fix: kanidm strict redirect uri

update template flake
chore: update nextcloud
2024-11-11 17:24:26 +01:00 · 2024-11-11 17:24:14 +01:00 · 2024-11-11 14:25:00 +01:00
6 changed files with 111 additions and 58 deletions
--- a/config/services/kanidm.nix
+++ b/config/services/kanidm.nix
@ -83,7 +83,7 @@ in
      };
      systems.oauth2.paperless = {
        displayName = "paperless";
-        originUrl = "https://ppl.${config.secrets.secrets.global.domains.web}/";
+        originUrl = "https://ppl.${config.secrets.secrets.global.domains.web}/accounts/oidc/kanidm/login/callback/";
        originLanding = "https://ppl.${config.secrets.secrets.global.domains.web}/";
        basicSecretFile = config.age.secrets.oauth2-paperless.path;
        scopeMaps."paperless.access" = [
@ -124,7 +124,7 @@ in
      };
      systems.oauth2.immich = {
        displayName = "Immich";
-        originUrl = "https://immich.${config.secrets.secrets.global.domains.web}/";
+        originUrl = "https://immich.${config.secrets.secrets.global.domains.web}/auth/login";
        originLanding = "https://immich.${config.secrets.secrets.global.domains.web}/";
        basicSecretFile = config.age.secrets.oauth2-immich.path;
        allowInsecureClientDisablePkce = true;
@ -146,7 +146,7 @@ in

