From 1d571d14865d4fc97cd85290d2505c86b8d8fa73 Mon Sep 17 00:00:00 2001
From: eyjhb
Date: Thu, 29 May 2025 16:22:08 +0200
Subject: [PATCH 1/3] bumped sources

---
 shared/sources/sources.json | 30 +++++++++++++++---------------
 1 file changed, 15 insertions(+), 15 deletions(-)

diff --git a/shared/sources/sources.json b/shared/sources/sources.json
index 1a60706..f4de43b 100644
--- a/shared/sources/sources.json
+++ b/shared/sources/sources.json
@@ -5,10 +5,10 @@
 "homepage": "https://matrix.to/#/#agenix:nixos.org",
 "owner": "ryantm",
 "repo": "agenix",
-"rev": "e600439ec4c273cf11e06fe4d9d906fb98fa097c",
-"sha256": "006ngydiykjgqs85cl19h9klq8kaqm5zs0ng51dnwy7nzgqxzsdr",
+"rev": "4835b1dc898959d8547a871ef484930675cb47f1",
+"sha256": "0ngkhf7qamibhbl9z1dryzscd36y4fz1m1h6fb2z6fylw0b8029p",
 "type": "tarball",
-"url": "https://github.com/ryantm/agenix/archive/e600439ec4c273cf11e06fe4d9d906fb98fa097c.tar.gz",
+"url": "https://github.com/ryantm/agenix/archive/4835b1dc898959d8547a871ef484930675cb47f1.tar.gz",
 "url_template": "https://github.com///archive/.tar.gz"
 },
 "disko": {
@@ -17,10 +17,10 @@
 "homepage": "",
 "owner": "nix-community",
 "repo": "disko",
-"rev": "51d33bbb7f1e74ba5f9d9a77357735149da99081",
-"sha256": "0fg2ym4kc1pcayfg4jka742512r8nackwl8w1syxvg82yasixnjc",
+"rev": "a894f2811e1ee8d10c50560551e50d6ab3c392ba",
+"sha256": "06gbwfkzm73xrf2brnlvg0g6dbjjry7xqmaar320dqwclq44jf83",
 "type": "tarball",
-"url": "https://github.com/nix-community/disko/archive/51d33bbb7f1e74ba5f9d9a77357735149da99081.tar.gz",
+"url": "https://github.com/nix-community/disko/archive/a894f2811e1ee8d10c50560551e50d6ab3c392ba.tar.gz",
 "url_template": "https://github.com///archive/.tar.gz"
 },
 "drasl": {
@@ -36,10 +36,10 @@
 "homepage": null,
 "owner": "RasmusRendal",
 "repo": "drtvrss",
-"rev": "1234121a3f615d80bc18107768182fb43df0bbac",
-"sha256": "0yxarbbsj4giyszc8pf64d0gy9qsld9skgdxxfgygrgk2wspycnc",
+"rev": "2059220fb3342202091179f5496575ed596eab9e",
+"sha256": "017m02xhm8j2i85jq30dm2z3vnxv74f06b7mqi8wz32j95x5qdal",
 "type": "tarball",
-"url": "https://github.com/RasmusRendal/drtvrss/archive/1234121a3f615d80bc18107768182fb43df0bbac.tar.gz",
+"url": "https://github.com/RasmusRendal/drtvrss/archive/2059220fb3342202091179f5496575ed596eab9e.tar.gz",
 "url_template": "https://github.com///archive/.tar.gz"
 },
 "flake-compat": {
@@ -48,10 +48,10 @@
 "homepage": null,
 "owner": "edolstra",
 "repo": "flake-compat",
-"rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec",
-"sha256": "19d2z6xsvpxm184m41qrpi1bplilwipgnzv9jy17fgw421785q1m",
+"rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
+"sha256": "09m84vsz1py50giyfpx0fpc7a4i0r1xsb54dh0dpdg308lp4p188",
 "type": "tarball",
-"url": "https://github.com/edolstra/flake-compat/archive/ff81ac966bb2cae68946d5ed5fc4994f96d0ffec.tar.gz",
+"url": "https://github.com/edolstra/flake-compat/archive/9100a0f413b0c601e0533d1d94ffd501ce2e7885.tar.gz",
 "url_template": "https://github.com///archive/.tar.gz"
 },
 "impermanence": {
@@ -72,10 +72,10 @@
 "homepage": null,
 "owner": "NixOS",
 "repo": "nixpkgs",
-"rev": "b024ced1aac25639f8ca8fdfc2f8c4fbd66c48ef",
-"sha256": "09dahi81cn02gnzsc8a00n945dxc18656ar0ffx5vgxjj1nhgsvy",
+"rev": "4faa5f5321320e49a78ae7848582f684d64783e9",
+"sha256": "1fcmsax6cs1s6p9apzxg17why08xy47dz226wnb5wwr0aargqlj2",
 "type": "tarball",
-"url": "https://github.com/NixOS/nixpkgs/archive/b024ced1aac25639f8ca8fdfc2f8c4fbd66c48ef.tar.gz",
+"url": "https://github.com/NixOS/nixpkgs/archive/4faa5f5321320e49a78ae7848582f684d64783e9.tar.gz",
 "url_template": "https://github.com///archive/.tar.gz"
 }
 }

From bb68927c6e498036f48e5114fc5715f2b779d747 Mon Sep 17 00:00:00 2001
From: eyjhb
Date: Thu, 29 May 2025 16:22:16 +0200
Subject: [PATCH 2/3] nextcloud: updated oidc_login

---
 machines/gerd/services/nextcloud.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/machines/gerd/services/nextcloud.nix b/machines/gerd/services/nextcloud.nix
index 452f158..cbc0400 100644
--- a/machines/gerd/services/nextcloud.nix
+++ b/machines/gerd/services/nextcloud.nix
@@ -142,10 +142,10 @@ in {
 extraApps = {
 inherit (config.services.nextcloud.package.packages.apps) contacts calendar tasks gpoddersync;
 oidc_login = let
-version = "3.2.0";
+version = "3.2.2";
 # TODO(eyJhb): add to niv
 in pkgs.fetchNextcloudApp {
-sha256 = "sha256-DrbaKENMz2QJfbDKCMrNGEZYpUEvtcsiqw9WnveaPZA=";
+sha256 = "sha256-RLYquOE83xquzv+s38bahOixQ+y4UI6OxP9HfO26faI=";
 url = "https://github.com/pulsejet/nextcloud-oidc-login/releases/download/v${version}/oidc_login.tar.gz";
 license = "agpl3Only";
 };

From 8e5f22a87e54be5d59e583cd65bbdd66311c90ee Mon Sep 17 00:00:00 2001
From: eyjhb
Date: Thu, 29 May 2025 16:22:28 +0200
Subject: [PATCH 3/3] authelia: update stopped providing claims in response

This adds the default claim policy, which can be used to provide the past behaviour for this. Services that require this still needs to be identified.
---
 machines/gerd/services/authelia/authelia.nix | 14 ++++++++++++++
 machines/gerd/services/nextcloud.nix | 1 +
 machines/gerd/services/rallly/default.nix | 1 +
 3 files changed, 16 insertions(+)

diff --git a/machines/gerd/services/authelia/authelia.nix b/machines/gerd/services/authelia/authelia.nix
index 90e3cdb..a1bac9e 100644
--- a/machines/gerd/services/authelia/authelia.nix
+++ b/machines/gerd/services/authelia/authelia.nix
@@ -90,6 +90,20 @@ in {
 user = config.mine.shared.settings.ldap.bind_dn;
 };
 };
+
+# authelia have changed how the by-default handles auth, so in theory everything
+# should contact the `userinfo` endpoint. but not everything does, which leads to us
+# having to create a default policy for this
+# https://github.com/pulsejet/nextcloud-oidc-login/issues/311#issuecomment-2763239352
+identity_providers.oidc.claims_policies.default.id_token = [
+"rat"
+"groups"
+"email"
+"email_verified"
+"alt_emails"
+"preferred_username"
+"name"
+];
 };
 };
diff --git a/machines/gerd/services/nextcloud.nix b/machines/gerd/services/nextcloud.nix
index cbc0400..349c759 100644
--- a/machines/gerd/services/nextcloud.nix
+++ b/machines/gerd/services/nextcloud.nix
@@ -223,6 +223,7 @@ in {
 client_secret = "$pbkdf2-sha512$310000$kLNQ/1A.uasSN4g8q94jUQ$8OKNUNNumHCh8dVG5/QWys7u.y1guqFXlrL.bMm7/HKTsWhpib/W.8qlU6VU7V1Be/h14Y.fJi3RLvbkEdo2kA";
 consent_mode = "implicit";
 redirect_uris = [ "https://${svc_domain}/apps/oidc_login/oidc" ];
+claims_policy = "default";
 scopes = [
 "openid"
 "profile"
diff --git a/machines/gerd/services/rallly/default.nix b/machines/gerd/services/rallly/default.nix
index d6f4710..e58df59 100644
--- a/machines/gerd/services/rallly/default.nix
+++ b/machines/gerd/services/rallly/default.nix
@@ -106,6 +106,7 @@ in {
 client_secret = "$pbkdf2-sha512$310000$KB4UqeuVr86lEOoISSE92w$i2YGpz3wRwceiRfYnMUhZ0MboutkDPPYVWnXqiw6tUt./mgZ5kfV1ES.kcdsHhMdavhCrJfWvVTPQRJKImuUrQ";
 consent_mode = "implicit";
 redirect_uris = [ "https://${svc_domain}/api/auth/callback/oidc" ];
+claims_policy = "default";
 scopes = [
 "openid"
 "email"
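Review bot: The policy is named `default`, but the nextcloud.nix and rallly/default.nix hunks in this same patch show it only takes effect where a client sets `claims_policy = "default";`, so the name and the comment's "default policy" wording overstate its reach and a reader may assume clients without that line also get it. Every claim listed here — including `groups` and `alt_emails` — is then placed in the ID token of each client that opts in (presumably still subject to the scopes that client is granted), so a client that only consumes `email` receives group membership and secondary addresses in a token that, depending on the client, can end up in browser storage or request logs; one policy per client listing only the claims that client actually reads would keep that exposure minimal, and the commit message's own "services that require this still need to be identified" argues for the same. The comment would also read more clearly as `# Authelia no longer includes profile claims in the ID token by default and expects clients to query the userinfo endpoint; nextcloud-oidc-login does not, so this opt-in policy restores the old behaviour for clients that set claims_policy = "default".` The attribute set this block belongs to opens before the hunk.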