chore: add locales to firefly

config/services/firefly.nix

@@ -4,6 +4,7 @@
   lib,
   ...
 }: {
+  i18n.supportedLocales = ["all"];
   wireguard.elisabeth = {
     client.via = "elisabeth";
     firewallRuleForNode.elisabeth.allowedTCPPorts = [80];
@@ -26,6 +27,9 @@
       TRUSTED_PROXIES = nodes.elisabeth.config.wireguard.elisabeth.ipv4;
       SITE_OWNER = "firefly-admin@${config.secrets.secrets.global.domains.mail_public}";
       APP_KEY_FILE = config.age.secrets.appKey.path;
+      AUTHENTICATION_GUARD = "remote_user_guard";
+      AUTHENTICATION_GUARD_HEADER = "X-User";
+      AUTHENTICATION_GUARD_EMAIL = "X-Email";
     };
   };
 

config/services/kanidm.nix

@@ -88,9 +88,6 @@ in {
         preferShortUsername = true;
       };
 
-      groups."rss.access" = {};
-      groups."oauth2-proxy.access" = {};
-
       groups."nextcloud.access" = {
         members = ["nextcloud.admins"];
       };
@@ -122,7 +119,25 @@ in {
         scopeMaps."immich.access" = ["openid" "email" "profile"];
         preferShortUsername = true;
       };
-      groups."netbird.access" = {
+
+      groups."rss.access" = {};
+      groups."firefly.access" = {};
+      groups."adguardhome.access" = {
+      };
+      systems.oauth2.oauth2-proxy = {
+        displayName = "Oauth2-Proxy";
+        originUrl = "https://oauth2.${config.secrets.secrets.global.domains.web}/";
+        basicSecretFile = config.age.secrets.oauth2-proxy.path;
+        scopeMaps."adguardhome.access" = ["openid" "email" "profile"];
+        scopeMaps."rss.access" = ["openid" "email" "profile"];
+        scopeMaps."firefly.access" = ["openid" "email" "profile"];
+        preferShortUsername = true;
+        claimMaps.groups = {
+          joinType = "array";
+          valuesByGroup."adguardhome.access" = ["adguardhome_access"];
+          valuesByGroup."rss.access" = ["ttrss_access"];
+          valuesByGroup."firefly.access" = ["firefly_access"];
+        };
       };
 
       groups."forgejo.access" = {
@@ -131,23 +146,6 @@ in {
       groups."forgejo.admins" = {
         members = ["administrator"];
       };
-
-      systems.oauth2.oauth2-proxy = {
-        displayName = "Oauth2-Proxy";
-        originUrl = "https://oauth2.${config.secrets.secrets.global.domains.web}/";
-        basicSecretFile = config.age.secrets.oauth2-proxy.path;
-        scopeMaps."adguardhome.access" = ["openid" "email" "profile"];
-        scopeMaps."rss.access" = ["openid" "email" "profile"];
-        preferShortUsername = true;
-        claimMaps.groups = {
-          joinType = "array";
-          valuesByGroup."adguardhome.access" = ["adguardhome_access"];
-          valuesByGroup."rss.access" = ["ttrss_access"];
-        };
-      };
-
-      groups."adguardhome.access" = {
-      };
       systems.oauth2.forgejo = {
         displayName = "Forgejo";
         originUrl = "https://forge.${config.secrets.secrets.global.domains.web}/";
@@ -160,6 +158,18 @@ in {
           valuesByGroup."forgejo.admins" = ["admin"];
         };
       };
+
+      groups."netbird.access" = {
+      };
+      systems.oauth2.netbird = {
+        public = true;
+        displayName = "Netbird";
+        originUrl = "https://netbird.${config.secrets.secrets.global.domains.web}/";
+        preferShortUsername = true;
+        enableLocalhostRedirects = true;
+        enableLegacyCrypto = true;
+        scopeMaps."netbird.access" = ["openid" "email" "profile"];
+      };
     };
   };
   systemd.services.kanidm.serviceConfig.RestartSec = "60"; # Retry every minute

