fix

module.nix

@@ -11,12 +11,13 @@ let
   auth-passthru = config.selfprivacy.passthru.auth;
   oauthDiscoveryURL = auth-passthru.oauth2-discovery-url oauthClientID;
   issuer = lib.strings.removeSuffix "/.well-known/openid-configuration" oauthDiscoveryURL;
+  oauthRedirectURL = "https://${cfg.subdomain}.${sp.domain}/auth/auth/openid_connect/callback";
 
   usersGroup = "sp.mastodon.users";
   adminsGroup = "sp.mastodon.admins";
 
   oauthClientSecretFP = auth-passthru.mkOAuth2ClientSecretFP oauthClientID;
-  oauthRedirectURL = "https://${cfg.subdomain}.${sp.domain}/auth/auth/openid_connect/callback";
+  serviceAccountFP = auth-passthru.mkServiceAccountTokenFP "mastodon";
 
   secrets = rec {
     dir = "/run/keys/mastodon";
@@ -61,6 +62,21 @@ in
           weight = 0;
         };
       };
+
+    dissallowUnauthenticatedAPI =
+      (lib.mkOption {
+        default = true;
+        type = lib.types.bool;
+        description = "Allow unauthenticated API access";
+      })
+      // {
+        meta = {
+          type = "bool";
+          weight = 1;
+        };
+      };
+    
+    
   };
 
   config = lib.mkIf cfg.enable {
@@ -96,6 +112,8 @@ in
         "SMTP_ENABLE_STARTTLS" = "always";
         "SMTP_TLS" = "true";
         "SMTP_SSL" = "true";
+
+        "DISALLOW_UNAUTHENTICATED_API_ACCESS" = lib.boolToString cfg.dissallowUnauthenticatedAPI;
       };
     };
     users.users.mastodon.isSystemUser = lib.mkForce false;
@@ -162,6 +180,8 @@ in
     selfprivacy.auth.clients.${oauthClientID} = {
       inherit usersGroup;
       inherit adminsGroup;
+      isTokenNeeded = true;
+
       subdomain = cfg.subdomain;
       originLanding = "https://${cfg.subdomain}.${sp.domain}/";
       originUrl = oauthRedirectURL;