dovwiefiwuef'

config-paths-needed.json

@@ -1,8 +1,9 @@
 [
   [ "selfprivacy", "domain" ],
+  [ "selfprivacy", "username" ],
   [ "selfprivacy", "modules", "auth", "enable" ],
   [ "selfprivacy", "modules", "mastodon" ],
-  [ "selfprivacy", "passthru", "auth", "mkOAuth2ClientSecretFP" ],
+  [ "selfprivacy", "passthru", "auth" ],
   [ "selfprivacy", "passthru", "auth", "oauth2-discovery-url" ],
   [ "selfprivacy", "passthru", "auth", "oauth2-provider-name" ],
   [ "selfprivacy", "sso", "enable" ],
@@ -11,6 +12,8 @@
   [ "services", "mastodon", "package" ],
   [ "services", "mastodon", "user" ],
   [ "services", "mastodon", "group" ],
+  [ "services", "mastodon", "database" ],
   [ "services", "postfix", "user" ],
-  [ "services", "postfix", "group" ]
+  [ "services", "postfix", "group" ],
+  [ "services", "kanidm", "serverSettings", "origin" ]
 ]

flake.nix

@@ -1,6 +1,5 @@
 {
   # TODO: check whether there is no TODOs
-  # TODO: check whether there is no hedgegdoc mentions
   description = "Mastodon module";
 
   outputs = { ... }:
@@ -35,6 +34,7 @@
           supportLevel = "normal";
           sso = {
             userGroup = "sp.mastodon.users";
+            adminsGroup = "sp.mastodon.admins";
           };
         };
     };

mastodon-kanidm-sync.py

@@ -0,0 +1,148 @@
+import os
+import json
+import time
+import requests
+import psycopg2 as ps
+
+def read_file(path):
+    with open(path, "r", encoding="utf-8") as f:
+        return f.read()
+
+def getenv(name):
+    try:
+        return os.environ[name]
+    except KeyError:
+        print(f"[ERROR] Missing environment variable {name}. You should NOT run this script by hand, please use systemd mastodon-kanidm-sync.service.")
+        exit(1)
+
+# Import configuration
+KANIDM_URL = getenv("KANIDM_URL")
+KANIDM_TOKEN = read_file(getenv("KANIDM_TOKEN_PATH")).strip()
+OWNER_USERNAME = getenv("OWNER_USERNAME")
+SLEEP_TIME = int(getenv("SLEEP_TIME"))
+
+def sync_mastodon():
+    # Fetch kanidm users list from userdata file
+    # Userdata file is json list with information about what users are configured by kanidm
+    try:
+        USERDATA = read_file(getenv("USERDATA_FILE_PATH")).strip()
+        userdata = json.loads(USERDATA)
+        print("[INFO] ")
+    except FileNotFoundError:
+        userdata = []
+
+    # Load database
+    conn = ps.connect(
+        dbname=getenv("POSTGRES_DBNAME"),
+        user=getenv("POSTGRES_USER"),
+        host=getenv("POSTGRES_HOST")
+    )
+
+    # Fetch current userdata from database
+    cur = conn.cursor()
+    cur.execute('''
+        SELECT identities.uid, users.id, user_roles.name
+        FROM users
+        JOIN identities
+          ON users.id = identities.id
+        LEFT JOIN user_roles
+          ON users.role_id = user_roles.id;
+        '''
+    )
+
+    state = cur.fetchall()
+
+    users = {}
+    for i in state:
+        users[i[0]] = {
+            "id": i[1],
+            "role": i[2],
+            "isKanidmUser": False
+        }
+
+    # Fetch Kanidm userdata
+    kanidm_users_raw = requests.get(
+        f"{KANIDM_URL}/v1/person",
+        headers={
+            "Authorization": f"Bearer {KANIDM_TOKEN}",
+            "Content-Type": "application/json",
+        },
+        timeout=5,
+    ).json()
+
+    def give_role(uid, role, putUserdata = True):
+        if (uid not in userdata) and (putUserdata):
+            userdata.append(uid)
+        users[uid]["isKanidmUser"] = True
+        users[uid]["role"] = role
+        print(f"[INFO] {uid} is marked as {role}")
+        
+
+    for i in kanidm_users_raw:
+        i = i["attrs"]
+        for uid in i["name"]: # [user].attrs.name is a list
+          if uid in users: # Don't apply anything for users who have no mastodon access (sp.mastodon.users) or didn't register
+            if uid == OWNER_USERNAME:
+                give_role(uid, "Owner", False)
+                continue
+
+            for group in i["memberof"]:
+              if group.startswith("sp.mastodon.admins@") or group.startswith("sp.admins@"):
+                give_role(uid, "Admin")
+                break
+
+              elif group.startswith("sp.mastodon.moderators@"):
+                give_role(uid, "Moderator")
+                break
+
+              elif uid in userdata:
+                # If user, who previously had a role, has no roles set by Kanidm, delete them from userdata list so allow setting roles directly by mastodon
+                give_role(uid, None, False)
+                userdata.remove(uid)
+
+    print("[DEBUG]", users)
+
+    # Fetch RoleIDs
+    cur = conn.cursor()
+    cur.execute("SELECT id, name FROM user_roles;")
+
+    roles_raw = cur.fetchall()
+    roles = {}
+    for i in roles_raw:
+        roles[i[1]] = i[0]
+
+    # Give roles
+    for uid in users:
+        if not users[uid]["isKanidmUser"]:
+            continue
+        
+        if users[uid]["role"]:
+            rolename = users[uid]["role"]
+            roleid = roles[rolename]
+        else:
+            roleid = "NULL"
+
+        sqlcommand = f"UPDATE users SET role_id = {roleid} WHERE id = {users[uid]["id"]};"
+        print("[DEBUG] SQL:", sqlcommand)
+        cur.execute(sqlcommand)
+
+    conn.commit()
+    cur.close()
+    conn.close()
+
+    print("[INFO] Final userdata.json file content: ", userdata)
+
+    def write_userdata(mode):
+        with open(getenv("USERDATA_FILE_PATH"), mode) as f:
+            f.write(json.dumps(userdata))
+            f.close()
+
+    try:
+        write_userdata("w")
+    except FileNotFoundError:
+        print("[INFO] userdata.json file doesn't exist. Creating it")
+        write_userdata("x")
+
+while True:
+    sync_mastodon()
+    time.sleep(SLEEP_TIME)

