diff --git a/sp-modules/auth/module.nix b/sp-modules/auth/module.nix
index 80850ad..8670e81 100644
--- a/sp-modules/auth/module.nix
+++ b/sp-modules/auth/module.nix
@@ -98,6 +98,7 @@ in
 enable = true;
 autoRemove = true; # if false, obsolete oauth2 scopeMaps remain
 groups."sp.admins".present = true;
+ groups.${passthru.full-users-group}.present = true;
 };
 enableClient = true;
 clientSettings = {
@@ -184,6 +185,8 @@ in
 (lib.strings.splitString "." domain);
 ldap-host = "127.0.0.1";
 ldap-port = 3636;
+
+ full-users-group = "sp.full_users";
 };
 };
 }
diff --git a/sp-modules/gitea/module.nix b/sp-modules/gitea/module.nix
index 82e57ab..390c017 100644
--- a/sp-modules/gitea/module.nix
+++ b/sp-modules/gitea/module.nix
@@ -414,7 +414,8 @@ in
 services.kanidm.provision = {
 groups = {
 "${admins-group}".members = [ "sp.admins" ];
- "${users-group}".members = [ admins-group ];
+ "${users-group}".members =
+ [ admins-group auth-passthru.full-users-group ];
 };
 systems.oauth2.forgejo = {
 displayName = "Forgejo";
diff --git a/sp-modules/nextcloud/module.nix b/sp-modules/nextcloud/module.nix
index f8f9499..1ad01f5 100644
--- a/sp-modules/nextcloud/module.nix
+++ b/sp-modules/nextcloud/module.nix
@@ -383,7 +383,8 @@ in
 services.kanidm.provision = {
 groups = {
 "${admins-group}".members = [ "sp.admins" ];
- "${users-group}".members = [ admins-group ];
+ "${users-group}".members =
+ [ admins-group auth-passthru.full-users-group ];
 };
 systems.oauth2.${oauth-client-id} = {
 displayName = "Nextcloud";
diff --git a/sp-modules/roundcube/module.nix b/sp-modules/roundcube/module.nix
index 9ed07d4..996abc2 100644
--- a/sp-modules/roundcube/module.nix
+++ b/sp-modules/roundcube/module.nix
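Review bot: The new line `groups.${passthru.full-users-group}.present = true;` creates a group that every service module in this commit treats as an access grant, but nothing in the diff says who is meant to belong to it or how its membership is managed; a comment on that line such as `# sp.full_users: members inherit the users role of every SSO-enabled service (gitea, nextcloud, roundcube); membership is managed outside this module` would make the scope of that grant visible to anyone reviewing the auth module. Since no `members` attribute is declared for this group, it is worth confirming whether the kanidm provisioner treats an absent `members` as "unmanaged" or as an authoritative empty list, because in the latter case any member added interactively would be removed on the next activation. The same applies to the second hunk, where `full-users-group = "sp.full_users";` is added to the passthru set without a comment stating that this name is consumed by the other modules' kanidm provisioning. Both hunks sit inside attribute sets whose openings are outside the diff, and the `passthru` referenced in the first hunk is presumably the set the second hunk extends.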
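Review bot: The new member list `[ admins-group auth-passthru.full-users-group ]` makes membership in the auth module's full-users group equivalent to the users role in Forgejo, and the identical change in the nextcloud hunk of this commit and the roundcube hunk that follows repeats the grant for those services, so one kanidm group now confers access to all three without any local comment recording that. A comment beside the list, `# full-users members from the auth module get the users role here as well`, would keep the cross-module grant discoverable when someone later audits who can reach this service. Whether the users role actually unlocks the service depends on the oauth2 scope/claim maps lower in each module, which are outside these hunks.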
@@ -102,7 +102,8 @@ in
 services.kanidm.provision = {
 groups = {
 "sp.roundcube.admins".members = [ "sp.admins" ];
- "sp.roundcube.users".members = [ "sp.roundcube.admins" ];
+ "sp.roundcube.users".members =
+ [ "sp.roundcube.admins" auth-passthru.full-users-group ];
 };
 systems.oauth2.roundcube = {
 displayName = "Roundcube";
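Review bot: The rewritten member list repeats the literal `"sp.roundcube.admins"` that already names the group on the preceding context line, whereas the gitea and nextcloud hunks of this commit express the same relationship through `admins-group`/`users-group` bindings; if the roundcube module has or can introduce such bindings, `"${users-group}".members = [ admins-group auth-passthru.full-users-group ];` would keep the three modules uniform and avoid the two names drifting apart. Whether those bindings exist in this file cannot be seen from the hunk, and the enclosing `services.kanidm.provision` set continues beyond it.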