Get kas.codes minimally functioning

2025-07-18 23:42:46 +02:00 · 2025-07-18 23:42:46 +02:00 · 9bd9eb328b
commit 9bd9eb328b
parent dec0048a7b
3 changed files with 28 additions and 15 deletions
--- a/nix/systems/aarch64-linux/kas.codes/forgejo/default.nix
+++ b/nix/systems/aarch64-linux/kas.codes/forgejo/default.nix
@ -87,8 +87,8 @@ in
      mailer = {
        ENABLED = true;
        SMTP_ADDR = "kas.codes";
-        FROM = "forgejo@khs.codes";
-        USER = "forgejo@khs.codes";
+        FROM = "forgejo@kas.codes";
+        USER = "forgejo@kas.codes";
      };
      "ui.meta" = {
        AUTHOR = "Kaare Hoff Skovgaard <kaare@kaareskovgaard.net>";
--- a/nix/systems/aarch64-linux/kas.codes/forgejo/oauth.nix
+++ b/nix/systems/aarch64-linux/kas.codes/forgejo/oauth.nix
@ -16,22 +16,28 @@ let
      config="${config.services.forgejo.stateDir}/custom/conf/app.ini"
      secret="$(cat ${oauthSecretIdFile})"

+      options=(
+          "--name" "Kanidm" \
+          "--key" "forgejo" \
+          "--secret" "$secret" \
+          "--auto-discover-url" https://login.kaareskovgaard.net/oauth2/openid/forgejo/.well-known/openid-configuration \
+          "--scopes" "email profile" \
+          "--skip-local-2fa" \
+          "--provider" openidConnect \
+          "--group-claim-name" "groups" \
+          "--admin-group" "admin" \
+          "--group-team-map-removal" \
+          "--group-team-map" '{"nix": {"nix": [] }, "actions": { "actons": [] }}'
+      )
+
      if gitea "--config=$config" admin auth list | grep -q "Kanidm" 2> /dev/null; then
-        echo "Oauth2 app already exists, updating not yet implemented"
-        exit 0
+        id="$(gitea "--config=$config" admin auth list | grep "Kanidm" | cut -d$'\t' -f1)"
+        gitea "--config=$config" admin auth update-oauth \
+          --id "$id" \
+          "''${options[@]}"
      else
        gitea "--config=$config" admin auth add-oauth \
-          --name "Kanidm" \
-          --key "forgejo" \
-          --secret "$secret" \
-          --auto-discover-url https://login.kaareskovgaard.net/oauth2/openid/forgejo/.well-known/openid-configuration \
-          --scopes "email profile" \
-          --skip-local-2fa \
-          --provider openidConnect \
-          --group-claim-name groups \
-          --admin-group admin \
-          --group-team-map-removal \
-          --group-team-map '{"nix": ["nix"], "actions": ["actons"]}'
+          "''${options[@]}"
      fi
    '';
  };
--- a/nix/systems/aarch64-linux/security.kaareskovgaard.net/kanidm.nix
+++ b/nix/systems/aarch64-linux/security.kaareskovgaard.net/kanidm.nix
@ -79,6 +79,10 @@ in
        present = true;
        members = [ "khs" ];
      };
+      groups.forgejo_admin = {
+        present = true;
+        members = [ "khs" ];
+      };
      # We cannot add oauth2 apps before the secrets for them are generated.
      systems.oauth2 = lib.mkIf (!bootstrapping) {
        openbao = {
@ -167,6 +171,9 @@ in
              "forgejo_comitter" = [
                "comitter"
              ];
+              "forgejo_admin" = [
+                "admin"
+              ];
            };
          };
        };