diff --git a/config/services/kanidm.nix b/config/services/kanidm.nix
index bec6464..a6d50a2 100644
--- a/config/services/kanidm.nix
+++ b/config/services/kanidm.nix
@@ -83,7 +83,7 @@ in
 };
 systems.oauth2.paperless = {
 displayName = "paperless";
- originUrl = "https://ppl.${config.secrets.secrets.global.domains.web}/";
+ originUrl = "https://ppl.${config.secrets.secrets.global.domains.web}/accounts/oidc/kanidm/login/callback/";
 originLanding = "https://ppl.${config.secrets.secrets.global.domains.web}/";
 basicSecretFile = config.age.secrets.oauth2-paperless.path;
 scopeMaps."paperless.access" = [
@@ -124,7 +124,7 @@ in
 };
 systems.oauth2.immich = {
 displayName = "Immich";
- originUrl = "https://immich.${config.secrets.secrets.global.domains.web}/";
+ originUrl = "https://immich.${config.secrets.secrets.global.domains.web}/auth/login";
 originLanding = "https://immich.${config.secrets.secrets.global.domains.web}/";
 basicSecretFile = config.age.secrets.oauth2-immich.path;
 allowInsecureClientDisablePkce = true;
@@ -146,7 +146,7 @@ in
 
 systems.oauth2.oauth2-proxy = {
 displayName = "Oauth2-Proxy";
- originUrl = "https://oauth2.${config.secrets.secrets.global.domains.web}/";
+ originUrl = "https://oauth2.${config.secrets.secrets.global.domains.web}/oauth2/callback";
 originLanding = "https://oauth2.${config.secrets.secrets.global.domains.web}/";
 basicSecretFile = config.age.secrets.oauth2-proxy.path;
 scopeMaps."adguardhome.access" = [
@@ -199,7 +199,7 @@ in
 };
 systems.oauth2.forgejo = {
 displayName = "Forgejo";
- originUrl = "https://forge.${config.secrets.secrets.global.domains.web}/";
+ originUrl = "https://forge.${config.secrets.secrets.global.domains.web}/user/oauth2/kanidm/callback";
 originLanding = "https://forge.${config.secrets.secrets.global.domains.web}/";
 basicSecretFile = config.age.secrets.oauth2-forgejo.path;
 scopeMaps."forgejo.access" = [
diff --git a/patches/PR/355216.diff b/patches/PR/355216.diff
new file mode 100644
index 0000000..8a75a60
--- /dev/null
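Review bot: The tightening on the paperless `originUrl` line only takes effect if kanidm is enforcing strict redirect URIs for this client; in the non-strict mode described by the vendored module patch, kanidm matches on origin (scheme, host, port) and the appended `/accounts/oidc/kanidm/login/callback/` path is ignored, so this is not yet an exact-match allow-list. The patched module in patches/PR/355216.diff relaxes the option's type check but does not show any strict-redirect toggle, so the mode should be confirmed on the running server before relying on this as hardening. I would add above the line: `# Exact callback URI; only meaningful when strict redirect-URI enforcement is on for this kanidm client`. The enclosing `systems.oauth2.paperless` attribute set continues past the hunk.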
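Review bot: The immich client keeps `allowInsecureClientDisablePkce = true;` three lines below the changed `originUrl`, so an exactly matched redirect URI is the main remaining protection against authorization-code interception for this client — if the new `/auth/login` path is meant as hardening, strict redirect-URI matching must actually be enabled for it, otherwise the suffix buys nothing. Since `originUrl` accepts a list under the patched module type, any other redirect target the Immich mobile app uses would have to be listed once exact matching is on; I cannot tell from the hunk whether mobile login is in use. A comment such as `# PKCE is disabled for this client: redirect URI must be exact; list the mobile-app callback here if used` would record the trade-off. The attribute set continues beyond the hunk.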
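Review bot: All four `originUrl` values in this file now carry a path and no longer match the unpatched module's `.*://.*/$` type, so evaluation of this config silently depends on patches/PR/355216.diff being applied through fetch-prs.sh, and nothing in the file records that. A comment at the first such site, e.g. `# originUrl with a path requires the kanidm module patch in patches/PR/355216.diff (nixpkgs PR 355216); drop once merged upstream`, would save the next person a confusing type error when the patch is removed. The `systems.oauth2.oauth2-proxy` attribute set continues past the hunk.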
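Review bot: The forgejo callback `/user/oauth2/kanidm/callback` embeds the Forgejo authentication-source name `kanidm`, which is configured outside this file; if that source is named differently, exact redirect matching will reject every login at runtime rather than failing at evaluation. A comment tying the two together, `# path segment must equal the OAuth2 auth source name configured in Forgejo`, makes the coupling visible. This value has no trailing slash while the paperless one does — each should mirror the redirect_uri the application really sends, so the inconsistency is expected, but it is worth confirming against a real login before strict matching is switched on. The attribute set continues past the hunk.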
+++ b/patches/PR/355216.diff
@@ -0,0 +1,21 @@
+diff --git a/nixos/modules/services/security/kanidm.nix b/nixos/modules/services/security/kanidm.nix
+index a368b6eee2a6e..96f6e23740c80 100644
+--- a/nixos/modules/services/security/kanidm.nix
++++ b/nixos/modules/services/security/kanidm.nix
+@@ -502,13 +502,13 @@ in
+ };
+
+ originUrl = mkOption {
+- description = "The origin URL of the service. OAuth2 redirects will only be allowed to sites under this origin. Must end with a slash.";
++ description = "The origin URL of the service. OAuth2 redirects will only need to either exactly match or match this origin depending on wether strict-redirect is enabled.";
+ type =
+ let
+- originStrType = types.strMatching ".*://.*/$";
++ originStrType = types.strMatching ".*://.*$";
+ in
+ types.either originStrType (types.nonEmptyListOf originStrType);
+- example = "https://someservice.example.com/";
++ example = "https://someservice.example.com/auth/login";
+ };
+
+ originLanding = mkOption {
diff --git a/pkgs/scripts/fetch-prs.sh b/pkgs/scripts/fetch-prs.sh
index 99a2cb7..6abadfd 100755
--- a/pkgs/scripts/fetch-prs.sh
+++ b/pkgs/scripts/fetch-prs.sh
@@ -1,5 +1,5 @@
 # dependencies: wcurl
-PRS=("354038")
+PRS=("354038" "355216")
 if [ ! -f flake.nix ]; then
 echo "Not in a flake top level"