From 3bf23f860a8ce6f17f953ba4f773454475cc0001 Mon Sep 17 00:00:00 2001 From: Nikolaos Karaolidis Date: Mon, 22 Sep 2025 09:58:06 +0100 Subject: [PATCH] Update comentario Signed-off-by: Nikolaos Karaolidis --- .../console/podman/comentario/default.nix | 34 ++++--- packages/comentario/default.nix | 20 +--- packages/comentario/superuser-claim.patch | 97 +++++++++++++++---- packages/docker/comentario/default.nix | 1 + patches.nix | 2 +- 5 files changed, 106 insertions(+), 48 deletions(-) diff --git a/hosts/jupiter/users/storm/configs/console/podman/comentario/default.nix b/hosts/jupiter/users/storm/configs/console/podman/comentario/default.nix index 6363907..d396965 100644 --- a/hosts/jupiter/users/storm/configs/console/podman/comentario/default.nix +++ b/hosts/jupiter/users/storm/configs/console/podman/comentario/default.nix @@ -26,7 +26,7 @@ in POSTGRES_PASSWORD=${hmConfig.sops.placeholder."comentario/postgresql"} ''; - comentario.content = builtins.readFile ( + comentario-secrets.content = builtins.readFile ( (pkgs.formats.yaml { }).generate "secrets.yaml" { postgres = { host = "comentario-postgresql"; @@ -56,6 +56,7 @@ in ]; key = autheliaClientId; secret = hmConfig.sops.placeholder."comentario/authelia/password"; + superuserClaim = "is_admin"; } ]; } 
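Review bot: `superuserClaim = "is_admin";` on the Authelia provider makes any account whose claims carry `is_admin` a Comentario superuser, and per the handler patch in this same commit the claim is read when the federated account is created, so the Authelia side must be the only place that can mint that claim and must actually release it in the ID token or userinfo for the scopes requested just above (not verifiable from this hunk). A short comment would make the coupling explicit: `# Authelia must emit is_admin (see packages/comentario/superuser-claim.patch); it is evaluated when the SSO account is created`. The enclosing `providers` list and the `sops.templates` attribute set start outside the hunk.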
@@ -110,16 +111,27 @@ in networks.comentario.ref networks.traefik.ref ]; - environments = { - BASE_URL = "https://comments.karaolidis.com"; - NO_COLOR = "true"; - SUPERUSER_CLAIM = "is_admin"; - DYN_DEFAULT_AUTH_EMAILUPDATE_ENABLED = "true"; - DYN_DEFAULT_AUTH_SIGNUP_CONFIRM_COMMENTER = "false"; - DYN_DEFAULT_AUTH_SIGNUP_ENABLED = "false"; - DYN_DEFAULT_AUTH_SIGNUP_SSO_ENABLED = "true"; - }; - volumes = [ "${hmConfig.sops.templates.comentario.path}:/etc/comentario/secrets.yaml:ro" ]; + volumes = + let + config = (pkgs.formats.yaml { }).generate "config.yaml" { + baseUrl = "https://comments.karaolidis.com"; + log.noColor = true; + + dynamicConfigDefaults.auth = { + emailUpdate.enabled = true; + + signup = { + confirm.commenter = false; + enabled = false; + sso.enabled = true; + }; + }; + }; + in + [ + "${config}:/etc/comentario/config.yaml:ro" + "${hmConfig.sops.templates.comentario-secrets.path}:/etc/comentario/secrets.yaml:ro" + ]; labels = [ "traefik.enable=true" "traefik.http.routers.comentario.rule=Host(`comments.karaolidis.com`)" diff --git a/packages/comentario/default.nix b/packages/comentario/default.nix index 571d2d1..67cee9c 100644 --- a/packages/comentario/default.nix +++ b/packages/comentario/default.nix 
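Review bot: `config.yaml` is generated with `pkgs.formats.yaml` and therefore lives in the world-readable Nix store, while credentials stay in the sops-rendered `secrets.yaml`; that split is correct today but only stays correct if nobody later adds a key here, so a guard comment is worth it: `# non-secret settings only: this file ends up in /nix/store and is world-readable`. The `dynamicConfigDefaults` block presumably only seeds the dynamic instance configuration and is overridden by whatever is already stored in the database (the old `DYN_DEFAULT_*` env vars had the same semantics), so on an existing instance changing `signup.enabled` here may have no visible effect — confirm against the running instance after the switch. The container definition these `volumes` belong to starts and ends outside the hunk.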
@@ -2,24 +2,17 @@ # AUTO-UPDATE: nix-update --flake comentario --version=branch=dev --subpackage frontend pkgs.buildGo125Module (finalAttrs: { pname = "comentario"; - version = "3.14.0-unstable-2025-09-15"; + version = "3.14.0-unstable-2025-09-20"; src = pkgs.fetchFromGitLab { owner = "comentario"; repo = "comentario"; # FIXME: Stable rev once type error is fixed - rev = "d79035b41a912a432b74eb7fb0240b79cabff6bf"; - hash = "sha256-nTOojxYBDeA5Z+rh+C+SbFJ4fzmr8sT2oZmO+chiXJM="; + rev = "73cf8040cb9adb31794ec780e5905c2e747ca63f"; + hash = "sha256-8rch1sL81wQblaUBebUA/C2HxtAfYHPadt2X2qJWJIk="; }; - patches = [ - # fe: dynamic configuration env vars - (builtins.fetchurl { - url = "https://gitlab.com/comentario/comentario/-/merge_requests/23.patch"; - sha256 = "sha256:0ih5hwadjkh47vvji4jygpfxcfpjcarhcwazc7asxpfxc87g04pv"; - }) - ./superuser-claim.patch - ]; + patches = [ ./superuser-claim.patch ]; vendorHash = "sha256-AOI/WnVkrSgJlT2FtYOTuifOPw8sfc4C0g/prVkvJlA="; @@ -72,13 +65,10 @@ pkgs.buildGo125Module (finalAttrs: { ''; installPhase = '' - mkdir -p $out/bin $out/lib/${finalAttrs.pname} + mkdir -p $out/bin cp -r $GOPATH/bin/comentario $out/bin/${finalAttrs.pname} - cp -r db templates $out/lib/${finalAttrs.pname} wrapProgram $out/bin/${finalAttrs.pname} \ - --add-flags "--db-migration-path=$out/lib/${finalAttrs.pname}/db" \ - --add-flags "--template-path=$out/lib/${finalAttrs.pname}/templates" \ --add-flags "--static-path=${finalAttrs.frontend}" ''; diff --git a/packages/comentario/superuser-claim.patch b/packages/comentario/superuser-claim.patch index d33606d..0e2f6cf 100644 --- a/packages/comentario/superuser-claim.patch +++ b/packages/comentario/superuser-claim.patch @@ -144,7 +144,7 @@ index 7d3dc792..723e8149 100644 [InstanceConfigItemKey.operationNewOwnerEnabled]: $localize`Non-owner users can add domains`, // Domain defaults 
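Review bot: Dropping `cp -r db templates` together with the `--db-migration-path`/`--template-path` flags in `installPhase` is only safe if the new rev embeds those directories into the binary; nothing in this hunk shows that, and a relative default such as the `./templates` visible in the removed `config.go` context would resolve to nothing inside the container at startup. If upstream `73cf804` does embed them, pin that fact next to the wrapper so the next bump cannot silently regress: `# db/ and templates/ are embedded upstream as of 73cf804; no path flags needed`. The `# FIXME: Stable rev once type error is fixed` comment above is still carried forward and should name the upstream issue it is waiting on.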
diff --git a/internal/api/restapi/handlers/oauth.go b/internal/api/restapi/handlers/oauth.go -index 0d8cd282..01324302 100644 +index 8c5129f2..3837d229 100644 --- a/internal/api/restapi/handlers/oauth.go +++ b/internal/api/restapi/handlers/oauth.go @@ -220,7 +220,7 @@ func AuthOauthCallback(params api_general.AuthOauthCallbackParams) middleware.Re @@ -156,15 +156,26 @@ index 0d8cd282..01324302 100644 } else if sso { // SSO embed signup -@@ -248,9 +248,18 @@ func AuthOauthCallback(params api_general.AuthOauthCallbackParams) middleware.Re +@@ -248,9 +248,29 @@ func AuthOauthCallback(params api_general.AuthOauthCallbackParams) middleware.Re return errors.New(errMessage) } + // Check if the superuser claim is set + superuser := false -+ if raw, ok := fedUser.RawData[config.ServerConfig.SuperuserClaim]; ok { -+ if isAdmin, ok := raw.(bool); ok && isAdmin { -+ superuser = true ++ if fidp, ok := config.FederatedIdProviders[models.FederatedIdpID(idpID)]; ok { ++ if fidp.SuperuserClaim != "" { ++ if raw, ok := fedUser.RawData[fidp.SuperuserClaim]; ok { ++ switch v := raw.(type) { ++ case bool: ++ if v { ++ superuser = true ++ } ++ case string: ++ if v == "true" || v == "1" { ++ superuser = true ++ } ++ } ++ } + } + } + 
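Review bot: The superuser flag is computed on what appears to be the new-user path only — the builder continues with `WithSignup`/`WithFederated` in the next hunk — so an IdP that later revokes `is_admin` from a user, or grants it to an existing account, is not reflected on subsequent logins; if that reading is right, re-evaluating the claim on every federated login (or at minimum documenting that superuser is captured only at signup) closes the privilege-drift gap. The string branch accepts only lowercase `"true"`/`"1"`; `strconv.ParseBool` would also accept `"True"`/`"t"`, so decide deliberately and record it, e.g. `// claim value may be a JSON bool or the strings "true"/"1"; anything else is ignored`. This still trusts `fedUser.RawData`, which is safe only if goth populates it from the verified ID token or the userinfo endpoint rather than from anything the browser controls — a one-line comment stating that assumption is worth adding. The enclosing `AuthOauthCallback` starts and ends outside the hunk.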
@@ -173,25 +184,51 @@ index 0d8cd282..01324302 100644 WithConfirmed(true). // Confirm the user right away as we trust the IdP + WithSuperuser(superuser). WithLangFromReq(params.HTTPRequest). - WithSignup(params.HTTPRequest, authSession.Host, !config.ServerConfig.LogFullIPs). + WithSignup(params.HTTPRequest, authSession.Host, !config.ServerConfig.Logging.FullIPs). WithFederated(fedUser.UserID, idpID). -diff --git a/internal/config/config.go b/internal/config/config.go -index e1292447..1715a7f6 100644 ---- a/internal/config/config.go -+++ b/internal/config/config.go -@@ -36,6 +36,7 @@ type ServerConfiguration struct { - TemplatePath string `long:"template-path" description:"Path to template files" default:"./templates" env:"TEMPLATE_PATH"` - SecretsFile string `long:"secrets" description:"Path to YAML file with secrets" default:"secrets.yaml" env:"SECRETS_FILE"` - Superuser string `long:"superuser" description:"ID or email of user to be made superuser" default:"" env:"SUPERUSER"` -+ SuperuserClaim string `long:"superuser-claim" description:"Name of the OIDC claim for superusers" default:"is_superuser" env:"SUPERUSER_CLAIM"` - LogFullIPs bool `long:"log-full-ips" description:"Log IP addresses in full" env:"LOG_FULL_IPS"` - HomeContentURL string `long:"home-content-url" description:"URL of a HTML page to display on homepage" env:"HOME_CONTENT_URL"` - GitLabURL string `long:"gitlab-url" description:"Custom GitLab URL for authentication" default:"" env:"GITLAB_URL"` +diff --git a/internal/config/oauth.go b/internal/config/oauth.go +index 10917c44..7ba997d9 100644 +--- a/internal/config/oauth.go ++++ b/internal/config/oauth.go +@@ -177,9 +177,10 @@ func oidcConfigure() error { + // Add it to the configured providers map + mid := models.FederatedIdpID(qid) + FederatedIdProviders[mid] = &data.FederatedIdentityProvider{ +- ID: mid, +- Name: p.Name, +- GothName: qid, ++ ID: mid, ++ Name: p.Name, ++ GothName: qid, ++ SuperuserClaim: p.SuperuserClaim, + } + cnt++ + } +diff 
--git a/internal/config/secrets.go b/internal/config/secrets.go +index d3e2af97..92f33f74 100644 +--- a/internal/config/secrets.go ++++ b/internal/config/secrets.go +@@ -59,10 +59,11 @@ type APIKey struct { + + // OIDCProvider stores OIDC provider configuration + type OIDCProvider struct { +- KeySecretURL `yaml:",inline"` +- ID string `yaml:"id"` // Unique provider ID, e.g. "keycloak" +- Name string `yaml:"name"` // Provider display name, e.g. "Keycloak" +- Scopes []string `yaml:"scopes"` // Additional scopes to request ++ KeySecretURL `yaml:",inline"` ++ ID string `yaml:"id"` // Unique provider ID, e.g. "keycloak" ++ Name string `yaml:"name"` // Provider display name, e.g. "Keycloak" ++ Scopes []string `yaml:"scopes"` // Additional scopes to request ++ SuperuserClaim string `yaml:"superuserClaim"` // Name of the OIDC claim for superusers + } + + // QualifiedID returns the provider's ID prepended with the common OIDC prefix diff --git a/internal/data/dyn_config.go b/internal/data/dyn_config.go -index 8595ea2a..621fd132 100644 +index 0cd0d64e..b4ff042d 100644 --- a/internal/data/dyn_config.go +++ b/internal/data/dyn_config.go -@@ -170,6 +170,7 @@ const ( +@@ -171,6 +171,7 @@ const ( ConfigKeyAuthSignupConfirmCommenter DynConfigItemKey = "auth.signup.confirm.commenter" ConfigKeyAuthSignupConfirmUser DynConfigItemKey = "auth.signup.confirm.user" ConfigKeyAuthSignupEnabled DynConfigItemKey = "auth.signup.enabled" 
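Review bot: The new `SuperuserClaim` field is documented only as `Name of the OIDC claim for superusers`, which tells an operator neither which values count nor what the empty default does; given the handler code in this patch, a fuller comment would be `// SuperuserClaim names the claim whose value (JSON bool true, or string "true"/"1") grants superuser when the federated account is created; empty (the default) disables the mapping`. Keeping the default empty is the right fail-safe — the removed global `SUPERUSER_CLAIM` defaulted to `is_superuser` for every provider — and the per-provider field means a claim from one IdP can no longer elevate a user of another. This outer hunk is a patch-of-a-patch; the inner `oauth.go` and `secrets.go` diffs begin and end inside it, while the inner `dyn_config.go` diff runs past its end.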
@@ -199,7 +236,7 @@ index 8595ea2a..621fd132 100644 ConfigKeyIntegrationsUseGravatar DynConfigItemKey = "integrations.useGravatar" ConfigKeyOperationNewOwnerEnabled DynConfigItemKey = "operation.newOwner.enabled" ) -@@ -203,6 +204,7 @@ var DefaultDynInstanceConfig = DynConfigMap{ +@@ -204,6 +205,7 @@ var DefaultDynInstanceConfig = DynConfigMap{ ConfigKeyAuthSignupConfirmCommenter: {DefaultValue: "true", Datatype: ConfigDatatypeBool, Section: DynConfigItemSectionAuth}, ConfigKeyAuthSignupConfirmUser: {DefaultValue: "true", Datatype: ConfigDatatypeBool, Section: DynConfigItemSectionAuth}, ConfigKeyAuthSignupEnabled: {DefaultValue: "true", Datatype: ConfigDatatypeBool, Section: DynConfigItemSectionAuth}, @@ -207,3 +244,21 @@ index 8595ea2a..621fd132 100644 ConfigKeyIntegrationsUseGravatar: {DefaultValue: "true", Datatype: ConfigDatatypeBool, Section: DynConfigItemSectionIntegrations}, ConfigKeyOperationNewOwnerEnabled: {DefaultValue: "false", Datatype: ConfigDatatypeBool, Section: DynConfigItemSectionMisc}, ConfigKeyDomainDefaultsPrefix + DomainConfigKeyCommentDeletionAuthor: {DefaultValue: "true", Datatype: ConfigDatatypeBool, Section: DynConfigItemSectionComments}, +diff --git a/internal/data/models.go b/internal/data/models.go +index 4561fad5..0b491724 100644 +--- a/internal/data/models.go ++++ b/internal/data/models.go +@@ -74,9 +74,10 @@ func (sd SortDirection) ToOrderedExpression(ident string) exp.OrderedExpression + + // FederatedIdentityProvider describes a federated identity provider + type FederatedIdentityProvider struct { +- ID models.FederatedIdpID // Provider ID +- Name string // Provider name +- GothName string // Name of the corresponding goth provider ++ ID models.FederatedIdpID // Provider ID ++ Name string // Provider name ++ GothName string // Name of the corresponding goth provider ++ SuperuserClaim string // Name of the OIDC claim for superusers + } + + // ToDTO converts this model into an API model 
diff --git a/packages/docker/comentario/default.nix b/packages/docker/comentario/default.nix index b928e6c..104f63f 100644 --- a/packages/docker/comentario/default.nix +++ b/packages/docker/comentario/default.nix @@ -17,6 +17,7 @@ pkgs.dockerTools.buildImage { Env = [ "HOST=0.0.0.0" "PORT=8080" + "CONFIG_FILE=/etc/comentario/config.yaml" "SECRETS_FILE=/etc/comentario/secrets.yaml" ]; ExposedPorts = { diff --git a/patches.nix b/patches.nix index 16fb58e..8e1b957 100644 --- a/patches.nix +++ b/patches.nix @@ -4,7 +4,7 @@ (patcher.fetchpatch { name = "feat: supports images"; url = "https://github.com/SEIAROTg/quadlet-nix/compare/main...karaolidis:quadlet-nix:image.diff"; - hash = "sha256-XLdOrSJ/gyLARGI0psBejtpX9Z2NSRTaUbFtBi8BxPw="; + hash = "sha256-8li8XuBV3+J0s3FACOyKP+ndffn8T/PQXq+UrIk2TAc="; }) ]; }