if $KANIDM service-account create --name idm_admin ${kanidm-service-account-name} ${kanidm-service-account-name} idm_admin
|
if $KANIDM service-account create --name idm_admin "${kanidm-service-account-name}" "${kanidm-service-account-name}" idm_admin
|
||||||
then
|
then
|
||||||
"kanidm service account \"${kanidm-service-account-name}\" created"
|
echo "kanidm service account \"${kanidm-service-account-name}\" created"
|
||||||
else
|
else
|
||||||
echo "error: cannot create kanidm service account \"${kanidm-service-account-name}\""
|
echo "error: cannot create kanidm service account \"${kanidm-service-account-name}\""
|
||||||
exit 1
|
exit 1
|
||||||
@@ -60,10 +68,10 @@ let
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
# add Kanidm service account to `idm_mail_servers` group
|
# add Kanidm service account to `idm_mail_servers` group
|
||||||
$KANIDM group add-members idm_mail_servers ${kanidm-service-account-name}
|
$KANIDM group add-members idm_mail_servers "${kanidm-service-account-name}"
|
||||||
|
|
||||||
# create a new read-only token for kanidm
|
# create a new read-only token for kanidm
|
||||||
if ! KANIDM_SERVICE_ACCOUNT_TOKEN_JSON="$($KANIDM service-account api-token generate --name idm_admin ${kanidm-service-account-name} ${kanidm-service-account-token-name} --output json)"
|
if ! KANIDM_SERVICE_ACCOUNT_TOKEN_JSON="$($KANIDM service-account api-token generate --name idm_admin "${kanidm-service-account-name}" "${kanidm-service-account-token-name}" --output json)"
|
||||||
then
|
then
|
||||||
echo "error: kanidm CLI returns an error when trying to generate service-account api-token"
|
echo "error: kanidm CLI returns an error when trying to generate service-account api-token"
|
||||||
exit 1
|
exit 1
|
||||||
@@ -339,12 +347,11 @@ in
|
|||||||
--bind-password "$(cat ${kanidm-service-account-token-fp})" \
|
--bind-password "$(cat ${kanidm-service-account-token-fp})" \
|
||||||
--synchronize-users
|
--synchronize-users
|
||||||
'';
|
'';
|
||||||
# FIXME secret
|
|
||||||
oauthConfigArgs = ''
|
oauthConfigArgs = ''
|
||||||
--name "${oauth2-provider-name}" \
|
--name "${oauth2-provider-name}" \
|
||||||
--provider openidConnect \
|
--provider openidConnect \
|
||||||
--key forgejo \
|
--key forgejo \
|
||||||
--secret VERYSTRONGSECRETFORFORGEJO \
|
--secret "$(<${kanidm-oauth-client-secret-fp})" \
|
||||||
--group-claim-name groups \
|
--group-claim-name groups \
|
||||||
--admin-group admins \
|
--admin-group admins \
|
||||||
--auto-discover-url '${auth-passthru.oauth2-discovery-url oauth-client-id}'
|
--auto-discover-url '${auth-passthru.oauth2-discovery-url oauth-client-id}'
|
||||||
@@ -375,9 +382,7 @@ in
|
|||||||
''
|
''
|
||||||
);
|
);
|
||||||
# TODO consider passing oauth consumer service to auth module instead
|
# TODO consider passing oauth consumer service to auth module instead
|
||||||
wants = lib.mkIf is-auth-enabled
|
requires = lib.mkIf is-auth-enabled
|
||||||
[ auth-passthru.oauth2-systemd-service ];
|
|
||||||
after = lib.mkIf is-auth-enabled
|
|
||||||
[ auth-passthru.oauth2-systemd-service ];
|
[ auth-passthru.oauth2-systemd-service ];
|
||||||
};
|
};
|
||||||
slices.gitea = {
|
slices.gitea = {
|
||||||
@@ -389,14 +394,14 @@ in
|
|||||||
users.groups.keys.members =
|
users.groups.keys.members =
|
||||||
lib.mkIf is-auth-enabled [ config.services.forgejo.group ];
|
lib.mkIf is-auth-enabled [ config.services.forgejo.group ];
|
||||||
|
|
||||||
|
systemd.services.kanidm.serviceConfig.ExecStartPre =
|
||||||
|
lib.mkIf is-auth-enabled [
|
||||||
|
("-+" + kanidmExecStartPreScriptRoot)
|
||||||
|
("-" + kanidmExecStartPreScript)
|
||||||
|
];
|
||||||
systemd.services.kanidm.serviceConfig.ExecStartPost =
|
systemd.services.kanidm.serviceConfig.ExecStartPost =
|
||||||
lib.mkIf is-auth-enabled
|
lib.mkIf is-auth-enabled
|
||||||
(lib.mkAfter
|
(lib.mkAfter [ ("-" + kanidmExecStartPostScript) ]);
|
||||||
[
|
|
||||||
("+" + kanidmExecStartPostScriptRoot)
|
|
||||||
kanidmExecStartPostScript
|
|
||||||
]
|
|
||||||
);
|
|
||||||
services.kanidm.provision = lib.mkIf is-auth-enabled {
|
services.kanidm.provision = lib.mkIf is-auth-enabled {
|
||||||
groups = {
|
groups = {
|
||||||
"${admins-group}".members = [ "sp.admins" ];
|
"${admins-group}".members = [ "sp.admins" ];
|
||||||
@@ -406,7 +411,7 @@ in
|
|||||||
displayName = "Forgejo";
|
displayName = "Forgejo";
|
||||||
originUrl = redirect-uri;
|
originUrl = redirect-uri;
|
||||||
originLanding = "https://${cfg.subdomain}.${sp.domain}/";
|
originLanding = "https://${cfg.subdomain}.${sp.domain}/";
|
||||||
basicSecretFile = pkgs.writeText "bs-forgejo" "VERYSTRONGSECRETFORFORGEJO"; # FIXME
|
basicSecretFile = kanidm-oauth-client-secret-fp;
|
||||||
# when true, name is passed to a service instead of name@domain
|
# when true, name is passed to a service instead of name@domain
|
||||||
preferShortUsername = true;
|
preferShortUsername = true;
|
||||||
allowInsecureClientDisablePkce = true; # FIXME is it needed?
|
allowInsecureClientDisablePkce = true; # FIXME is it needed?
|
||||||
|
|||||||
Reference in New Issue
Block a user