From 3294ff3da446f66d20176e591f9b4a02a6c9e459 Mon Sep 17 00:00:00 2001
From: Thary
Date: Sat, 20 Sep 2025 12:46:40 +0300
Subject: [PATCH] fix
---
 module.nix | 22 +++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)
diff --git a/module.nix b/module.nix
index 3fc34d4..553185d 100644
--- a/module.nix
+++ b/module.nix
@@ -11,12 +11,13 @@ let
 auth-passthru = config.selfprivacy.passthru.auth;
 oauthDiscoveryURL = auth-passthru.oauth2-discovery-url oauthClientID;
 issuer = lib.strings.removeSuffix "/.well-known/openid-configuration" oauthDiscoveryURL;
+ oauthRedirectURL = "https://${cfg.subdomain}.${sp.domain}/auth/auth/openid_connect/callback";
 usersGroup = "sp.mastodon.users";
 adminsGroup = "sp.mastodon.admins";
 oauthClientSecretFP = auth-passthru.mkOAuth2ClientSecretFP oauthClientID;
- oauthRedirectURL = "https://${cfg.subdomain}.${sp.domain}/auth/auth/openid_connect/callback";
+ serviceAccountFP = auth-passthru.mkServiceAccountTokenFP "mastodon";
 secrets = rec {
 dir = "/run/keys/mastodon";
@@ -61,6 +62,21 @@ in
 weight = 0;
 };
 };
+
+ dissallowUnauthenticatedAPI =
+ (lib.mkOption {
+ default = true;
+ type = lib.types.bool;
+ description = "Allow unauthenticated API access";
+ })
+ // {
+ meta = {
+ type = "bool";
+ weight = 1;
+ };
+ };
+
+
 };
 config = lib.mkIf cfg.enable {
@@ -96,6 +112,8 @@ in
 "SMTP_ENABLE_STARTTLS" = "always";
 "SMTP_TLS" = "true";
 "SMTP_SSL" = "true";
+
+ "DISALLOW_UNAUTHENTICATED_API_ACCESS" = lib.boolToString cfg.dissallowUnauthenticatedAPI;
 };
 };
 users.users.mastodon.isSystemUser = lib.mkForce false;
@@ -162,6 +180,8 @@ in
 selfprivacy.auth.clients.${oauthClientID} = {
 inherit usersGroup;
 inherit adminsGroup;
+ isTokenNeeded = true;
+ subdomain = cfg.subdomain;
 originLanding = "https://${cfg.subdomain}.${sp.domain}/";
 originUrl = oauthRedirectURL;
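Review bot: The new `serviceAccountFP` binding in the first hunk is not read by any line this patch touches, so it is either dead or consumed by code outside the patch (the `isTokenNeeded = true;` added in the last hunk looks like the related change, but that is inferred). Either drop it or document it where it is bound, e.g. `# path of the service-account token issued for the "mastodon" client; consumed outside this let-block`. Moving `oauthRedirectURL` above `usersGroup` in the same hunk is a pure reorder with no functional effect and would be clearer as a separate commit than under the title "fix".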
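Review bot: The option `dissallowUnauthenticatedAPI` in the second hunk is described as "Allow unauthenticated API access", the opposite of what its name and the `DISALLOW_UNAUTHENTICATED_API_ACCESS` wiring in the third hunk do, so an operator reading `default = true` will conclude the API is open when it is being closed. Change it to `description = "Disallow unauthenticated API access (sets DISALLOW_UNAUTHENTICATED_API_ACCESS); defaults to true, so upgrading existing instances switches their public API to authenticated-only";`. The option name also carries a typo (`dissallow`); because it becomes part of the user-facing config interface and is already referenced from the third hunk, fixing it now is far cheaper than after it ships. The two trailing blank lines before the closing `};` are stray.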
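Review bot: The blank line inserted between `"SMTP_SSL"` and the new `DISALLOW_UNAUTHENTICATED_API_ACCESS` entry in the third hunk separates the entry from the rest of the environment attrset for no reason; drop it and give the entry a why-comment instead, e.g. `# "true"/"false" via lib.boolToString; true is meant to make Mastodon reject unauthenticated API requests`. Because the option defaults to true, this single line changes behaviour for every existing deployment on upgrade, which neither the commit message `fix` nor the hunk records.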