Seafile: read secret using python

2025-07-21 13:04:04 +02:00 · 2025-07-21 13:04:04 +02:00 · 5fdfd7f004
commit 5fdfd7f004
parent 4fe684dd8d
3 changed files with 32 additions and 24 deletions
--- a/secrets/default.nix
+++ b/secrets/default.nix
@ -8,6 +8,7 @@
  serviceUser = x: config.systemd.services.${x}.serviceConfig.User;
  abstrServiceUser = x: config.services.${x}.user;
  abstrServiceGroup = x: config.services.${x}.group;
 in {
  age.secrets = {
    password.file = ./password.age;
@ -44,6 +45,7 @@ in {
    seafile-oidc = mkIf server {
      file = ./seafile-oidc.age;
      owner = abstrServiceUser "seafile";
      mode = "400";
    };
  };
 }
--- a/secrets/seafile-oidc.age
+++ b/secrets/seafile-oidc.age
@ -1,16 +1,15 @@
 age-encryption.org/v1
-> ssh-ed25519 GQzYWA bJyIAsI/6hAeQQ9gFYIEY3bYkSZ/1aC+8w3rBYWVHCU
+-> ssh-ed25519 GQzYWA N2jnATED5CQTDflLzW2wnIarM0nc8hTJAQ9G9Q5M+2U
-H38Px7xdB/MFhXdBZxu016/7tuzuk7+mRTv1wyQT+d4
+jV9R8GqaqQe4TeXa6mqhZGLWAVPoGpTHuh42tCnTwds
-> ssh-ed25519 MfR7VA +iGb3WpMd0LbGj8wLBWJOHtiDAcuhxNaKboABUJjqlk
+-> ssh-ed25519 MfR7VA VAlild/90Vofo0zXd42NapS1sHluYLPGP5lMC+JSIFo
-y6Q1+lV4Zg3Bzz4VvTW+/4SxAy5A5tzOL7O/ra9V0ns
+VdPZvpRpC0JA8ba+HI5F3lOuR8qZAlFZt8AQEytqOEs
-> ssh-ed25519 +cvRTg sFXk188eoPOlJdh2LicBCwTvgRerU+Ou5JNvAawfPmU
+-> ssh-ed25519 +cvRTg hW1dt51t+g4MOCPxwP2o7RuIpi16q0b7c5CA4EAxs3o
-elcMDCCJWkPWpmGMHTNgOMoZIAGqZmw3V4J2Q1opyU0
+UwDgBrgetix+6FuAowZaG6Aq+J1CDZdsjIn9v38g9I8
-> ssh-ed25519 WCPLrA mQMjG0AtKkKIQlSV5FDMhKiLovREAvFmEAye3pfAbSg
+-> ssh-ed25519 WCPLrA QksEezxLik0zl+3YiDtM95LQqNeZKAHaqdlmKTOj0XY
-GK8mibNENVSXiQjmKqVuuyAe7b3VpPQ5tqbj/70vwOk
+Thj7Gbkw5uti1pzMd0jZ2d4EzIY4QA7MJbC/gPdvIbo
-> ssh-ed25519 7/ziYw U61nqCBxz9bH4aljZqD2zPd7kJxBQlK8O8eH0QD+8Cc
+-> ssh-ed25519 7/ziYw kffVPB2i78R1mlidzoBV15sDVeEWWt40bhrIgtm/Zws
-CCrpXNbLeNkRSeMmMjlEQK4ffyWm/bTozNZ5yfnXssw
+fFukgot++DcOQd8qrkzD6xh6zFhVnZNmqNF4i33vLLw
-> ssh-ed25519 VQy60Q CiiIktgZ0Q5KPSGu/jwPHwNAVaD7dA7T/FKw8H0K3ws
+-> ssh-ed25519 VQy60Q 84xB7sxEOT3B8CUb7GZCsbJd69gy0yaBYjgrPN8xox0
-ZeTiGA0sSeGS1IJrQMBIh28vUnHupYUrnZBsz+9I4yM
+qE+5vjNdy67rZPc8QynIvLZzTqyoofMSMnFC3z7hoXQ
--- qMzO4grI7h5bkEI4d/ruuyMS7RVvZtFsfJT07M8W9W0
+--- 7mWx4K+zrpZqGRcoLBWXF+Sod/EmnodV74lvYrc4+d4
-è€Í>q@|6bŸ1<yQ6<51>çÙM‘¼E; (o2WÃ“³
+:ÑÔ('0v2ös‘¾£
_[Xöà½r±î77w´VÆ½ÆôjbÝ‰¤°‘H's+oCd¦X²¯ËªŠGW’™S~4·¨HA\ÓJ•‡MÂÍñx¸.¢¼ÛÏÈ45ÿ1Öê
 ×|èª¬¸æj<C3A6>UEÖ<45>›è§ÿÝ)ý7JX|;â?.dˆ#i’Ì	ekw¯q¿Q¹Kú§¦¶©¼ì
--- a/system/server/seafile.nix
+++ b/system/server/seafile.nix
@ -12,7 +12,6 @@
  httpsUrl = "https://" + url;
  authUrl = config.services.zitadel.settings.ExternalDomain;
  httpsAuthUrl = "https://" + authUrl;
  oidcSubstitute = "*@#OPENIDCLIENTSECRET#@*";
 in {
  config = mkIf cfg {
    services.caddy.virtualHosts.${url}.extraConfig = ''
@ -48,19 +47,20 @@ in {
        OAUTH_ACTIVATE_USER_AFTER_CREATION = True
        OAUTH_ENABLE_INSECURE_TRANSPORT = False
        OAUTH_CLIENT_ID = "329743411726844274"
-        OAUTH_CLIENT_SECRET = "${oidcSubstitute}"
+
        with open("${config.age.secrets.seafile-oidc.path}") as f:
          OAUTH_CLIENT_SECRET = f.read()
        OAUTH_REDIRECT_URL = '${httpsUrl}/oauth/callback/'
-        OAUTH_PROVIDER_DOMAIN = '${authUrl}'
+        OAUTH_PROVIDER = '${authUrl}'
        OAUTH_PROVIDER = 'JSW Auth'
        OAUTH_AUTHORIZATION_URL = '${httpsAuthUrl}/oauth/v2/authorize'
        OAUTH_TOKEN_URL = '${httpsAuthUrl}/oauth/v2/token'
        OAUTH_USER_INFO_URL = '${httpsAuthUrl}/oidc/v1/userinfo'
-        OAUTH_SCOPE = ["user",]
+        OAUTH_SCOPE = ["openid", "profile", "email"]
        OAUTH_ATTRIBUTE_MAP = {
-            "id": (True, "email"),
+            "sub": (True, "uid"),
-            "name": (False, "name"),
+            "name": (True, "name"),
-            "email": (False, "contact_email"),
+            "email": (True, "contact_email")
            "uid": (True, "uid"),
        }
      '';
      seafileSettings = {
@ -75,6 +75,13 @@ in {
      };
    };
    # environment.etc."seafile/seahub_settings.py" = {
    #   text = mkForce null; # NOTE: If breaky, check https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/networking/seafile.nix#L22. Using hardcoded values instead of the ones in the module so if there changes, things might break.
    #   source = config.age.secrets.seafile-seahubconf.path;
    #   user = "seafile";
    #   group = "seafile";
    # };
    #NOTE: Overwriting parts of services so that it uses a different root. When upgrading. Please check the following two things:
    ## * If seafile still uses seafile_settings.py to store openid settings.systemd
    ## * If the service scripts / settings have changed.systemd