module.nix

@@ -11,15 +11,19 @@ let
   auth-passthru = config.selfprivacy.passthru.auth;
   oauthDiscoveryURL = auth-passthru.oauth2-discovery-url oauthClientID;
   issuer = lib.strings.removeSuffix "/.well-known/openid-configuration" oauthDiscoveryURL;
+  oauthRedirectURL = "https://${cfg.subdomain}.${sp.domain}/auth/auth/openid_connect/callback";
 
   usersGroup = "sp.mastodon.users";
   adminsGroup = "sp.mastodon.admins";
 
   oauthClientSecretFP = auth-passthru.mkOAuth2ClientSecretFP oauthClientID;
-  oauthRedirectURL = "https://${cfg.subdomain}.${sp.domain}/auth/auth/openid_connect/callback";
+  serviceAccountFP = auth-passthru.mkServiceAccountTokenFP "mastodon";
 
-  # emailPassword = pkgs.runCommand "genpassword" {} "echo `head -c 32 /dev/urandom | base64 | sed 's/[+=\\/A-Z]//g'` > $out";
+  secrets = rec {
-  # emailPasswordHash = pkgs.runCommand "genpassword" {} "echo `head -c 32 /dev/urandom | base64 | sed 's/[+=\\/A-Z]//g'` > $out";
+    dir = "/run/keys/mastodon";
+    hashedPasswordFile = "${dir}/hashed_email_password";
+    passwordFile = "${dir}/email_password";
+  };
 in
 {
   options.selfprivacy.modules.mastodon = {
@@ -48,7 +52,7 @@ in
       (lib.mkOption {
         default = "mastodon";
         type = lib.types.strMatching "[A-Za-z0-9][A-Za-z0-9\-]{0,61}[A-Za-z0-9]";
-        description = "Subdomain";
+        description = "Subdomain (changing subdomain after setting up will cause breakage of the server!)";
       })
       // {
         meta = {
@@ -58,6 +62,19 @@ in
           weight = 0;
         };
       };
+
+    dissallowUnauthenticatedAPI =
+      (lib.mkOption {
+        default = true;
+        type = lib.types.bool;
+        description = "Allow unauthenticated API access";
+      })
+      // {
+        meta = {
+          type = "bool";
+          weight = 1;
+        };
+      };
   };
 
   config = lib.mkIf cfg.enable {
@@ -68,71 +85,110 @@ in
       };
     };
 
