Server: immich mobile support login oauth

system/server/immich.nix

@@ -9,12 +9,14 @@
   cfg = config.niksos.server;
   oidcSubstitute = "*@#OPENIDCLIENTSECRET#@*";
   config-dir = "/run/immich-conf";
+  url = "photos.jsw.tf";
+  httpsUrl = "https://" + url;
 in {
   config =
     mkIf cfg
     {
       users.users.${config.services.immich.user}.extraGroups = ["video" "render"];
-      services.caddy.virtualHosts."photos.jsw.tf".extraConfig = ''
+      services.caddy.virtualHosts.${url}.extraConfig = ''
         reverse_proxy localhost:9002
       '';
 
@@ -29,7 +31,7 @@ in {
         #NOTE: immich doesn't support variables in their config file, so we have to subsitute ourselfs..
         environment.IMMICH_CONFIG_FILE = mkForce "${config-dir}/immich.json";
         settings = {
-          server.externalDomain = "https://photos.jsw.tf";
+          server.externalDomain = httpsUrl;
           oauth = {
             enabled = true;
             autoLaunch = true;
@@ -38,6 +40,8 @@ in {
             clientId = "329735769805619570";
             clientSecret = oidcSubstitute;
             issuerUrl = "https://${config.services.zitadel.settings.ExternalDomain}/.well-known/openid-configuration";
+            mobileRedirectUri = "${httpsUrl}/api/oauth/mobile-redirect";
+            mobileOverrideEnabled = true;
           };
           passwordLogin.enabled = false;
           ffmpeg = {

system/server/seafile.nix

@@ -3,25 +3,52 @@
   inputs,
   pkgs,
   ...
-}: {
+}: let
+  url = "files.jsw.tf";
+  httpsUrl = "https://" + url;
+  authUrl = config.services.zitadel.settings.ExternalDomain;
+  httpsAuthUrl = "https://" + authUrl;
+  oidcSubstitute = "*@#OPENIDCLIENTSECRET#@*";
+  config-dir = "/run/immich-conf";
+in {
   services.seafile = {
     enable = config.niksos.server;
     seahubPackage = inputs.nixpkgs-stable.legacyPackages.${pkgs.system}.seahub;
 
-    adminEmail = "jurnwubben@gmail.com";
+    adminEmail = "jsw@jsw.tf";
     initialAdminPassword = "ChangeMeTheFuckNow!";
 
     gc.enable = true;
 
-    ccnetSettings.General.SERVICE_URL = "https://files.jsw.tf";
+    ccnetSettings.General.SERVICE_URL = httpsUrl;
     seahubExtraConf = ''
-      ALLOWED_HOSTS = ['.files.jsw.tf']
+      ALLOWED_HOSTS = ['.${url}']
       CSRF_COOKIE_SECURE = True
       CSRF_COOKIE_SAMESITE = 'Strict'
-      CSRF_TRUSTED_ORIGINS = ['https://files.jsw.tf', 'https://www.files.jsw.tf']
+      CSRF_TRUSTED_ORIGINS = ['${httpsUrl}']
 
       SITE_NAME = "JSW Cloud"
       SITE_TITLE = "JSW Cloud"
+
+      ENABLE_OAUTH = True
+      OAUTH_CREATE_UNKNOWN_USER = True
+      OAUTH_ACTIVATE_USER_AFTER_CREATION = True
+      OAUTH_ENABLE_INSECURE_TRANSPORT = False
+      OAUTH_CLIENT_ID = "329743411726844274"
+      OAUTH_CLIENT_SECRET = "${oidcSubstitute}"
+      OAUTH_REDIRECT_URL = '${httpsUrl}/oauth/callback/'
+      OAUTH_PROVIDER_DOMAIN = '${authUrl}'
+      OAUTH_PROVIDER = 'JSW Auth'
+      OAUTH_AUTHORIZATION_URL = '${httpsAuthUrl}/oauth/v2/authorize'
+      OAUTH_TOKEN_URL = '${httpsAuthUrl}/oauth/v2/token'
+      OAUTH_USER_INFO_URL = '${httpsAuthUrl}/oidc/v1/userinfo'
+      OAUTH_SCOPE = ["user",]
+      OAUTH_ATTRIBUTE_MAP = {
+          "id": (True, "email"),
+          "name": (False, "name"),
+          "email": (False, "contact_email"),
+          "uid": (True, "uid"),
+      }
     '';
     seafileSettings = {
       quota.default = 30;
@@ -35,8 +62,7 @@
     };
   };
 
-  services.caddy.virtualHosts."files.jsw.tf" = {
-    # serverAliases = ["www.share.jsw.tf"];
+  services.caddy.virtualHosts.${url} = {
     extraConfig = ''
            handle_path /seafhttp/* {
       reverse_proxy * unix//run/seafile/server.sock