From f5bacf17b3a5ffeab56f1501e4a1bdbc7e1ccc96 Mon Sep 17 00:00:00 2001
From: Kevin Veen-Birkenbach
Date: Wed, 18 Jun 2025 15:15:48 +0200
Subject: [PATCH] Added draft for pixelfed OIDC
---
 roles/docker-pixelfed/Todo.md | 2 +-
 .../templates/docker-compose.yml.j2 | 4 ++--
 roles/docker-pixelfed/templates/env.j2 | 22 ++++++++++++++++++-
 roles/docker-pixelfed/vars/configuration.yml | 6 ++++-
 4 files changed, 29 insertions(+), 5 deletions(-)
diff --git a/roles/docker-pixelfed/Todo.md b/roles/docker-pixelfed/Todo.md
index be5ff4bc..ae11c9aa 100644
--- a/roles/docker-pixelfed/Todo.md
+++ b/roles/docker-pixelfed/Todo.md
@@ -1,2 +1,2 @@
 # Todo
-- Integrate OIDC as soon as possible
\ No newline at end of file
+- [Integrate OIDC as soon as possible](https://github.com/pixelfed/pixelfed/pull/5608)
\ No newline at end of file
diff --git a/roles/docker-pixelfed/templates/docker-compose.yml.j2 b/roles/docker-pixelfed/templates/docker-compose.yml.j2
index d0e208ec..b715b1cc 100644
--- a/roles/docker-pixelfed/templates/docker-compose.yml.j2
+++ b/roles/docker-pixelfed/templates/docker-compose.yml.j2
@@ -5,7 +5,7 @@ services:
 {% include 'templates/docker/services/redis.yml.j2' %}
 application:
- image: zknt/pixelfed:{{applications.pixelfed.version}}
+ image: "{{ applications[application_id].images.pixelfed }}"
 {% include 'roles/docker-compose/templates/services/base.yml.j2' %}
 volumes:
 - "data:/var/www/storage"
@@ -15,7 +15,7 @@ services:
 {% include 'templates/docker/container/depends-on-database-redis.yml.j2' %}
 {% include 'templates/docker/container/networks.yml.j2' %}
 worker:
- image: zknt/pixelfed:{{applications.pixelfed.version}}
+ image: "{{ applications[application_id].images.pixelfed }}"
 {% include 'roles/docker-compose/templates/services/base.yml.j2' %}
 volumes:
 - "data:/var/www/storage"
diff --git a/roles/docker-pixelfed/templates/env.j2 b/roles/docker-pixelfed/templates/env.j2
index 3763ff53..bc7676e0 100644
--- a/roles/docker-pixelfed/templates/env.j2
+++ b/roles/docker-pixelfed/templates/env.j2
@@ -131,4 +131,24 @@ TRUST_PROXIES="*"
 #PASSPORT_PRIVATE_KEY=
 #PASSPORT_PUBLIC_KEY=
-ENABLE_CONFIG_CACHE=true
\ No newline at end of file
+ENABLE_CONFIG_CACHE=true
+
+{% if applications | is_feature_enabled('oidc',application_id) %}
+
+###################################
+# OpenID Connect settings
+###################################
+# @see https://github.com/pixelfed/pixelfed/commit/b3c27815788e4b47e7eb3fca727d817512cf26c2#diff-66e408190a301e81b5f1c079463487c54a6452c4944dc5ae80770f50101283ff
+
+PF_OIDC_ENABLED={{ applications[application_id].features.oidc | string | lower }}
+PF_OIDC_AUTHORIZE_URL="{{oidc.client.authorize_url}}"
+PF_OIDC_TOKEN_URL="{{oidc.client.token_url}}"
+PF_OIDC_PROFILE_URL="{{ oidc.client.user_info_url }}"
+PF_OIDC_LOGOUT_URL="{{oidc.client.logout_url}}"
+PF_OIDC_USERNAME_FIELD="{{oidc.attributes.username}}"
+PF_OIDC_FIELD_ID="{{oidc.attributes.username}}"
+PF_OIDC_CLIENT_SECRET={{oidc.client.secret}}
+PF_OIDC_CLIENT_ID={{oidc.client.id}}
+PF_OIDC_SCOPES="openid,profile,email"
+
+{% endif %}
\ No newline at end of file
diff --git a/roles/docker-pixelfed/vars/configuration.yml b/roles/docker-pixelfed/vars/configuration.yml
index 52e26c38..91969d1a 100644
--- a/roles/docker-pixelfed/vars/configuration.yml
+++ b/roles/docker-pixelfed/vars/configuration.yml
@@ -1,5 +1,7 @@
 titel: "Pictures on {{primary_domain}}"
-version: "latest"
+#version: "latest"
+images:
+ pixelfed: "ghcr.io/pixelfed/pixelfed:latest"
 features:
 matomo: true
 css: true
@@ -7,6 +9,8 @@ features:
 central_database: true
 csp:
 flags:
+ script-src:
+ unsafe-eval: true
 script-src-elem:
 unsafe-inline: true
 unsafe-eval: true
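Review bot: `PF_OIDC_CLIENT_SECRET={{oidc.client.secret}}` and `PF_OIDC_CLIENT_ID={{oidc.client.id}}` are the only two values in the new env.j2 block written without quotes, yet the secret is exactly the value most likely to contain characters a dotenv parser treats specially (`#`, `$`, whitespace), which would silently truncate or mangle it at runtime and surface only as a failed token exchange; quote them like the surrounding lines, `PF_OIDC_CLIENT_SECRET="{{ oidc.client.secret }}"` and `PF_OIDC_CLIENT_ID="{{ oidc.client.id }}"`. `PF_OIDC_FIELD_ID` is set to the same username attribute as `PF_OIDC_USERNAME_FIELD`; if that variable is the claim Pixelfed uses to link a local account to the provider identity, keying on a reassignable username instead of the stable `sub` claim means a later reassignment of that username at the IdP would map onto an existing local account — confirm the variable's meaning against the referenced upstream commit and, if so, use the subject claim there. Since the block mirrors a draft pull request (the Todo link), a comment such as `# NOTE: variable names follow the unmerged upstream OIDC draft and may change` would warn the next maintainer before they debug a silently ignored setting.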
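Review bot: `pixelfed: "ghcr.io/pixelfed/pixelfed:latest"` in the first configuration.yml hunk pins nothing — every redeploy pulls whatever `latest` points to at that moment, so upgrades bypass review and the deployed version cannot be recovered from the repository; pin a release tag, ideally with a `@sha256:` digest, e.g. `pixelfed: "ghcr.io/pixelfed/pixelfed:<RELEASE_TAG>"` with the tag taken from the upstream registry. Both docker-compose hunks now read `images.pixelfed`, so the commented-out `#version: "latest"` kept above `images:` is dead configuration; drop the line rather than leave it as a comment that looks like a live setting.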
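Review bot: The new `script-src: unsafe-eval: true` in the second configuration.yml hunk permits `eval()` and `new Function()` for every script on the Pixelfed origin, which removes a large part of the CSP's script-injection mitigation, and the hunk records no reason for it; add a comment naming the feature that fails without it, e.g. `# unsafe-eval: required by the Pixelfed frontend; see <UPSTREAM_ISSUE_URL>`, so the flag can be revisited once upstream no longer needs it. As far as I can tell the pre-existing `unsafe-eval: true` under `script-src-elem` has no effect, because `'unsafe-eval'` is honoured from `script-src` (falling back to `default-src`) rather than `script-src-elem`, so after this change it is redundant and could be removed to keep the flag list accurate. The `csp.flags` mapping starts before this hunk.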