-    # services.postgresql = {
-    #   ensureDatabases = [ "mastodon" ];
-    #   ensureUsers = [
-    #     {
-    #       name = "mastodon";
-    #       ensureDBOwnership = true;
-    #     }
-    #   ];
-    # };
-
     services.mastodon = {
       enable = true;
       localDomain = "${cfg.subdomain}.${sp.domain}";
       enableUnixSocket = false;
       configureNginx = true;
       database.createLocally = true;
-      streamingProcesses = 3;
+      streamingProcesses = 2;
 
       smtp = {
         createLocally = false;
-        user = "noreply.mastodon@${sp.domain}";
+
         fromAddress = "noreply.mastodon@${sp.domain}";
-        passwordFile = "/run/keys/mastodon/email_password";
+        user = "noreply.mastodon";
+        passwordFile = secrets.passwordFile;
         authenticate = true;
+
+        host = "hollowness.top";
+        port = 465;
+      };
+      extraConfig = {
+        "SMTP_ENABLE_STARTTLS_AUTO" = "true"; # Simple NixOS MailServer doesn't allow connections without SSL
+        "SMTP_ENABLE_STARTTLS" = "always";
+        "SMTP_TLS" = "true";
+        "SMTP_SSL" = "true";
+
+        "DISALLOW_UNAUTHENTICATED_API_ACCESS" = lib.boolToString cfg.dissallowUnauthenticatedAPI;
       };
     };
 
-    # mailserver.loginAccounts."noreply.mastodon@${sp.domain}" = {
+    selfprivacy.emails."noreplymastodon" = {
-      # hashedPasswordFile = "/run/keys/mastodon/email_password";
+      hashedPasswordFile = secrets.hashedPasswordFile;
-      # sendOnly = true;
+      systemdTargets = [ "mastodon-email-password-setup.service" ];
-    # };
+      sendOnly = true;
-
+    };
-    services.postfix.config.virtual_mailbox_maps = [ "hash:/run/postfix/mastodon.cf" ];
 
     systemd = {
       services.mastodon-email-password-setup = {
         enable = true;
         wantedBy = [ "multi-user.target" "mastodon-web.service" "postfix.service" ];
         serviceConfig = {
+          Slice = "mastodon.slice";
           Type = "oneshot";
           ExecStart = pkgs.writeShellScript "gen-mastodon-email-password" ''
             export password=$(head -c 32 /dev/urandom | base64 | sed 's/[+=\\/A-Z]//g')
+            mkdir ${secrets.dir} || true # Create ${secrets.dir} if it doesn't exist
 
-            rm -f /run/keys/mastodon/email_password || true
+            rm -f ${secrets.passwordFile} || true
-            mkdir /run/keys/mastodon/ || true # Create /run/keys/mastodon if it doesn't exist
+            echo "$password" > ${secrets.passwordFile}
-            echo $password > /run/keys/mastodon/email_password
+            chmod 400 ${secrets.passwordFile}
-            chmod 400 /run/keys/mastodon/email_password
+            chown ${config.services.mastodon.user}:${config.services.mastodon.group} ${secrets.passwordFile}
-            chown ${config.services.mastodon.user}:${config.services.mastodon.group} /run/keys/mastodon/email_password
 