      systems.oauth2.oauth2-proxy = {
        displayName = "Oauth2-Proxy";
-        originUrl = "https://oauth2.${config.secrets.secrets.global.domains.web}/";
+        originUrl = "https://oauth2.${config.secrets.secrets.global.domains.web}/oauth2/callback";
        originLanding = "https://oauth2.${config.secrets.secrets.global.domains.web}/";
        basicSecretFile = config.age.secrets.oauth2-proxy.path;
        scopeMaps."adguardhome.access" = [
@ -199,7 +199,7 @@ in
      };
      systems.oauth2.forgejo = {
        displayName = "Forgejo";
-        originUrl = "https://forge.${config.secrets.secrets.global.domains.web}/";
+        originUrl = "https://forge.${config.secrets.secrets.global.domains.web}/user/oauth2/kanidm/callback";
        originLanding = "https://forge.${config.secrets.secrets.global.domains.web}/";
        basicSecretFile = config.age.secrets.oauth2-forgejo.path;
        scopeMaps."forgejo.access" = [
--- a/config/services/nextcloud.nix
+++ b/config/services/nextcloud.nix
@ -52,7 +52,7 @@ in
  services.nextcloud = {
    inherit hostName;
    enable = true;
-    package = pkgs.nextcloud28;
+    package = pkgs.nextcloud30;
    configureRedis = true;
    config.adminpassFile = config.age.secrets.ncpasswd.path; # Kinda ok just remember to instanly change after first setup
    config.adminuser = "admin";
@ -62,7 +62,6 @@ in
        calendar
        tasks
        notes
-        maps
        phonetrack
        user_oidc
        ;
--- a/flake.lock
+++ b/flake.lock
@ -28,9 +28,7 @@
    "agenix-rekey": {
      "inputs": {
        "devshell": "devshell",
-        "flake-utils": [
-          "flake-utils"
-        ],
+        "flake-utils": "flake-utils",
        "nixpkgs": [
          "nixpkgs"
        ],
@ -261,7 +259,7 @@
          "nixos-extra-modules",
          "nixpkgs"
        ],
-        "systems": "systems_5"
+        "systems": "systems_7"
      },
      "locked": {
        "lastModified": 1701787589,
@ -543,9 +541,7 @@
    },
    "flake-utils": {
      "inputs": {
-        "systems": [
-          "systems"
-        ]
+        "systems": "systems_3"
      },
      "locked": {
        "lastModified": 1726560853,
@ -563,7 +559,7 @@
    },
    "flake-utils_2": {
      "inputs": {
-        "systems": "systems_3"
+        "systems": "systems_4"
      },
      "locked": {
        "lastModified": 1681202837,
@ -581,7 +577,7 @@
    },
    "flake-utils_3": {
      "inputs": {
-        "systems": "systems_4"
+        "systems": "systems_5"
      },
      "locked": {
        "lastModified": 1726560853,
@ -601,24 +597,6 @@
      "inputs": {
        "systems": "systems_6"
      },
-      "locked": {
-        "lastModified": 1701680307,
-        "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
-        "type": "github"
-      },
-      "original": {
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "type": "github"
-      }
-    },
-    "flake-utils_5": {
-      "inputs": {
-        "systems": "systems_7"
-      },
      "locked": {
        "lastModified": 1726560853,
        "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
@ -633,10 +611,28 @@
        "type": "github"
      }
    },
-    "flake-utils_6": {
+    "flake-utils_5": {
      "inputs": {
        "systems": "systems_8"
      },
+      "locked": {
+        "lastModified": 1701680307,
+        "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "flake-utils_6": {
+      "inputs": {
+        "systems": "systems_9"
+      },
      "locked": {
        "lastModified": 1726560853,
        "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
@ -652,6 +648,24 @@
      }
    },
    "flake-utils_7": {
+      "inputs": {
+        "systems": "systems_10"
+      },
+      "locked": {
+        "lastModified": 1726560853,
+        "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "flake-utils_8": {
      "inputs": {
        "systems": [
          "stylix",
@ -1000,7 +1014,7 @@
    },
    "lib-aggregate": {
      "inputs": {
-        "flake-utils": "flake-utils_5",
+        "flake-utils": "flake-utils_6",
        "nixpkgs-lib": "nixpkgs-lib_2"
      },
      "locked": {
@ -1032,9 +1046,7 @@
    },
    "microvm": {
      "inputs": {
-        "flake-utils": [
-          "flake-utils"
-        ],
+        "flake-utils": "flake-utils_3",
        "nixpkgs": [
          "nixpkgs"
        ],
@ -1141,7 +1153,7 @@
    "nix-topology": {
      "inputs": {
        "devshell": "devshell_3",
-        "flake-utils": "flake-utils_3",
+        "flake-utils": "flake-utils_4",
        "nixpkgs": "nixpkgs",
        "pre-commit-hooks": "pre-commit-hooks_2"
      },
@ -1177,7 +1189,7 @@
    "nixos-extra-modules": {
      "inputs": {
        "devshell": "devshell_4",
-        "flake-utils": "flake-utils_4",
+        "flake-utils": "flake-utils_5",
        "lib-net": "lib-net",
        "nixpkgs": [
          "nixpkgs"
@ -1479,7 +1491,7 @@
    },
    "nuschtosSearch": {
      "inputs": {
-        "flake-utils": "flake-utils_6",
+        "flake-utils": "flake-utils_7",
        "ixx": "ixx",
        "nixpkgs": [
          "nixvim",
@ -1644,7 +1656,6 @@
        "devshell": "devshell_2",
        "disko": "disko",
        "flake-parts": "flake-parts",
-        "flake-utils": "flake-utils",
        "home-manager": "home-manager",
        "impermanence": "impermanence",
        "lanzaboote": "lanzaboote",
@ -1662,7 +1673,7 @@
        "pre-commit-hooks": "pre-commit-hooks_4",
        "spicetify-nix": "spicetify-nix",
        "stylix": "stylix",
-        "systems": "systems_10",
+        "systems": "systems_12",
        "templates": "templates"
      }
    },
@ -1735,11 +1746,11 @@
        "base16-helix": "base16-helix",
        "base16-vim": "base16-vim",
        "flake-compat": "flake-compat_9",
-        "flake-utils": "flake-utils_7",
+        "flake-utils": "flake-utils_8",
        "gnome-shell": "gnome-shell",
        "home-manager": "home-manager_3",
        "nixpkgs": "nixpkgs_4",
-        "systems": "systems_9",
+        "systems": "systems_11",
        "tinted-foot": "tinted-foot",
        "tinted-kitty": "tinted-kitty",
        "tinted-tmux": "tinted-tmux"
@ -1789,6 +1800,36 @@
        "type": "github"
      }
    },
+    "systems_11": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
+    "systems_12": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
    "systems_2": {
      "locked": {
        "lastModified": 1681028828,
@ -1911,11 +1952,11 @@
    },
    "templates": {
      "locked": {
-        "lastModified": 1714155401,
-        "narHash": "sha256-8TjVrDOGIsq7Oc7Slh+GR7PSzdGcbVr1ZDrN/2hB1Xg=",
+        "lastModified": 1731342153,
+        "narHash": "sha256-AzxI/lvVJcdoGouGxX7xr1y+u9tPrtSprI1UwdgV00g=",
        "ref": "refs/heads/main",
-        "rev": "50d70e8c4197adaea6d71edb7c6ee657e230d98c",
-        "revCount": 12,
+        "rev": "675917283e8cd12207a42cc2009ed591f98dc469",
+        "revCount": 15,
        "type": "git",
        "url": "https://forge.lel.lol/patrick/nix-templates.git"
      },
--- a/flake.nix
+++ b/flake.nix
@ -5,7 +5,6 @@
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";

