diff --git a/machines/gerd/services/authelia/authelia.nix b/machines/gerd/services/authelia/authelia.nix index 90e3cdb..a1bac9e 100644 --- a/machines/gerd/services/authelia/authelia.nix +++ b/machines/gerd/services/authelia/authelia.nix @@ -90,6 +90,20 @@ in { user = config.mine.shared.settings.ldap.bind_dn; }; }; + + # authelia have changed how the by-default handles auth, so in theory everything + # should contact the `userinfo` endpoint. but not everything does, which leads to us + # having to create a default policy for this + # https://github.com/pulsejet/nextcloud-oidc-login/issues/311#issuecomment-2763239352 + identity_providers.oidc.claims_policies.default.id_token = [ + "rat" + "groups" + "email" + "email_verified" + "alt_emails" + "preferred_username" + "name" + ]; }; }; diff --git a/machines/gerd/services/nextcloud.nix b/machines/gerd/services/nextcloud.nix index 452f158..349c759 100644 --- a/machines/gerd/services/nextcloud.nix +++ b/machines/gerd/services/nextcloud.nix @@ -142,10 +142,10 @@ in { extraApps = { inherit (config.services.nextcloud.package.packages.apps) contacts calendar tasks gpoddersync; oidc_login = let - version = "3.2.0"; + version = "3.2.2"; # TODO(eyJhb): add to niv in pkgs.fetchNextcloudApp { - sha256 = "sha256-DrbaKENMz2QJfbDKCMrNGEZYpUEvtcsiqw9WnveaPZA="; + sha256 = "sha256-RLYquOE83xquzv+s38bahOixQ+y4UI6OxP9HfO26faI="; url = "https://github.com/pulsejet/nextcloud-oidc-login/releases/download/v${version}/oidc_login.tar.gz"; license = "agpl3Only"; }; @@ -223,6 +223,7 @@ in { client_secret = "$pbkdf2-sha512$310000$kLNQ/1A.uasSN4g8q94jUQ$8OKNUNNumHCh8dVG5/QWys7u.y1guqFXlrL.bMm7/HKTsWhpib/W.8qlU6VU7V1Be/h14Y.fJi3RLvbkEdo2kA"; consent_mode = "implicit"; redirect_uris = [ "https://${svc_domain}/apps/oidc_login/oidc" ]; + claims_policy = "default"; scopes = [ "openid" "profile" diff --git a/machines/gerd/services/rallly/default.nix b/machines/gerd/services/rallly/default.nix index d6f4710..e58df59 100644 
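Review bot: The comment above `identity_providers.oidc.claims_policies.default.id_token` is hard to follow ("how the by-default handles auth") and does not say that a policy named `default` is not applied automatically; in Authelia a claims policy only affects clients that reference it by name, which is why nextcloud.nix and rallly/default.nix each add `claims_policy = "default";` in this commit. I would reword it along the lines of `# Authelia no longer copies profile/group claims into the ID token and expects clients to call the userinfo endpoint; clients that only read the ID token (see the linked issue) must opt in via claims_policy = "default"` and list the clients that rely on it, so a later rename or removal of the policy is checked against every client that references it. Once assigned, the ID token handed to the relying party carries `groups`, `email` and `alt_emails`; as far as I recall Authelia still gates each claim on the granted scope, so the scope lists of the opted-in clients (both cut off by their hunks) are what limits what each client receives — worth confirming they request no more than they use. The enclosing attribute set starts before the hunk.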
--- a/machines/gerd/services/rallly/default.nix
+++ b/machines/gerd/services/rallly/default.nix
@@ -106,6 +106,7 @@ in {
 client_secret = "$pbkdf2-sha512$310000$KB4UqeuVr86lEOoISSE92w$i2YGpz3wRwceiRfYnMUhZ0MboutkDPPYVWnXqiw6tUt./mgZ5kfV1ES.kcdsHhMdavhCrJfWvVTPQRJKImuUrQ";
 consent_mode = "implicit";
 redirect_uris = [ "https://${svc_domain}/api/auth/callback/oidc" ];
+ claims_policy = "default";
 scopes = [
 "openid"
 "email"
diff --git a/shared/sources/sources.json b/shared/sources/sources.json
index 1a60706..f4de43b 100644
--- a/shared/sources/sources.json
+++ b/shared/sources/sources.json
@@ -5,10 +5,10 @@
 "homepage": "https://matrix.to/#/#agenix:nixos.org",
 "owner": "ryantm",
 "repo": "agenix",
- "rev": "e600439ec4c273cf11e06fe4d9d906fb98fa097c",
- "sha256": "006ngydiykjgqs85cl19h9klq8kaqm5zs0ng51dnwy7nzgqxzsdr",
+ "rev": "4835b1dc898959d8547a871ef484930675cb47f1",
+ "sha256": "0ngkhf7qamibhbl9z1dryzscd36y4fz1m1h6fb2z6fylw0b8029p",
 "type": "tarball",
- "url": "https://github.com/ryantm/agenix/archive/e600439ec4c273cf11e06fe4d9d906fb98fa097c.tar.gz",
+ "url": "https://github.com/ryantm/agenix/archive/4835b1dc898959d8547a871ef484930675cb47f1.tar.gz",
 "url_template": "https://github.com///archive/.tar.gz"
 },
 "disko": {
@@ -17,10 +17,10 @@
 "homepage": "",
 "owner": "nix-community",
 "repo": "disko",
- "rev": "51d33bbb7f1e74ba5f9d9a77357735149da99081",
- "sha256": "0fg2ym4kc1pcayfg4jka742512r8nackwl8w1syxvg82yasixnjc",
+ "rev": "a894f2811e1ee8d10c50560551e50d6ab3c392ba",
+ "sha256": "06gbwfkzm73xrf2brnlvg0g6dbjjry7xqmaar320dqwclq44jf83",
 "type": "tarball",
- "url": "https://github.com/nix-community/disko/archive/51d33bbb7f1e74ba5f9d9a77357735149da99081.tar.gz",
+ "url": "https://github.com/nix-community/disko/archive/a894f2811e1ee8d10c50560551e50d6ab3c392ba.tar.gz",
 "url_template": "https://github.com///archive/.tar.gz"
 },
 "drasl": {
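Review bot: `claims_policy = "default";` opts the rallly client into the ID-token claims policy, but the issue linked in authelia.nix concerns nextcloud-oidc-login; if rallly obtains its profile from the userinfo endpoint, this line is not needed and only places `email`, `groups` and the other listed claims into every ID token issued to it. I would either add a comment stating why rallly needs it, e.g. `# rallly reads claims from the ID token rather than userinfo`, or drop the line if that is not the case. The client's scopes list continues outside the hunk.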
@@ -36,10 +36,10 @@
 "homepage": null,
 "owner": "RasmusRendal",
 "repo": "drtvrss",
- "rev": "1234121a3f615d80bc18107768182fb43df0bbac",
- "sha256": "0yxarbbsj4giyszc8pf64d0gy9qsld9skgdxxfgygrgk2wspycnc",
+ "rev": "2059220fb3342202091179f5496575ed596eab9e",
+ "sha256": "017m02xhm8j2i85jq30dm2z3vnxv74f06b7mqi8wz32j95x5qdal",
 "type": "tarball",
- "url": "https://github.com/RasmusRendal/drtvrss/archive/1234121a3f615d80bc18107768182fb43df0bbac.tar.gz",
+ "url": "https://github.com/RasmusRendal/drtvrss/archive/2059220fb3342202091179f5496575ed596eab9e.tar.gz",
 "url_template": "https://github.com///archive/.tar.gz"
 },
 "flake-compat": {
@@ -48,10 +48,10 @@
 "homepage": null,
 "owner": "edolstra",
 "repo": "flake-compat",
- "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec",
- "sha256": "19d2z6xsvpxm184m41qrpi1bplilwipgnzv9jy17fgw421785q1m",
+ "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
+ "sha256": "09m84vsz1py50giyfpx0fpc7a4i0r1xsb54dh0dpdg308lp4p188",
 "type": "tarball",
- "url": "https://github.com/edolstra/flake-compat/archive/ff81ac966bb2cae68946d5ed5fc4994f96d0ffec.tar.gz",
+ "url": "https://github.com/edolstra/flake-compat/archive/9100a0f413b0c601e0533d1d94ffd501ce2e7885.tar.gz",
 "url_template": "https://github.com///archive/.tar.gz"
 },
 "impermanence": {
@@ -72,10 +72,10 @@
 "homepage": null,
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "b024ced1aac25639f8ca8fdfc2f8c4fbd66c48ef",
- "sha256": "09dahi81cn02gnzsc8a00n945dxc18656ar0ffx5vgxjj1nhgsvy",
+ "rev": "4faa5f5321320e49a78ae7848582f684d64783e9",
+ "sha256": "1fcmsax6cs1s6p9apzxg17why08xy47dz226wnb5wwr0aargqlj2",
 "type": "tarball",
- "url": "https://github.com/NixOS/nixpkgs/archive/b024ced1aac25639f8ca8fdfc2f8c4fbd66c48ef.tar.gz",
+ "url": "https://github.com/NixOS/nixpkgs/archive/4faa5f5321320e49a78ae7848582f684d64783e9.tar.gz",
 "url_template": "https://github.com///archive/.tar.gz"
 }
 }