hosts/elisabeth/guests.nix

@@ -70,7 +70,7 @@ in {
 
               # pass information via X-User and X-Email headers to backend,
               # requires running with --set-xauthrequest flag
-              auth_request_set $user   $upstream_http_x_auth_request_user;
+              auth_request_set $user   $upstream_http_x_auth_request_preferred_username;
               auth_request_set $email  $upstream_http_x_auth_request_email;
               proxy_set_header X-User  $user;
               proxy_set_header X-Email $email;
@@ -160,7 +160,9 @@ in {
       (blockOf "paperless" {maxBodySize = "5G";})
       (proxyProtect "ttrss" {port = 80;} true)
       (blockOf "yourspotify" {port = 80;})
-      (blockOf "firefly" {port = 80;})
+      ((proxyProtect "firefly" {port = 80;} true)
+        // {
+        })
       (blockOf "apispotify" {
         port = 3000;
         upstream = "yourspotify";

modules/kanidm.nix

@@ -450,6 +450,12 @@ in {
           options = {
             present = mkPresentOption "oauth2 resource server";
 
+            public = mkOption {
+              description = "Whether this is a public client (enforces PKCE, doesn't use a basic secret)";
+              type = types.bool;
+              default = false;
+            };
+
             displayName = mkOption {
               description = "Display name";
               type = types.str;
@@ -479,10 +485,23 @@ in {
               default = null;
             };
 
+            enableLocalhostRedirects = mkOption {
+              description = "Allow localhost redirects. Only for public clients.";
+              type = types.bool;
+              default = false;
+            };
+
+            enableLegacyCrypto = mkOption {
+              description = "Enable legacy crypto on this client. Allows JWT signing algorthms like RS256.";
+              type = types.bool;
+              default = false;
+            };
+
             allowInsecureClientDisablePkce = mkOption {
               description = ''
                 Disable PKCE on this oauth2 resource server to work around insecure clients
                 that may not support it. You should request the client to enable PKCE!
+                Only for non-public clients.
               '';
               type = types.bool;
               default = false;
@@ -681,6 +700,21 @@ in {
               assertion = (cfg.provision.enable && cfg.enableServer) -> any (xs: xs != []) (attrValues claimCfg.valuesByGroup);
               message = "services.kanidm.provision.systems.oauth2.${oauth2}.claimMaps.${claim} does not specify any values for any group";
             }
+            # Public clients cannot define a basic secret
+            {
+              assertion = (cfg.provision.enable && cfg.enableServer && oauth2Cfg.public) -> oauth2Cfg.basicSecretFile == null;
+              message = "services.kanidm.provision.systems.oauth2.${oauth2} is a public client and thus cannot specify a basic secret";
+            }
+            # Public clients cannot disable PKCE
+            {
+              assertion = (cfg.provision.enable && cfg.enableServer && oauth2Cfg.public) -> !oauth2Cfg.allowInsecureClientDisablePkce;
+              message = "services.kanidm.provision.systems.oauth2.${oauth2} is a public client and thus cannot disable PKCE";
+            }
+            # Non-public clients cannot enable localhost redirects
+            {
+              assertion = (cfg.provision.enable && cfg.enableServer && !oauth2Cfg.public) -> !oauth2Cfg.enableLocalhostRedirects;
+              message = "services.kanidm.provision.systems.oauth2.${oauth2} is a non-public client and thus cannot enable localhost redirects";
+            }
           ]))
       ));
 

users/common/programs/nvim/default.nix

@@ -42,7 +42,7 @@
           floating_big_letter = {
             font = "ansi-shadow",
           },
-          selection_chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
+          selection_chars = "EITCAUDJÄÜVF",
           show_prompt = false,
         }
       '';