From 95f3fdb1300449f54d9691b6051f9f977399058f Mon Sep 17 00:00:00 2001
From: Kevin Veen-Birkenbach
Date: Thu, 6 Feb 2025 18:19:42 +0100
Subject: [PATCH] =?UTF-8?q?Implemented=20OIDC=20f=C3=BCr=20mastodon?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 roles/docker-mastodon/README.md | 7 +++++++
 roles/docker-mastodon/templates/env.j2 | 26 +++++++++++++++++++++++++-
 2 files changed, 32 insertions(+), 1 deletion(-)
diff --git a/roles/docker-mastodon/README.md b/roles/docker-mastodon/README.md
index b9ec4692..1146e4f2 100644
--- a/roles/docker-mastodon/README.md
+++ b/roles/docker-mastodon/README.md
@@ -40,6 +40,12 @@ To ensure all required database tables and structures are in place after an upda
 docker compose exec -it web bash -c "RAILS_ENV=production bin/rails db:migrate"
 ```
+### delete cache
+```bash
+docker-compose exec web bundle exec rails assets:precompile
+docker-compose restart
+```
+
 This command enters the web container and runs migrations in production mode, updating the database structure to match the current version of the Mastodon software. If your Mastodon web container is named differently in your `docker-compose.yml`, replace `web` with the appropriate container name.
 ## further information
@@ -48,4 +54,5 @@ This command enters the web container and runs migrations in production mode, up
 - https://www.2daygeek.com/linux-command-check-website-is-up-down-alive/
 - https://vitobotta.com/2022/11/07/setting-up-a-personal-mastodon-instance/
 - https://www.digitalocean.com/community/tutorials/how-to-scale-your-mastodon-server
+- https://github.com/mastodon/mastodon/issues/7958
diff --git a/roles/docker-mastodon/templates/env.j2 b/roles/docker-mastodon/templates/env.j2
index 1d4bc431..8d2d037b 100644
--- a/roles/docker-mastodon/templates/env.j2
+++ b/roles/docker-mastodon/templates/env.j2
@@ -1,3 +1,5 @@
+# @see https://docs.joinmastodon.org/admin/config
+
 LOCAL_DOMAIN={{domain}}
 ALTERNATE_DOMAINS="{{ domains.mastodon_alternates | join(',') }}"
 SINGLE_USER_MODE={{applications.mastodon.single_user_mode}}
@@ -27,4 +29,26 @@ SMTP_FROM_ADDRESS=Mastodon <{{system_email.from}}>
 ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY= {{mastodon_active_record_encryption_deterministic_key}}
 ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT={{mastodon_active_record_encryption_key_derivation_salt}}
-ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY={{mastodon_active_record_encryption_primary_key}}
\ No newline at end of file
+ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY={{mastodon_active_record_encryption_primary_key}}
+
+{% if oidc.enabled | bool %}
+###################################
+# OpenID Connect settings
+###################################
+# @see https://github.com/mastodon/mastodon/pull/16221
+# @see https://stackoverflow.com/questions/72081776/how-mastodon-configured-login-using-sso
+
+OIDC_ENABLED={{ oidc.enabled | string | lower }}
+OIDC_DISPLAY_NAME="{{primary_domain}} SSO"
+OIDC_ISSUER={{oidc.client.issuer_url}}
+OIDC_DISCOVERY=true
+OIDC_SCOPE="openid,profile,email"
+OIDC_UID_FIELD=preferred_username # @see https://stackoverflow.com/questions/72108087/how-to-set-the-username-of-mastodon-by-log-in-via-keycloak
+OIDC_CLIENT_ID={{oidc.client.id}}
+OIDC_REDIRECT_URI=https://{{domain}}
+OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED=true
+OIDC_CLIENT_SECRET={{oidc.client.secret}}
+OMNIAUTH_ONLY=true # uncomment to only use OIDC for login / registration buttons
+ALLOW_UNSAFE_AUTH_PROVIDER_REATTACH=true
+ONE_CLICK_SSO_LOGIN=true
+{% endif %}
\ No newline at end of file
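Review bot: The inline `# @see …` and `# uncomment …` comments on the `OIDC_UID_FIELD` and `OMNIAUTH_ONLY` lines in the second env.j2 hunk are not stripped by every env-file loader (Docker's `--env-file` takes everything after `=` as the value), so the UID field can render as `preferred_username # @see …` and break username mapping; move each comment onto its own line above the key, e.g. `# @see https://stackoverflow.com/questions/72108087/how-to-set-the-username-of-mastodon-by-log-in-via-keycloak` followed by `OIDC_UID_FIELD=preferred_username`. The `OMNIAUTH_ONLY` comment also says "uncomment to …" although the line is active, so the template always restricts login/registration buttons to OIDC whenever `oidc.enabled` is true; state that intent plainly, e.g. `# only OIDC is offered for login / registration once oidc.enabled is set`. `ALLOW_UNSAFE_AUTH_PROVIDER_REATTACH=true` combined with `OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED=true` lets an OIDC identity be attached to an existing local account solely on the email the provider asserts, so the block deserves a comment that this is only acceptable when `oidc.client.issuer_url` is the single, email-verifying identity authority for these users. `OIDC_REDIRECT_URI=https://{{domain}}` looks like it should be the OmniAuth callback path (Mastodon's sample configuration uses `https://{{domain}}/auth/auth/openid_connect/callback`); confirm it against the redirect URI registered at the identity provider.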