    nixpkgs-octoprint.url = "github:patrickdag/nixpkgs/octoprint-update";
-
    nixpkgs-wayland = {
      url = "github:nix-community/nixpkgs-wayland";
      inputs.nixpkgs.follows = "nixpkgs";
@ -18,7 +17,6 @@
    microvm = {
      url = "github:astro/microvm.nix";
      inputs.nixpkgs.follows = "nixpkgs";
-      inputs.flake-utils.follows = "flake-utils";
    };

    # to prevent multiple instances of systems
@ -52,12 +50,6 @@
    agenix-rekey = {
      url = "github:oddlama/agenix-rekey";
      inputs.nixpkgs.follows = "nixpkgs";
-      inputs.flake-utils.follows = "flake-utils";
-    };
-
-    flake-utils = {
-      url = "github:numtide/flake-utils";
-      inputs.systems.follows = "systems";
    };

    pre-commit-hooks = {
--- a/patches/PR/355216.diff
+++ b/patches/PR/355216.diff
@ -0,0 +1,21 @@
+diff --git a/nixos/modules/services/security/kanidm.nix b/nixos/modules/services/security/kanidm.nix
+index a368b6eee2a6e..96f6e23740c80 100644
+--- a/nixos/modules/services/security/kanidm.nix
+++ b/nixos/modules/services/security/kanidm.nix
+@@ -502,13 +502,13 @@ in
+               };
+ 
+               originUrl = mkOption {
+-                description = "The origin URL of the service. OAuth2 redirects will only be allowed to sites under this origin. Must end with a slash.";
+                description = "The origin URL of the service. OAuth2 redirects will only need to either exactly match or match this origin depending on wether strict-redirect is enabled.";
+                 type =
+                   let
+-                    originStrType = types.strMatching ".*://.*/$";
+                    originStrType = types.strMatching ".*://.*$";
+                   in
+                   types.either originStrType (types.nonEmptyListOf originStrType);
+-                example = "https://someservice.example.com/";
+                example = "https://someservice.example.com/auth/login";
+               };
+ 
+               originLanding = mkOption {
--- a/pkgs/scripts/fetch-prs.sh
+++ b/pkgs/scripts/fetch-prs.sh
@ -1,5 +1,5 @@
 # dependencies: wcurl
-PRS=("354038")
+PRS=("354038" "355216")

 if [ ! -f flake.nix ]; then
 	echo "Not in a flake top level"
Author	SHA1	Message	Date
Patrick	6322469cd2	fix: kanidm strict redirect uri	2024-11-11 17:24:26 +01:00
Patrick	4cb6de6563	update template flake	2024-11-11 17:24:14 +01:00
Patrick	bee39dff7d	chore: update nextcloud	2024-11-11 14:25:00 +01:00