Enable SSO with keycloak for mastodon

2024-01-19 12:16:42 +01:00 · 2024-01-19 12:16:42 +01:00 · 656c01b1fe
parent 89a9e54092
commit 656c01b1fe
2 changed files with 22 additions and 0 deletions
--- a/config/hosts/mastodon/mastodon.nix
+++ b/config/hosts/mastodon/mastodon.nix
@ -50,7 +50,21 @@ in
    extraConfig = {
      SMTP_TLS = "true";
      ES_PRESET = "single_node_cluster";
+      OIDC_CLIENT_ID = "mastodon";
+      OIDC_ENABLED = "true";
+      OMNIAUTH_ONLY = "false";
+      OIDC_DISPLAY_NAME = "Login with Nekoverse ID";
+      OIDC_ISSUER = "https://id.nekover.se/realms/nekoverse";
+      OIDC_DISCOVERY = "true";
+      OIDC_SCOPE = "openid,profile,email";
+      OIDC_UID_FIELD = "preferred_username";
+      OIDC_REDIRECT_URI = "https://social.nekover.se/auth/auth/openid_connect/callback";
+      OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED = "true";
+      OIDC_END_SESSION_ENDPOINT = "https://id.nekover.se/realms/nekoverse/protocol/openid-connect/logout";
    };
+    extraEnvFiles = [
+      "/secrets/mastodon-keycloak-client-secret.secret"
+    ];
    elasticsearch.host = "127.0.0.1";
  };
 }
--- a/config/hosts/mastodon/secrets.nix
+++ b/config/hosts/mastodon/secrets.nix
@ -33,5 +33,13 @@
      permissions = "0640";
      uploadAt = "pre-activation";
    };
+    "mastodon-keycloak-client-secret.secret" = {
+      keyCommand = keyCommandEnv ++ [ "pass" "mastodon/keycloak-client-secret" ];
+      destDir = "/secrets";
+      user = "mastodon";
+      group = "mastodon";
+      permissions = "0640";
+      uploadAt = "pre-activation";
+    };
  };
 }