-            rm -f /run/postfix/mastodon.cf || true
+            export hashedPassword=$(${lib.getExe pkgs.mkpasswd} -sm bcrypt "$password")
-            mkdir /run/postfix/ || true # Create /run/postfix if it doesn't exist
+
-            export hashedPassword=$(mkpasswd -sm bcrypt "$password")
+            rm -f ${secrets.hashedPasswordFile} || true
-            echo "noreply.mastodon@${sp.domain}: $hashedPassword" > /run/postfix/mastodon.cf
+            echo "$hashedPassword" > ${secrets.hashedPasswordFile}
-            chmod 440 /run/postfix/mastodon.cf
+            chmod 440 ${secrets.hashedPasswordFile}
-            chown ${config.services.postfix.user}:${config.services.postfix.group} /run/postfix/mastodon.cf
+            chown ${config.services.postfix.user}:${config.services.postfix.group} ${secrets.hashedPasswordFile}
           '';
         };
       };
 
+      services.mastodon-kanidm-sync = {
+        after = [
+          "postgresql.service"
+          "kanidm.service"
+        ];
+        requires = [
+          "kanidm.service"
+          "postgresql.service"
+        ];
+        wantedBy = [ "multi-user.target" ];
+        environment = let db = config.services.mastodon.database;
+        in {
+          KANIDM_URL = config.services.kanidm.serverSettings.origin;
+          KANIDM_TOKEN_PATH = serviceAccountFP;
+          POSTGRES_DBNAME = db.name;
+          POSTGRES_USER = db.user;
+          POSTGRES_HOST = db.host;
+          USERDATA_FILE_PATH = "/var/lib/mastodon/.userdata.json";
+          OWNER_USERNAME = sp.username;
+          SLEEP_TIME = "30";
+        };
+        serviceConfig = {
+          Slice = "mastodon.slice";
+          User = "mastodon";
+          Group = "mastodon";
+          LoadCredential = [ "kanidm-token:${serviceAccountFP}" ];
+          ExecStart = pkgs.writers.writePython3 "mas-kanidm-sync" {
+            doCheck = false;
+            libraries = with pkgs.python3Packages; [
+              requests
+              psycopg2
+            ];
+          } (builtins.readFile ./mastodon-kanidm-sync.py);
+        };
+      };
+
       services.mastodon-web = {
         unitConfig.RequiresMountsFor = lib.mkIf sp.useBinds "/volumes/${cfg.location}/mastodon";
         serviceConfig = {
-          loadCredentials = ["client-secret:${oauthClientSecretFP}"];
+          Slice = "mastodon.slice";
+          LoadCredential = ["client-secret:${oauthClientSecretFP}"];
           ExecStart = lib.mkForce (pkgs.writeShellScript "run-mastodon-with-client-secret" ''
-            export CLIENT_SECRET=$(cat $CREDENTIALS_DIRECTORY/client-secret)
+            export OIDC_CLIENT_SECRET=$(cat $CREDENTIALS_DIRECTORY/client-secret)
             ${config.services.mastodon.package}/bin/puma -C config/puma.rb
           '');
         };
@@ -141,26 +197,30 @@ in
           OIDC_DISPLAY_NAME= "Kanidm";
           OIDC_ISSUER = issuer;
           OIDC_DISCOVERY = "true";
-          OIDC_SCOPE = "openid,profile";
+          OIDC_SCOPE = "openid,profile,email";
-          OIDC_UID_FIELD = "sub";
+          OIDC_UID_FIELD = "preferred_username";
           OIDC_CLIENT_ID = oauthClientID;
           OIDC_REDIRECT_URI = oauthRedirectURL;
-        };        
+          OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED = "false";
+        };
       };
       slices.mastodon = {
         description = "Mastodon service slice";
       };
     };
 
+    services.kanidm.provision.groups."sp.mastodon.moderators" = {};
     selfprivacy.auth.clients.${oauthClientID} = {
       inherit usersGroup;
       inherit adminsGroup;
+      isTokenNeeded = true;
+
       subdomain = cfg.subdomain;
       originLanding = "https://${cfg.subdomain}.${sp.domain}/";
       originUrl = oauthRedirectURL;
       clientSystemdUnits = [ "mastodon.service" ];
-      # enablePkce = true;
       enablePkce = false;
+      useShortPreferredUsername = true;
       linuxUserOfClient = "mastodon";
       linuxGroupOfClient = "mastodon";
     };