authelia: update stopped providing claims in response

This adds the default claim policy, which can be used to provide the
past behaviour for this. Services that require this still needs to be identified.

machines/gerd/services/authelia/authelia.nix

@@ -90,6 +90,20 @@ in {
           user = config.mine.shared.settings.ldap.bind_dn;
         };
       };
+
+      # authelia have changed how the by-default handles auth, so in theory everything
+      # should contact the `userinfo` endpoint. but not everything does, which leads to us
+      # having to create a default policy for this
+      # https://github.com/pulsejet/nextcloud-oidc-login/issues/311#issuecomment-2763239352
+      identity_providers.oidc.claims_policies.default.id_token = [
+        "rat"
+        "groups"
+        "email"
+        "email_verified"
+        "alt_emails"
+        "preferred_username"
+        "name"
+      ];
     };
   };
 

machines/gerd/services/nextcloud.nix

@@ -142,10 +142,10 @@ in {
     extraApps = {
       inherit (config.services.nextcloud.package.packages.apps) contacts calendar tasks gpoddersync;
       oidc_login = let
-        version = "3.2.0";
+        version = "3.2.2";
         # TODO(eyJhb): add to niv
       in pkgs.fetchNextcloudApp {
-          sha256 = "sha256-DrbaKENMz2QJfbDKCMrNGEZYpUEvtcsiqw9WnveaPZA=";
+          sha256 = "sha256-RLYquOE83xquzv+s38bahOixQ+y4UI6OxP9HfO26faI=";
           url = "https://github.com/pulsejet/nextcloud-oidc-login/releases/download/v${version}/oidc_login.tar.gz";
           license = "agpl3Only";
       };
@@ -223,6 +223,7 @@ in {
     client_secret = "$pbkdf2-sha512$310000$kLNQ/1A.uasSN4g8q94jUQ$8OKNUNNumHCh8dVG5/QWys7u.y1guqFXlrL.bMm7/HKTsWhpib/W.8qlU6VU7V1Be/h14Y.fJi3RLvbkEdo2kA";
     consent_mode = "implicit";
     redirect_uris = [ "https://${svc_domain}/apps/oidc_login/oidc" ];
+    claims_policy = "default";
     scopes = [
       "openid"
       "profile"

machines/gerd/services/rallly/default.nix

@@ -106,6 +106,7 @@ in {
     client_secret = "$pbkdf2-sha512$310000$KB4UqeuVr86lEOoISSE92w$i2YGpz3wRwceiRfYnMUhZ0MboutkDPPYVWnXqiw6tUt./mgZ5kfV1ES.kcdsHhMdavhCrJfWvVTPQRJKImuUrQ";
     consent_mode = "implicit";
     redirect_uris = [ "https://${svc_domain}/api/auth/callback/oidc" ];
+    claims_policy = "default";
     scopes = [
       "openid"
       "email"

shared/sources/sources.json

@@ -5,10 +5,10 @@
         "homepage": "https://matrix.to/#/#agenix:nixos.org",
         "owner": "ryantm",
         "repo": "agenix",
-        "rev": "e600439ec4c273cf11e06fe4d9d906fb98fa097c",
-        "sha256": "006ngydiykjgqs85cl19h9klq8kaqm5zs0ng51dnwy7nzgqxzsdr",
+        "rev": "4835b1dc898959d8547a871ef484930675cb47f1",
+        "sha256": "0ngkhf7qamibhbl9z1dryzscd36y4fz1m1h6fb2z6fylw0b8029p",
         "type": "tarball",
-        "url": "https://github.com/ryantm/agenix/archive/e600439ec4c273cf11e06fe4d9d906fb98fa097c.tar.gz",
+        "url": "https://github.com/ryantm/agenix/archive/4835b1dc898959d8547a871ef484930675cb47f1.tar.gz",
         "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
     },
     "disko": {
@@ -17,10 +17,10 @@
         "homepage": "",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "51d33bbb7f1e74ba5f9d9a77357735149da99081",
-        "sha256": "0fg2ym4kc1pcayfg4jka742512r8nackwl8w1syxvg82yasixnjc",
+        "rev": "a894f2811e1ee8d10c50560551e50d6ab3c392ba",
+        "sha256": "06gbwfkzm73xrf2brnlvg0g6dbjjry7xqmaar320dqwclq44jf83",
         "type": "tarball",
-        "url": "https://github.com/nix-community/disko/archive/51d33bbb7f1e74ba5f9d9a77357735149da99081.tar.gz",
+        "url": "https://github.com/nix-community/disko/archive/a894f2811e1ee8d10c50560551e50d6ab3c392ba.tar.gz",
         "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
     },
     "drasl": {
@@ -36,10 +36,10 @@
         "homepage": null,
         "owner": "RasmusRendal",
         "repo": "drtvrss",
-        "rev": "1234121a3f615d80bc18107768182fb43df0bbac",
-        "sha256": "0yxarbbsj4giyszc8pf64d0gy9qsld9skgdxxfgygrgk2wspycnc",
+        "rev": "2059220fb3342202091179f5496575ed596eab9e",
+        "sha256": "017m02xhm8j2i85jq30dm2z3vnxv74f06b7mqi8wz32j95x5qdal",
         "type": "tarball",
-        "url": "https://github.com/RasmusRendal/drtvrss/archive/1234121a3f615d80bc18107768182fb43df0bbac.tar.gz",
+        "url": "https://github.com/RasmusRendal/drtvrss/archive/2059220fb3342202091179f5496575ed596eab9e.tar.gz",
         "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
     },
     "flake-compat": {
@@ -48,10 +48,10 @@
         "homepage": null,
         "owner": "edolstra",
         "repo": "flake-compat",
-        "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec",
-        "sha256": "19d2z6xsvpxm184m41qrpi1bplilwipgnzv9jy17fgw421785q1m",
+        "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
+        "sha256": "09m84vsz1py50giyfpx0fpc7a4i0r1xsb54dh0dpdg308lp4p188",
         "type": "tarball",
-        "url": "https://github.com/edolstra/flake-compat/archive/ff81ac966bb2cae68946d5ed5fc4994f96d0ffec.tar.gz",
+        "url": "https://github.com/edolstra/flake-compat/archive/9100a0f413b0c601e0533d1d94ffd501ce2e7885.tar.gz",
         "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
     },
     "impermanence": {
@@ -72,10 +72,10 @@
         "homepage": null,
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "b024ced1aac25639f8ca8fdfc2f8c4fbd66c48ef",
-        "sha256": "09dahi81cn02gnzsc8a00n945dxc18656ar0ffx5vgxjj1nhgsvy",
+        "rev": "4faa5f5321320e49a78ae7848582f684d64783e9",
+        "sha256": "1fcmsax6cs1s6p9apzxg17why08xy47dz226wnb5wwr0aargqlj2",
         "type": "tarball",
-        "url": "https://github.com/NixOS/nixpkgs/archive/b024ced1aac25639f8ca8fdfc2f8c4fbd66c48ef.tar.gz",
+        "url": "https://github.com/NixOS/nixpkgs/archive/4faa5f5321320e49a78ae7848582f684d64783e9.tar.gz",
         "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
     }
 }