From 5fdfd7f0048518af374b3bcc252ce66458a209bd Mon Sep 17 00:00:00 2001
From: Jurn Wubben
Date: Mon, 21 Jul 2025 13:04:04 +0200
Subject: [PATCH] Seafile: read secret using python

---
 secrets/default.nix | 2 ++
 secrets/seafile-oidc.age | 29 ++++++++++++++---------------
 system/server/seafile.nix | 25 ++++++++++++++++---------
 3 files changed, 32 insertions(+), 24 deletions(-)

diff --git a/secrets/default.nix b/secrets/default.nix
index e808f6b..319a835 100644
--- a/secrets/default.nix
+++ b/secrets/default.nix
@@ -8,6 +8,7 @@
 serviceUser = x: config.systemd.services.${x}.serviceConfig.User;
 abstrServiceUser = x: config.services.${x}.user;
+ abstrServiceGroup = x: config.services.${x}.group;
 in {
 age.secrets = {
 password.file = ./password.age;
@@ -44,6 +45,7 @@ in {
 seafile-oidc = mkIf server {
 file = ./seafile-oidc.age;
 owner = abstrServiceUser "seafile";
+ mode = "400";
 };
 };
 }
diff --git a/secrets/seafile-oidc.age b/secrets/seafile-oidc.age
index d17d8b3..70db7a2 100644
--- a/secrets/seafile-oidc.age
+++ b/secrets/seafile-oidc.age
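Review bot: `abstrServiceGroup` is added to the `let` block in the first hunk of secrets/default.nix, but nothing in this commit references it, so it is an unused binding unless a use exists in a part of the file outside the shown hunks. Either drop it, or use it where the secret is declared so the new `mode = "400"` is paired with an explicit owner and group, e.g. `group = abstrServiceGroup "seafile";` next to the `owner = abstrServiceUser "seafile";` line in the `seafile-oidc` entry. The `let` block that holds the binding starts before the hunk.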
@@ -1,16 +1,15 @@ age-encryption.org/v1 --> ssh-ed25519 GQzYWA bJyIAsI/6hAeQQ9gFYIEY3bYkSZ/1aC+8w3rBYWVHCU -H38Px7xdB/MFhXdBZxu016/7tuzuk7+mRTv1wyQT+d4 --> ssh-ed25519 MfR7VA +iGb3WpMd0LbGj8wLBWJOHtiDAcuhxNaKboABUJjqlk -y6Q1+lV4Zg3Bzz4VvTW+/4SxAy5A5tzOL7O/ra9V0ns --> ssh-ed25519 +cvRTg sFXk188eoPOlJdh2LicBCwTvgRerU+Ou5JNvAawfPmU -elcMDCCJWkPWpmGMHTNgOMoZIAGqZmw3V4J2Q1opyU0 --> ssh-ed25519 WCPLrA mQMjG0AtKkKIQlSV5FDMhKiLovREAvFmEAye3pfAbSg -GK8mibNENVSXiQjmKqVuuyAe7b3VpPQ5tqbj/70vwOk --> ssh-ed25519 7/ziYw U61nqCBxz9bH4aljZqD2zPd7kJxBQlK8O8eH0QD+8Cc -CCrpXNbLeNkRSeMmMjlEQK4ffyWm/bTozNZ5yfnXssw --> ssh-ed25519 VQy60Q CiiIktgZ0Q5KPSGu/jwPHwNAVaD7dA7T/FKw8H0K3ws -ZeTiGA0sSeGS1IJrQMBIh28vUnHupYUrnZBsz+9I4yM ---- qMzO4grI7h5bkEI4d/ruuyMS7RVvZtFsfJT07M8W9W0 -è€Í>q@|6bŸ1 ssh-ed25519 GQzYWA N2jnATED5CQTDflLzW2wnIarM0nc8hTJAQ9G9Q5M+2U +jV9R8GqaqQe4TeXa6mqhZGLWAVPoGpTHuh42tCnTwds +-> ssh-ed25519 MfR7VA VAlild/90Vofo0zXd42NapS1sHluYLPGP5lMC+JSIFo +VdPZvpRpC0JA8ba+HI5F3lOuR8qZAlFZt8AQEytqOEs +-> ssh-ed25519 +cvRTg hW1dt51t+g4MOCPxwP2o7RuIpi16q0b7c5CA4EAxs3o +UwDgBrgetix+6FuAowZaG6Aq+J1CDZdsjIn9v38g9I8 +-> ssh-ed25519 WCPLrA QksEezxLik0zl+3YiDtM95LQqNeZKAHaqdlmKTOj0XY +Thj7Gbkw5uti1pzMd0jZ2d4EzIY4QA7MJbC/gPdvIbo +-> ssh-ed25519 7/ziYw kffVPB2i78R1mlidzoBV15sDVeEWWt40bhrIgtm/Zws +fFukgot++DcOQd8qrkzD6xh6zFhVnZNmqNF4i33vLLw +-> ssh-ed25519 VQy60Q 84xB7sxEOT3B8CUb7GZCsbJd69gy0yaBYjgrPN8xox0 +qE+5vjNdy67rZPc8QynIvLZzTqyoofMSMnFC3z7hoXQ +--- 7mWx4K+zrpZqGRcoLBWXF+Sod/EmnodV74lvYrc4+d4 +:ÑÔ('0v2ös‘¾£ _[Xöà ½r±î77w´VƽÆôjb݉¤°‘H's+oCd¦X²¯ËªŠGW’™S~4·¨HA\ÓJ•‡MÂÍñx¸­.¢¼ÛÏÈ45ÿ1Öê \ No newline at end of file diff --git a/system/server/seafile.nix b/system/server/seafile.nix index 124c581..50234c2 100644 --- a/system/server/seafile.nix +++ b/system/server/seafile.nix 
@@ -12,7 +12,6 @@
 httpsUrl = "https://" + url;
 authUrl = config.services.zitadel.settings.ExternalDomain;
 httpsAuthUrl = "https://" + authUrl;
- oidcSubstitute = "*@#OPENIDCLIENTSECRET#@*";
 in {
 config = mkIf cfg {
 services.caddy.virtualHosts.${url}.extraConfig = ''
@@ -48,19 +47,20 @@ in {
 OAUTH_ACTIVATE_USER_AFTER_CREATION = True
 OAUTH_ENABLE_INSECURE_TRANSPORT = False
 OAUTH_CLIENT_ID = "329743411726844274"
- OAUTH_CLIENT_SECRET = "${oidcSubstitute}"
+
+ with open("${config.age.secrets.seafile-oidc.path}") as f:
+ OAUTH_CLIENT_SECRET = f.read()
+
 OAUTH_REDIRECT_URL = '${httpsUrl}/oauth/callback/'
- OAUTH_PROVIDER_DOMAIN = '${authUrl}'
- OAUTH_PROVIDER = 'JSW Auth'
+ OAUTH_PROVIDER = '${authUrl}'
 OAUTH_AUTHORIZATION_URL = '${httpsAuthUrl}/oauth/v2/authorize'
 OAUTH_TOKEN_URL = '${httpsAuthUrl}/oauth/v2/token'
 OAUTH_USER_INFO_URL = '${httpsAuthUrl}/oidc/v1/userinfo'
- OAUTH_SCOPE = ["user",]
+ OAUTH_SCOPE = ["openid", "profile", "email"]
 OAUTH_ATTRIBUTE_MAP = {
- "id": (True, "email"),
- "name": (False, "name"),
- "email": (False, "contact_email"),
- "uid": (True, "uid"),
+ "sub": (True, "uid"),
+ "name": (True, "name"),
+ "email": (True, "contact_email")
 }
 '';
 seafileSettings = {
@@ -75,6 +75,13 @@ in {
 };
 };
+ # environment.etc."seafile/seahub_settings.py" = {
+ # text = mkForce null; # NOTE: If breaky, check https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/networking/seafile.nix#L22. Using hardcoded values instead of the ones in the module so if there changes, things might break.
+ # source = config.age.secrets.seafile-seahubconf.path;
+ # user = "seafile";
+ # group = "seafile";
+ # };
+
 #NOTE: Overwriting parts of services so that it uses a different root. When upgrading. Please check the following two things:
 ## * If seafile still uses seafile_settings.py to store openid settings.systemd
 ## * If the service scripts / settings have changed.systemd
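Review bot: `OAUTH_CLIENT_SECRET = f.read()` in the -48 hunk keeps whatever trailing newline the decrypted secret file ends with, and files written through an editor (as agenix secrets typically are) end with one, so the value presented at the token endpoint would be the secret plus `\n` and the exchange would fail; `OAUTH_CLIENT_SECRET = f.read().rstrip("\n")` reads the same file without that risk. Reading the file when the settings module is imported also means seahub will not start at all if `config.age.secrets.seafile-oidc.path` is missing or not readable by the user seahub runs as, which is the fail-closed behaviour you want here but deserves a one-line comment above the `with open(...)` line so the traceback is not a surprise to the next person. The handle name `f` also stays bound in the settings module afterwards; harmless, but a `del f` after the block keeps the rendered settings file tidy. The Nix string that renders this settings file starts before the hunk.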
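Review bot: The commented-out `environment.etc."seafile/seahub_settings.py"` block in the -75 hunk is dead code that still reads like a live reference to `config.age.secrets.seafile-seahubconf.path`, a secret this diff does not declare; either drop the block (git history keeps it) or replace it with a single `# TODO:` line stating why the whole-file secret approach was not taken, so a reader does not try to resurrect it as-is. If it is kept, the nixpkgs link anchored at `#L22` on `master` will silently point at a different line as the module changes; pin it to a commit hash.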