Update comentario

Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-09-22 09:58:06 +01:00
parent fc8e2db679
commit 3bf23f860a
5 changed files with 106 additions and 48 deletions


@@ -26,7 +26,7 @@ in
POSTGRES_PASSWORD=${hmConfig.sops.placeholder."comentario/postgresql"}
'';
comentario.content = builtins.readFile (
comentario-secrets.content = builtins.readFile (
(pkgs.formats.yaml { }).generate "secrets.yaml" {
postgres = {
host = "comentario-postgresql";
@@ -56,6 +56,7 @@ in
];
key = autheliaClientId;
secret = hmConfig.sops.placeholder."comentario/authelia/password";
superuserClaim = "is_admin";
}
];
}
@@ -110,16 +111,27 @@ in
networks.comentario.ref
networks.traefik.ref
];
environments = {
BASE_URL = "https://comments.karaolidis.com";
NO_COLOR = "true";
SUPERUSER_CLAIM = "is_admin";
DYN_DEFAULT_AUTH_EMAILUPDATE_ENABLED = "true";
DYN_DEFAULT_AUTH_SIGNUP_CONFIRM_COMMENTER = "false";
DYN_DEFAULT_AUTH_SIGNUP_ENABLED = "false";
DYN_DEFAULT_AUTH_SIGNUP_SSO_ENABLED = "true";
};
volumes = [ "${hmConfig.sops.templates.comentario.path}:/etc/comentario/secrets.yaml:ro" ];
volumes =
let
config = (pkgs.formats.yaml { }).generate "config.yaml" {
baseUrl = "https://comments.karaolidis.com";
log.noColor = true;
dynamicConfigDefaults.auth = {
emailUpdate.enabled = true;
signup = {
confirm.commenter = false;
enabled = false;
sso.enabled = true;
};
};
};
in
[
"${config}:/etc/comentario/config.yaml:ro"
"${hmConfig.sops.templates.comentario-secrets.path}:/etc/comentario/secrets.yaml:ro"
];
labels = [
"traefik.enable=true"
"traefik.http.routers.comentario.rule=Host(`comments.karaolidis.com`)"
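Review bot: The generated `config.yaml` (the `pkgs.formats.yaml` call inside the new `volumes` block) is written to the Nix store, which is world-readable on the host, so nothing sensitive may ever be moved into it; a comment should make that boundary explicit, e.g. `# config.yaml is a /nix/store path (world-readable): non-secret settings only; credentials stay in the sops template`. The sops template rename from `comentario` to `comentario-secrets` is reflected in the new `volumes` entry, but the first hunk shows only the `comentario-secrets.content` line, so any other references to `sops.templates.comentario` in this file fall outside the hunks and should be checked. The `superuserClaim = "is_admin"` value added to the secrets YAML replaces the removed `SUPERUSER_CLAIM` environment variable, which is consistent with the per-provider claim introduced in the patch file of this commit.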


@@ -2,24 +2,17 @@
# AUTO-UPDATE: nix-update --flake comentario --version=branch=dev --subpackage frontend
pkgs.buildGo125Module (finalAttrs: {
pname = "comentario";
version = "3.14.0-unstable-2025-09-15";
version = "3.14.0-unstable-2025-09-20";
src = pkgs.fetchFromGitLab {
owner = "comentario";
repo = "comentario";
# FIXME: Stable rev once type error is fixed
rev = "d79035b41a912a432b74eb7fb0240b79cabff6bf";
hash = "sha256-nTOojxYBDeA5Z+rh+C+SbFJ4fzmr8sT2oZmO+chiXJM=";
rev = "73cf8040cb9adb31794ec780e5905c2e747ca63f";
hash = "sha256-8rch1sL81wQblaUBebUA/C2HxtAfYHPadt2X2qJWJIk=";
};
patches = [
# fe: dynamic configuration env vars
(builtins.fetchurl {
url = "https://gitlab.com/comentario/comentario/-/merge_requests/23.patch";
sha256 = "sha256:0ih5hwadjkh47vvji4jygpfxcfpjcarhcwazc7asxpfxc87g04pv";
})
./superuser-claim.patch
];
patches = [ ./superuser-claim.patch ];
vendorHash = "sha256-AOI/WnVkrSgJlT2FtYOTuifOPw8sfc4C0g/prVkvJlA=";
@@ -72,13 +65,10 @@ pkgs.buildGo125Module (finalAttrs: {
'';
installPhase = ''
mkdir -p $out/bin $out/lib/${finalAttrs.pname}
mkdir -p $out/bin
cp -r $GOPATH/bin/comentario $out/bin/${finalAttrs.pname}
cp -r db templates $out/lib/${finalAttrs.pname}
wrapProgram $out/bin/${finalAttrs.pname} \
--add-flags "--db-migration-path=$out/lib/${finalAttrs.pname}/db" \
--add-flags "--template-path=$out/lib/${finalAttrs.pname}/templates" \
--add-flags "--static-path=${finalAttrs.frontend}"
'';


@@ -144,7 +144,7 @@ index 7d3dc792..723e8149 100644
[InstanceConfigItemKey.operationNewOwnerEnabled]: $localize`Non-owner users can add domains`,
// Domain defaults
diff --git a/internal/api/restapi/handlers/oauth.go b/internal/api/restapi/handlers/oauth.go
index 0d8cd282..01324302 100644
index 8c5129f2..3837d229 100644
--- a/internal/api/restapi/handlers/oauth.go
+++ b/internal/api/restapi/handlers/oauth.go
@@ -220,7 +220,7 @@ func AuthOauthCallback(params api_general.AuthOauthCallbackParams) middleware.Re
@@ -156,15 +156,26 @@ index 0d8cd282..01324302 100644
} else if sso {
// SSO embed signup
@@ -248,9 +248,18 @@ func AuthOauthCallback(params api_general.AuthOauthCallbackParams) middleware.Re
@@ -248,9 +248,29 @@ func AuthOauthCallback(params api_general.AuthOauthCallbackParams) middleware.Re
return errors.New(errMessage)
}
+ // Check if the superuser claim is set
+ superuser := false
+ if raw, ok := fedUser.RawData[config.ServerConfig.SuperuserClaim]; ok {
+ if isAdmin, ok := raw.(bool); ok && isAdmin {
+ superuser = true
+ if fidp, ok := config.FederatedIdProviders[models.FederatedIdpID(idpID)]; ok {
+ if fidp.SuperuserClaim != "" {
+ if raw, ok := fedUser.RawData[fidp.SuperuserClaim]; ok {
+ switch v := raw.(type) {
+ case bool:
+ if v {
+ superuser = true
+ }
+ case string:
+ if v == "true" || v == "1" {
+ superuser = true
+ }
+ }
+ }
+ }
+ }
+
@@ -173,25 +184,51 @@ index 0d8cd282..01324302 100644
WithConfirmed(true). // Confirm the user right away as we trust the IdP
+ WithSuperuser(superuser).
WithLangFromReq(params.HTTPRequest).
WithSignup(params.HTTPRequest, authSession.Host, !config.ServerConfig.LogFullIPs).
WithSignup(params.HTTPRequest, authSession.Host, !config.ServerConfig.Logging.FullIPs).
WithFederated(fedUser.UserID, idpID).
diff --git a/internal/config/config.go b/internal/config/config.go
index e1292447..1715a7f6 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -36,6 +36,7 @@ type ServerConfiguration struct {
TemplatePath string `long:"template-path" description:"Path to template files" default:"./templates" env:"TEMPLATE_PATH"`
SecretsFile string `long:"secrets" description:"Path to YAML file with secrets" default:"secrets.yaml" env:"SECRETS_FILE"`
Superuser string `long:"superuser" description:"ID or email of user to be made superuser" default:"" env:"SUPERUSER"`
+ SuperuserClaim string `long:"superuser-claim" description:"Name of the OIDC claim for superusers" default:"is_superuser" env:"SUPERUSER_CLAIM"`
LogFullIPs bool `long:"log-full-ips" description:"Log IP addresses in full" env:"LOG_FULL_IPS"`
HomeContentURL string `long:"home-content-url" description:"URL of a HTML page to display on homepage" env:"HOME_CONTENT_URL"`
GitLabURL string `long:"gitlab-url" description:"Custom GitLab URL for authentication" default:"" env:"GITLAB_URL"`
diff --git a/internal/config/oauth.go b/internal/config/oauth.go
index 10917c44..7ba997d9 100644
--- a/internal/config/oauth.go
+++ b/internal/config/oauth.go
@@ -177,9 +177,10 @@ func oidcConfigure() error {
// Add it to the configured providers map
mid := models.FederatedIdpID(qid)
FederatedIdProviders[mid] = &data.FederatedIdentityProvider{
- ID: mid,
- Name: p.Name,
- GothName: qid,
+ ID: mid,
+ Name: p.Name,
+ GothName: qid,
+ SuperuserClaim: p.SuperuserClaim,
}
cnt++
}
diff --git a/internal/config/secrets.go b/internal/config/secrets.go
index d3e2af97..92f33f74 100644
--- a/internal/config/secrets.go
+++ b/internal/config/secrets.go
@@ -59,10 +59,11 @@ type APIKey struct {
// OIDCProvider stores OIDC provider configuration
type OIDCProvider struct {
- KeySecretURL `yaml:",inline"`
- ID string `yaml:"id"` // Unique provider ID, e.g. "keycloak"
- Name string `yaml:"name"` // Provider display name, e.g. "Keycloak"
- Scopes []string `yaml:"scopes"` // Additional scopes to request
+ KeySecretURL `yaml:",inline"`
+ ID string `yaml:"id"` // Unique provider ID, e.g. "keycloak"
+ Name string `yaml:"name"` // Provider display name, e.g. "Keycloak"
+ Scopes []string `yaml:"scopes"` // Additional scopes to request
+ SuperuserClaim string `yaml:"superuserClaim"` // Name of the OIDC claim for superusers
}
// QualifiedID returns the provider's ID prepended with the common OIDC prefix
diff --git a/internal/data/dyn_config.go b/internal/data/dyn_config.go
index 8595ea2a..621fd132 100644
index 0cd0d64e..b4ff042d 100644
--- a/internal/data/dyn_config.go
+++ b/internal/data/dyn_config.go
@@ -170,6 +170,7 @@ const (
@@ -171,6 +171,7 @@ const (
ConfigKeyAuthSignupConfirmCommenter DynConfigItemKey = "auth.signup.confirm.commenter"
ConfigKeyAuthSignupConfirmUser DynConfigItemKey = "auth.signup.confirm.user"
ConfigKeyAuthSignupEnabled DynConfigItemKey = "auth.signup.enabled"
@@ -199,7 +236,7 @@ index 8595ea2a..621fd132 100644
ConfigKeyIntegrationsUseGravatar DynConfigItemKey = "integrations.useGravatar"
ConfigKeyOperationNewOwnerEnabled DynConfigItemKey = "operation.newOwner.enabled"
)
@@ -203,6 +204,7 @@ var DefaultDynInstanceConfig = DynConfigMap{
@@ -204,6 +205,7 @@ var DefaultDynInstanceConfig = DynConfigMap{
ConfigKeyAuthSignupConfirmCommenter: {DefaultValue: "true", Datatype: ConfigDatatypeBool, Section: DynConfigItemSectionAuth},
ConfigKeyAuthSignupConfirmUser: {DefaultValue: "true", Datatype: ConfigDatatypeBool, Section: DynConfigItemSectionAuth},
ConfigKeyAuthSignupEnabled: {DefaultValue: "true", Datatype: ConfigDatatypeBool, Section: DynConfigItemSectionAuth},
@@ -207,3 +244,21 @@ index 8595ea2a..621fd132 100644
ConfigKeyIntegrationsUseGravatar: {DefaultValue: "true", Datatype: ConfigDatatypeBool, Section: DynConfigItemSectionIntegrations},
ConfigKeyOperationNewOwnerEnabled: {DefaultValue: "false", Datatype: ConfigDatatypeBool, Section: DynConfigItemSectionMisc},
ConfigKeyDomainDefaultsPrefix + DomainConfigKeyCommentDeletionAuthor: {DefaultValue: "true", Datatype: ConfigDatatypeBool, Section: DynConfigItemSectionComments},
diff --git a/internal/data/models.go b/internal/data/models.go
index 4561fad5..0b491724 100644
--- a/internal/data/models.go
+++ b/internal/data/models.go
@@ -74,9 +74,10 @@ func (sd SortDirection) ToOrderedExpression(ident string) exp.OrderedExpression
// FederatedIdentityProvider describes a federated identity provider
type FederatedIdentityProvider struct {
- ID models.FederatedIdpID // Provider ID
- Name string // Provider name
- GothName string // Name of the corresponding goth provider
+ ID models.FederatedIdpID // Provider ID
+ Name string // Provider name
+ GothName string // Name of the corresponding goth provider
+ SuperuserClaim string // Name of the OIDC claim for superusers
}
// ToDTO converts this model into an API model
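Review bot: The string arm of the new claim check (`case string:` in the superuser block added to AuthOauthCallback) accepts only the exact spellings `"true"` and `"1"`, so a provider emitting `"True"`, `"TRUE"` or `"yes"` is silently treated as non-superuser while `"1"` is accepted; `strconv.ParseBool` gives one documented rule, e.g. `case string: if b, err := strconv.ParseBool(v); err == nil && b { superuser = true }` (with `strconv` imported in oauth.go). The value is read from `fedUser.RawData`, which the handler presumably fills from the provider's ID-token or userinfo claims, so the block comment should name the trusted source and the fail-closed cases, e.g. `// Elevate only when the provider's configured claim is present and truthy; unknown provider, empty claim name or absent claim → not a superuser`. As far as the hunk shows, the check sits on the signup path (`WithSignup` / `WithSuperuser`), so superuser status is decided once at account creation and is not re-evaluated on later logins or revoked when the claim disappears — worth stating in the comment if that is intended. The body of AuthOauthCallback starts and ends outside the hunk.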


@@ -17,6 +17,7 @@ pkgs.dockerTools.buildImage {
Env = [
"HOST=0.0.0.0"
"PORT=8080"
"CONFIG_FILE=/etc/comentario/config.yaml"
"SECRETS_FILE=/etc/comentario/secrets.yaml"
];
ExposedPorts = {


@@ -4,7 +4,7 @@
(patcher.fetchpatch {
name = "feat: supports images";
url = "https://github.com/SEIAROTg/quadlet-nix/compare/main...karaolidis:quadlet-nix:image.diff";
hash = "sha256-XLdOrSJ/gyLARGI0psBejtpX9Z2NSRTaUbFtBi8BxPw=";
hash = "sha256-8li8XuBV3+J0s3FACOyKP+ndffn8T/PQXq+UrIk2TAc=";
})
];
}