From 3332bf5c53c244eae3867449c7b2ec8908798231 Mon Sep 17 00:00:00 2001
From: Conrad Kramer
Date: Wed, 1 Apr 2026 13:43:47 -0700
Subject: [PATCH] Fix Forgejo OIDC account linking

---
 nixos/modules/burrow-forge.nix | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/nixos/modules/burrow-forge.nix b/nixos/modules/burrow-forge.nix
index e2a57e0..d238f2e 100644
--- a/nixos/modules/burrow-forge.nix
+++ b/nixos/modules/burrow-forge.nix
@@ -121,6 +121,24 @@ in
 description = "OIDC group that is required to log into Forgejo.";
 };
 
+ oidcAutoRegistration = lib.mkOption {
+ type = lib.types.bool;
+ default = true;
+ description = "Whether Forgejo should automatically create users for new OIDC sign-ins.";
+ };
+
+ oidcAccountLinking = lib.mkOption {
+ type = lib.types.enum [ "disabled" "login" "auto" ];
+ default = "auto";
+ description = "How Forgejo should link existing local accounts for OIDC sign-ins.";
+ };
+
+ oidcUsernameSource = lib.mkOption {
+ type = lib.types.enum [ "userid" "nickname" "email" ];
+ default = "email";
+ description = "Which OIDC claim Forgejo should use to derive usernames for auto-registration.";
+ };
+
 authorizedKeys = lib.mkOption {
 type = with lib.types; listOf str;
 default = [ ];
@@ -201,6 +219,13 @@ in
 ENABLE_OPENID_SIGNUP = false;
 };
 
+ oauth2_client = {
+ OPENID_CONNECT_SCOPES = lib.concatStringsSep " " (lib.subtractLists [ "openid" ] cfg.oidcScopes);
+ ENABLE_AUTO_REGISTRATION = cfg.oidcAutoRegistration;
+ ACCOUNT_LINKING = cfg.oidcAccountLinking;
+ USERNAME = cfg.oidcUsernameSource;
+ };
+
 actions = {
 ENABLED = true;
 };
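Review bot: The `oidcAccountLinking` description does not say what `"auto"` implies, and with the defaults chosen here (`"auto"`, auto-registration on, usernames derived from the email claim) a first OIDC sign-in whose claims match an existing local account is linked to it without any further confirmation, so that account becomes reachable on the strength of the identity provider's claim alone. That is the documented behaviour of Forgejo's `ACCOUNT_LINKING = auto`, and someone keeping the default should see it in the option text rather than in Forgejo's docs. Suggest extending the description to `"How Forgejo should link existing local accounts for OIDC sign-ins. \"auto\" links on a matching email/username without confirmation, so it relies on the identity provider asserting verified, unique email claims."`. The `oidcUsernameSource` description deserves a similar sentence: if `"email"` derives the username from the local part of the address, as Forgejo's docs describe, two different identities at different domains can map to the same username. The enclosing options attribute set starts and ends outside the hunk.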
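Review bot: The `OPENID_CONNECT_SCOPES` line strips `"openid"` from `cfg.oidcScopes` without saying why, and the reason is not visible from the hunk; Forgejo treats `OPENID_CONNECT_SCOPES` as additional scopes with `openid` added implicitly, so repeating it would only duplicate the scope. A why-comment above that line would save the next reader a trip to the docs, e.g. `# Forgejo requests "openid" itself; only the additional scopes belong here.` It is also worth noting in that comment that when `cfg.oidcScopes` holds nothing but `"openid"` the setting becomes the empty string, which I assume Forgejo accepts but cannot confirm from here. `cfg.oidcScopes` is not defined in this patch, so I take it to be an existing option of the module. The enclosing settings attribute set starts and ends outside the hunk.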