fix forgejo,auth: wait until OAuth2 discovery URL is online

Previously, the Forgejo systemd service failed quickly, because kanidm sends its readiness notice to systemd before the discovery URL is ready.
This commit is contained in:
Alexander Tomokhov
2025-04-11 14:06:06 +04:00
parent 54bb84ca46
commit a5f497d9cf


@@ -20,6 +20,7 @@ let
oauth2-provider-name = auth-passthru.oauth2-provider-name; oauth2-provider-name = auth-passthru.oauth2-provider-name;
redirect-uri = redirect-uri =
"https://${cfg.subdomain}.${sp.domain}/user/oauth2/${oauth2-provider-name}/callback"; "https://${cfg.subdomain}.${sp.domain}/user/oauth2/${oauth2-provider-name}/callback";
oauthDiscoveryURL = auth-passthru.oauth2-discovery-url oauthClientID;
# SelfPrivacy uses SP Module ID to identify the group! # SelfPrivacy uses SP Module ID to identify the group!
adminsGroup = "sp.gitea.admins"; adminsGroup = "sp.gitea.admins";
@@ -299,6 +300,23 @@ in
systemd.services.forgejo = { systemd.services.forgejo = {
preStart = preStart =
let let
waitForURL = url: maxRetries: delaySec: ''
for ((i=1; i<=${toString maxRetries}; i++))
do
if ${lib.getExe pkgs.curl} -X GET --silent --fail "${url}" > /dev/null
then
echo "${url} responds to GET HTTP request (attempt #$i)"
exit 0
else
echo "${url} does not respond to GET HTTP request (attempt #$i)"
echo sleeping for ${toString delaySec} seconds
fi
sleep ${toString delaySec}
done
echo "error, max attempts to access "${url}" have been used unsuccessfully!"
exit 124
'';
exe = lib.getExe config.services.forgejo.package; exe = lib.getExe config.services.forgejo.package;
# FIXME skip-tls-verify, bind-password # FIXME skip-tls-verify, bind-password
ldapConfigArgs = '' ldapConfigArgs = ''
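Review bot: The `exit 0` in the success branch of `waitForURL` terminates the whole preStart shell script, so as soon as the discovery URL answers, everything merged after it in `preStart` — including the `lib.mkAfter` LDAP/OAuth configuration block this same commit wires in below — never runs; the loop should `break` and only the exhausted case should `exit 124`. The error line `echo "error, max attempts to access "${url}" have been used unsuccessfully!"` closes and reopens the quoted string around the URL, which only works because the URL contains no whitespace; keep `${url}` inside the quotes. With the arguments `10 10` used below the worst case is 100 s of waiting before the rest of preStart starts, so the unit's start timeout presumably needs to cover that — worth confirming. The `preStart = let … in …` binding that encloses this helper starts before the hunk and continues past it.
```nix
waitForURL = url: maxRetries: delaySec: ''
  for ((i=1; i<=${toString maxRetries}; i++))
  do
    if ${lib.getExe pkgs.curl} -X GET --silent --fail "${url}" > /dev/null
    then
      echo "${url} responds to GET HTTP request (attempt #$i)"
      break
    fi
    echo "${url} does not respond to GET HTTP request (attempt #$i)"
    echo sleeping for ${toString delaySec} seconds
    sleep ${toString delaySec}
  done
  # only the exhausted case aborts preStart; a successful probe falls through
  if (( i > ${toString maxRetries} )); then
    echo "error, max attempts to access ${url} have been used unsuccessfully!"
    exit 124
  fi
'';
```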
@@ -327,32 +345,35 @@ in
--secret "$(< ${oauthClientSecretFP})" \ --secret "$(< ${oauthClientSecretFP})" \
--group-claim-name groups \ --group-claim-name groups \
--admin-group admins \ --admin-group admins \
--auto-discover-url '${auth-passthru.oauth2-discovery-url oauthClientID}' --auto-discover-url '${oauthDiscoveryURL}'
''; '';
in in
lib.mkAfter '' lib.mkMerge [
set -o xtrace (waitForURL oauthDiscoveryURL 10 10)
(lib.mkAfter ''
set -o xtrace
# Check if LDAP is already configured # Check if LDAP is already configured
ldap_line="$(${exe} admin auth list | grep LDAP | head -n 1)" ldap_line="$(${exe} admin auth list | grep LDAP | head -n 1)"
if [[ -n "$ldap_line" ]]; then if [[ -n "$ldap_line" ]]; then
# update ldap config # update ldap config
id="$(echo "$ldap_line" | ${pkgs.gawk}/bin/awk '{print $1}')" id="$(echo "$ldap_line" | ${pkgs.gawk}/bin/awk '{print $1}')"
${exe} admin auth update-ldap --id "$id" ${ldapConfigArgs} ${exe} admin auth update-ldap --id "$id" ${ldapConfigArgs}
else else
# initially configure ldap # initially configure ldap
${exe} admin auth add-ldap ${ldapConfigArgs} ${exe} admin auth add-ldap ${ldapConfigArgs}
fi fi
oauth_line="$(${exe} admin auth list | grep "${oauth2-provider-name}" | head -n 1)" oauth_line="$(${exe} admin auth list | grep "${oauth2-provider-name}" | head -n 1)"
if [[ -n "$oauth_line" ]]; then if [[ -n "$oauth_line" ]]; then
id="$(echo "$oauth_line" | ${pkgs.gawk}/bin/awk '{print $1}')" id="$(echo "$oauth_line" | ${pkgs.gawk}/bin/awk '{print $1}')"
${exe} admin auth update-oauth --id "$id" ${oauthConfigArgs} ${exe} admin auth update-oauth --id "$id" ${oauthConfigArgs}
else else
${exe} admin auth add-oauth ${oauthConfigArgs} ${exe} admin auth add-oauth ${oauthConfigArgs}
fi fi
''; '')
];
}; };
services.nginx.virtualHosts."${cfg.subdomain}.${sp.domain}" = { services.nginx.virtualHosts."${cfg.subdomain}.${sp.domain}" = {