fix forgejo,auth: wait until OAuth2 discovery URL is online

Previously, Forgejo systemd service failed quickly, because kanidm reports a notice to systemd before discovery URL is ready.
2025-04-11 14:06:06 +04:00
parent 54bb84ca46
commit a5f497d9cf
1 changed files with 42 additions and 21 deletions
--- a/sp-modules/gitea/module.nix
+++ b/sp-modules/gitea/module.nix
@@ -20,6 +20,7 @@ let
  oauth2-provider-name = auth-passthru.oauth2-provider-name;
  redirect-uri =
    "https://${cfg.subdomain}.${sp.domain}/user/oauth2/${oauth2-provider-name}/callback";
+  oauthDiscoveryURL = auth-passthru.oauth2-discovery-url oauthClientID;

  # SelfPrivacy uses SP Module ID to identify the group!
  adminsGroup = "sp.gitea.admins";
@@ -299,6 +300,23 @@ in
      systemd.services.forgejo = {
        preStart =
          let
+            waitForURL = url: maxRetries: delaySec: ''
+              for ((i=1; i<=${toString maxRetries}; i++))
+              do
+                  if ${lib.getExe pkgs.curl} -X GET --silent --fail "${url}" > /dev/null
+                  then
+                      echo "${url} responds to GET HTTP request (attempt #$i)"
+                      exit 0
+                  else
+                      echo "${url} does not respond to GET HTTP request (attempt #$i)"
+                      echo sleeping for ${toString delaySec} seconds
+                  fi
+                  sleep ${toString delaySec}
+              done
+              echo "error, max attempts to access "${url}" have been used unsuccessfully!"
+              exit 124
+            '';
+
            exe = lib.getExe config.services.forgejo.package;
            # FIXME skip-tls-verify, bind-password
            ldapConfigArgs = ''
@@ -327,10 +345,12 @@ in
              --secret "$(< ${oauthClientSecretFP})" \
              --group-claim-name groups \
              --admin-group admins \
-              --auto-discover-url '${auth-passthru.oauth2-discovery-url oauthClientID}'
+              --auto-discover-url '${oauthDiscoveryURL}'
            '';
          in
-          lib.mkAfter ''
+          lib.mkMerge [
+            (waitForURL oauthDiscoveryURL 10 10)
+            (lib.mkAfter ''
              set -o xtrace

              # Check if LDAP is already configured
@@ -352,7 +372,8 @@ in
              else
                ${exe} admin auth add-oauth ${oauthConfigArgs}
              fi
-          '';
+            '')
+          ];
      };

      services.nginx.virtualHosts."${cfg.subdomain}.${sp.domain}" = {