From b3284536447d3e40cca1f0b26993e083fdb9a88b Mon Sep 17 00:00:00 2001 From: Jonathan Dahan Date: Wed, 4 May 2022 20:14:24 -0400 Subject: [PATCH 1/5] WIP gitea setup - untested --- README.md | 5 +-- env.production | 2 +- gitea/docker-compose.yaml | 26 ++++++++++++ gitea/setup | 54 +++++++++++++++++++++++++ html/index.html | 1 + nginx/nginx/templates/git.conf.template | 42 +++++++++++++++++++ 6 files changed, 125 insertions(+), 5 deletions(-) create mode 100644 gitea/docker-compose.yaml create mode 100755 gitea/setup create mode 100644 nginx/nginx/templates/git.conf.template diff --git a/README.md b/README.md index 3d15e4a..10df55f 100644 --- a/README.md +++ b/README.md @@ -15,8 +15,5 @@ apt install jq docker-compose ``` ./keycloak/setup ./nginx/setup -./hedgedoc/setup -./nextcloud/setup -./mastodon/setup -./grafana/setup +./start-all ``` diff --git a/env.production b/env.production index 69e6b8a..10b3f52 100644 --- a/env.production +++ b/env.production @@ -6,5 +6,5 @@ HEDGEDOC_HOSTNAME=docs.hackerspace.zone MASTODON_HOSTNAME=social.hackerspace.zone NEXTCLOUD_HOSTNAME=cloud.hackerspace.zone GRAFANA_HOSTNAME=dashboard.hackerspace.zone -GITLAB_HOSTNAME=git.hackerspace.zone +GITEA_HOSTNAME=git.hackerspace.zone MATRIX_HOSTNAME=matrix.hackerspace.zone diff --git a/gitea/docker-compose.yaml b/gitea/docker-compose.yaml new file mode 100644 index 0000000..b28a7f0 --- /dev/null +++ b/gitea/docker-compose.yaml @@ -0,0 +1,26 @@ +version: "3" + +networks: + gitea: + external: false + +services: + gitea: + image: gitea/gitea:1.16.6 + env_file: + - ../env.production + - env.production + - env.secrets + environment: + - USER_UID=1000 + - USER_GID=1000 + networks: + - gitea + volumes: + - ./data/gitea:/data + - /etc/timezone:/etc/timezone:ro + - /etc/localtime:/etc/localtime:ro + ports: + - "3030:3000" + - "222:22" + restart: always diff --git a/gitea/setup b/gitea/setup new file mode 100755 index 0000000..1456096 --- /dev/null +++ b/gitea/setup 
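Review bot: The `ports:` block publishes `3030:3000` and `222:22` on every host interface, while the nginx template in this commit only needs to reach the HTTP listener via `host.docker.internal:3030`; anyone who can reach the host can therefore talk to Gitea over plain HTTP on 3030, bypassing the TLS front-end and whatever the `/user/login` redirect is meant to enforce. Binding to loopback (`- "127.0.0.1:3030:3000"`) only helps if `host.docker.internal` resolves to an address that can reach it (on Linux it is usually the bridge gateway, not 127.0.0.1), so the cleaner fix is to attach nginx to the `gitea` network, `proxy_pass http://gitea:3000`, and not publish 3030 at all — leave only the SSH port public if git-over-SSH is wanted. The image is pinned to a tag (`gitea/gitea:1.16.6`) rather than a digest, so a re-tagged image would be pulled silently; a `@sha256:` pin closes that. The commit subject marks this as untested, so both points are worth checking before the first deploy.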
@@ -0,0 +1,54 @@ +#!/bin/bash +set -euo pipefail +die() { echo >&2 "$@" ; exit 1 ; } + +DIRNAME="$(dirname $0)" +cd "$DIRNAME" + +docker-compose down + +../keycloak/client-delete gitea + +GITEA_CLIENT_SECRET="$(openssl rand -hex 32)" + +rm -f env.secrets +cat < env.secrets +# DO NOT CHECK IN +#GITEA_CLIENT_SECRET=$GITEA_CLIENT_SECRET +EOF + +../keycloak/client-create <>./data/app.ini || die "unable to enable OpenID in app.ini" +;service] +; Only allow registering via OpenID +;DISABLE_REGISTRATION = false +;ALLOW_ONLY_EXTERNAL_REGISTRATION = true +[openid] +; do not allow signin to local users via OpenID +ENABLE_OPENID_SIGNIN = false +; allow creation of new users via OpenID +ENABLE_OPENID_SIGNUP = true +EOF +} + +echo "TODO: Configure openID by visiting login.${DOMAIN_NAME}/ + diff --git a/html/index.html b/html/index.html index 74a71a0..7f71a17 100644 --- a/html/index.html +++ b/html/index.html @@ -8,6 +8,7 @@ An easy to install set of self-hosted, single-sign-on, open-source services.
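Review bot: `env.secrets`, which holds `GITEA_CLIENT_SECRET`, is written by `cat` under the caller's umask, so with the usual 022 it ends up world-readable on the host; add `umask 077` before the `rm -f env.secrets` line (or `chmod 600 env.secrets` right after the heredoc) so only the deploying user can read it. As written the value is also commented out (`#GITEA_CLIENT_SECRET=$GITEA_CLIENT_SECRET`), so the container never receives the secret that was just registered with Keycloak. Two smaller things in the same hunk: the final `echo "TODO: Configure openID by visiting login.${DOMAIN_NAME}/` has no closing quote, which bash reports as an unexpected EOF and which stops the whole script from parsing, and `DIRNAME="$(dirname $0)"` should quote `"$0"`. The redirections around `cat < env.secrets` and `client-create <>./data/app.ini` look damaged in this rendering of the patch (the heredoc markers are missing), so I have not reviewed their contents.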
  • mastodon: federated social media
  • nextcloud: self hosted documents and calendaring
  • grafana: dashboards and statistic collection +
  • gitea: git repository hosting
  • keycloak: user management and single sign on for the domain diff --git a/nginx/nginx/templates/git.conf.template b/nginx/nginx/templates/git.conf.template new file mode 100644 index 0000000..4814d33 --- /dev/null +++ b/nginx/nginx/templates/git.conf.template @@ -0,0 +1,42 @@ +map $http_upgrade $connection_upgrade { + default upgrade; + '' close; +} + +server { + server_name ${GITEA_HOSTNAME}; + client_max_body_size 128m; + + sendfile on; + tcp_nopush on; + tcp_nodelay on; + keepalive_timeout 65; + types_hash_max_size 2048; + + gzip on; + gzip_disable "msie6"; + + proxy_read_timeout 1800s; + + location / { + proxy_pass http://host.docker.internal:3030; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + } + + # login with OIDC + location /user/login { + return 302 https://login.hackerspace.zone/; + } + + listen 443 ssl; + ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/${DOMAIN_NAME}/privkey.pem; + include /etc/nginx/includes/options-ssl-nginx.conf; + include /etc/nginx/includes/challenge.conf; + ssl_dhparam /etc/nginx/includes/ssl-dhparams.pem; +} + + From d23ff66f6d9bbfaa10e5b2af92c79007d1781b35 Mon Sep 17 00:00:00 2001 From: Trammell Hudson Date: Thu, 5 May 2022 07:31:47 +0000 Subject: [PATCH 2/5] gitea: rework setup for new file layout --- gitea/docker-compose.yaml | 4 +- gitea/env.production | 1 + gitea/setup | 49 +++++++++++++++++-------- nginx/certbot-renew | 2 +- nginx/nginx/templates/git.conf.template | 11 ++---- 5 files changed, 40 insertions(+), 27 deletions(-) create mode 100644 gitea/env.production diff --git a/gitea/docker-compose.yaml b/gitea/docker-compose.yaml index b28a7f0..7a3d204 100644 --- a/gitea/docker-compose.yaml +++ b/gitea/docker-compose.yaml 
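Review bot: The `location /user/login` block hard-codes `https://login.hackerspace.zone/` even though the rest of the template is parameterised (`${GITEA_HOSTNAME}`, `${DOMAIN_NAME}`), so any deployment with a different realm host silently sends logins to the wrong site; use `${KEYCLOAK_HOSTNAME}` like the other templates do. Redirecting to the Keycloak landing page also does not start an OIDC flow for Gitea, so a user who follows it has no route back into the application — a redirect to Gitea's own OAuth2 entry point would be needed for a working "force SSO". The `map $http_upgrade $connection_upgrade` block defines `$connection_upgrade` but nothing in this server block uses it, and since these templates appear to be concatenated into one nginx config, a second template defining the same `map` would make the config fail to load — I cannot see the other templates, so treat that as something to confirm.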
@@ -10,14 +10,14 @@ services: env_file: - ../env.production - env.production - - env.secrets + - ../data/gitea/env.secrets environment: - USER_UID=1000 - USER_GID=1000 networks: - gitea volumes: - - ./data/gitea:/data + - ../data/gitea:/data - /etc/timezone:/etc/timezone:ro - /etc/localtime:/etc/localtime:ro ports: diff --git a/gitea/env.production b/gitea/env.production new file mode 100644 index 0000000..8db9978 --- /dev/null +++ b/gitea/env.production @@ -0,0 +1 @@ +# gitea config diff --git a/gitea/setup b/gitea/setup index 1456096..39777c6 100755 --- a/gitea/setup +++ b/gitea/setup @@ -1,43 +1,59 @@ #!/bin/bash -set -euo pipefail -die() { echo >&2 "$@" ; exit 1 ; } +die() { echo >&2 "gitea: ERROR $*" ; exit 1 ; } +info() { echo >&2 "gitea: $*" ; } DIRNAME="$(dirname $0)" cd "$DIRNAME" -docker-compose down +source ../env.production || die "no top level environment" +source ./env.production || die "no local environment" + +DATA="../data/gitea" +SECRETS="$DATA/env.secrets" +INI="$DATA/gitea/conf/app.ini" + +if [ -r "$SECRETS" ]; then + docker-compose up -d || die "unable to start" + exit 0 +fi -../keycloak/client-delete gitea GITEA_CLIENT_SECRET="$(openssl rand -hex 32)" -rm -f env.secrets -cat < env.secrets +info "creating new secrets $SECRETS" + +mkdir -p "$DATA" +cat < "$SECRETS" # DO NOT CHECK IN -#GITEA_CLIENT_SECRET=$GITEA_CLIENT_SECRET +GITEA_CLIENT_SECRET=$GITEA_CLIENT_SECRET EOF + +docker-compose down 2>/dev/null + +../keycloak/client-delete gitea 2>/dev/null ../keycloak/client-create <>./data/app.ini || die "unable to enable OpenID in app.ini" +info "enabling OpenID in $INI" +grep --quiet '\[openid\]' "$INI" || { + echo <> "$INI" || die "unable to enable OpenID in $INI" ;service] ; Only allow registering via OpenID ;DISABLE_REGISTRATION = false 
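Review bot: This hunk drops `set -euo pipefail` and at the same time moves `env.secrets` to `../data/gitea/env.secrets`, which is inside the directory the compose hunk above bind-mounts into the container as `/data`, so the Keycloak client secret now lives in the service's writable data volume (readable at `/data/env.secrets` from inside the container, and captured by any backup of `data/`) and is still created with the caller's default umask. Keep the strict mode, and write the file restrictively: `umask 077` before `mkdir -p "$DATA"`, or wrap the write as `(umask 077; cat > "$SECRETS" <<EOF … EOF)`. If the file must stay under `data/`, a sibling directory such as `../data/gitea-secrets` that is not mounted into the container would keep it out of the service's reach. The `if [ -r "$SECRETS" ]` early exit also means the `client-delete`/`client-create` pair never runs again, so rotating the secret requires deleting the file by hand — worth a comment on that branch so an operator knows.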
@@ -50,5 +66,6 @@ ENABLE_OPENID_SIGNUP = true EOF } -echo "TODO: Configure openID by visiting login.${DOMAIN_NAME}/ - +info "restarting" +docker-compose down +docker-compose up -d || die "unable to start container" diff --git a/nginx/certbot-renew b/nginx/certbot-renew index 25b4873..7a5ed08 100755 --- a/nginx/certbot-renew +++ b/nginx/certbot-renew @@ -7,7 +7,7 @@ cd "$DIRNAME" source ../env.production source ./env.production -domain_args="-d $DOMAIN_NAME,$KEYCLOAK_HOSTNAME,$HEDGEDOC_HOSTNAME,$MASTODON_HOSTNAME,$NEXTCLOUD_HOSTNAME,$GRAFANA_HOSTNAME,$MATRIX_HOSTNAME" +domain_args="-d $DOMAIN_NAME,$KEYCLOAK_HOSTNAME,$HEDGEDOC_HOSTNAME,$MASTODON_HOSTNAME,$NEXTCLOUD_HOSTNAME,$GRAFANA_HOSTNAME,$MATRIX_HOSTNAME,$GITEA_HOSTNAME" rsa_key_size=2048 set -x diff --git a/nginx/nginx/templates/git.conf.template b/nginx/nginx/templates/git.conf.template index 4814d33..67a49dd 100644 --- a/nginx/nginx/templates/git.conf.template +++ b/nginx/nginx/templates/git.conf.template @@ -1,8 +1,3 @@ -map $http_upgrade $connection_upgrade { - default upgrade; - '' close; -} - server { server_name ${GITEA_HOSTNAME}; client_max_body_size 128m; @@ -27,9 +22,9 @@ server { } # login with OIDC - location /user/login { - return 302 https://login.hackerspace.zone/; - } +# location /user/login { +# return 302 https://login.hackerspace.zone/; +# } listen 443 ssl; ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem; From 6d3cf7a4d6765308464b8c95acddadc410c54148 Mon Sep 17 00:00:00 2001 From: Trammell Hudson Date: Thu, 5 May 2022 08:03:07 +0000 Subject: [PATCH 3/5] gitea: force oauth login, pre-configure database connection, notes on configuring login --- gitea/README.md | 9 +++++++++ gitea/docker-compose.yaml | 19 +++++++++++++++++++ gitea/env.production | 7 ++++++- gitea/setup | 25 +------------------------ nginx/nginx/templates/git.conf.template | 8 ++++---- 5 files changed, 39 insertions(+), 29 deletions(-) create mode 100644 gitea/README.md 
diff --git a/gitea/README.md b/gitea/README.md new file mode 100644 index 0000000..0a57c16 --- /dev/null +++ b/gitea/README.md @@ -0,0 +1,9 @@ +# gitea + +OpenID setup doesn't work out of the box. The open id provider must be configured: + +* Authentication name: `keycloak` +* OAuth2 Provider: `OpenID Connect` +* Client key: `gitea` +* Client secret: (copy from `../data/gitea/env.secrets`) +* Discovery URL: https://login.hackerspace.zone/realms/hackerspace/.well-known/openid-configuration diff --git a/gitea/docker-compose.yaml b/gitea/docker-compose.yaml index 7a3d204..df66dbf 100644 --- a/gitea/docker-compose.yaml +++ b/gitea/docker-compose.yaml @@ -14,6 +14,11 @@ services: environment: - USER_UID=1000 - USER_GID=1000 + - GITEA__database__DB_TYPE=postgres + - GITEA__database__HOST=db:5432 + - GITEA__database__NAME=gitea + - GITEA__database__USER=gitea + - GITEA__database__PASSWD=gitea networks: - gitea volumes: @@ -24,3 +29,17 @@ services: - "3030:3000" - "222:22" restart: always + depends_on: + - db + + db: + image: postgres:13.4-alpine + restart: always + environment: + - POSTGRES_USER=gitea + - POSTGRES_PASSWORD=gitea + - POSTGRES_DB=gitea + volumes: + - ../data/gitea/postgres:/var/lib/postgresql/data + networks: + - gitea diff --git a/gitea/env.production b/gitea/env.production index 8db9978..f7920e2 100644 --- a/gitea/env.production +++ b/gitea/env.production @@ -1 +1,6 @@ -# gitea config +# gitea config for keycloak integration +# only allow open id sign-in, turn off all other registrations +GITEA__openid__ENABLE_OPENID_SIGNIN=true +GITEA__openid__ENABLE_OPENID_SIGNUP=false +#GITEA__service__DISABLE_REGISTRATION=true +GITEA__service__ALLOW_ONLY_EXTERNAL_REGISTRATION=true diff --git a/gitea/setup b/gitea/setup index 39777c6..d22cbc3 100755 --- a/gitea/setup +++ b/gitea/setup @@ -26,6 +26,7 @@ mkdir -p "$DATA" cat < "$SECRETS" # DO NOT CHECK IN GITEA_CLIENT_SECRET=$GITEA_CLIENT_SECRET +GITEA__server__ROOT_URL=https://$GITEA_HOSTNAME/ EOF 
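Review bot: The database credential is a fixed, committed string in both services: `GITEA__database__PASSWD=gitea` on `gitea` and `POSTGRES_PASSWORD=gitea` on the new `db`. The `db` container publishes no ports and sits only on the `gitea` network, which limits exposure, but a static password in version control is still the first thing to go if any other container is ever attached to that network or the data directory is restored elsewhere. The `setup` hunk in this commit already generates secrets into `../data/gitea/env.secrets`; generate `GITEA_DB_PASSWORD="$(openssl rand -hex 32)"` there too, write both `GITEA__database__PASSWD=$GITEA_DB_PASSWORD` and `POSTGRES_PASSWORD=$GITEA_DB_PASSWORD` into the heredoc, and give `db` the same `env_file` (or a separate `env.db-secrets` if you would rather not hand the OIDC client secret to postgres as well). Separately, `GITEA__openid__ENABLE_OPENID_SIGNIN=true` in `env.production` appears to toggle Gitea's legacy OpenID 2.0 sign-in rather than the OAuth2/OIDC source the README describes, so it may have no bearing on the Keycloak flow — confirm against the Gitea docs before relying on it.
```yaml
  gitea:
    # … unchanged: image, env_file, USER_UID/USER_GID …
    environment:
      - GITEA__database__DB_TYPE=postgres
      - GITEA__database__HOST=db:5432
      - GITEA__database__NAME=gitea
      - GITEA__database__USER=gitea
      # GITEA__database__PASSWD is supplied by ../data/gitea/env.secrets
    # … unchanged: networks, volumes, ports, depends_on …

  db:
    image: postgres:13.4-alpine
    restart: always
    env_file:
      - ../data/gitea/env.secrets   # provides POSTGRES_PASSWORD
    environment:
      - POSTGRES_USER=gitea
      - POSTGRES_DB=gitea
    # … unchanged: volumes, networks …
```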
@@ -45,27 +46,3 @@ docker-compose down 2>/dev/null EOF docker-compose up -d || die "unable to start container" - -echo SLEEPING -sleep 10 - -test -f "$INI" || die "missing $INI" - -info "enabling OpenID in $INI" -grep --quiet '\[openid\]' "$INI" || { - echo <> "$INI" || die "unable to enable OpenID in $INI" -;service] -; Only allow registering via OpenID -;DISABLE_REGISTRATION = false -;ALLOW_ONLY_EXTERNAL_REGISTRATION = true -[openid] -; do not allow signin to local users via OpenID -ENABLE_OPENID_SIGNIN = false -; allow creation of new users via OpenID -ENABLE_OPENID_SIGNUP = true -EOF -} - -info "restarting" -docker-compose down -docker-compose up -d || die "unable to start container" diff --git a/nginx/nginx/templates/git.conf.template b/nginx/nginx/templates/git.conf.template index 67a49dd..5c96a3a 100644 --- a/nginx/nginx/templates/git.conf.template +++ b/nginx/nginx/templates/git.conf.template @@ -21,10 +21,10 @@ server { proxy_set_header X-Forwarded-Proto $scheme; } - # login with OIDC -# location /user/login { -# return 302 https://login.hackerspace.zone/; -# } + # force login with OIDC + location /user/login { + return 302 https://${GITEA_HOSTNAME}/user/oauth2/keycloak; + } listen 443 ssl; ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem; From 84edb86a342b6ba98614537bb931fed365f535af Mon Sep 17 00:00:00 2001 From: Trammell Hudson Date: Thu, 5 May 2022 09:23:42 +0000 Subject: [PATCH 4/5] gitea: document OIDC setup step --- README.md | 2 ++ gitea/README.md | 12 ++++----- gitea/add-auth | 66 +++++++++++++++++++++++++++++++++++++++++++++++++ gitea/setup | 57 ++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 131 insertions(+), 6 deletions(-) create mode 100644 gitea/add-auth diff --git a/README.md b/README.md index 10df55f..1123d5f 100644 --- a/README.md +++ b/README.md 
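Review bot: The `location /user/login` redirect hides the password form but does not turn off local password authentication inside Gitea, so any local account stays usable wherever nginx proxies the request through under `location /` — git-over-HTTP basic auth and the `/api/v1` endpoints, as far as Gitea's URL layout goes — which makes this a UX nudge rather than an enforcement control; the comment should say so: `# UX only: browser logins go to Keycloak; local password auth is not disabled`. A prefix `location` also swallows everything below `/user/login` (Gitea has sub-pages there for its OpenID 2.0 and two-factor steps), so an exact match `location = /user/login { return 302 https://${GITEA_HOSTNAME}/user/oauth2/keycloak; }` is the safer shape. Which sub-paths exist in 1.16.6 is inferred from Gitea's routing rather than from this hunk, so check before narrowing.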
@@ -17,3 +17,5 @@ apt install jq docker-compose ./nginx/setup ./start-all ``` + +* gitea requires some manual configuration; see [gitea/README][gitea/README.md] for more info diff --git a/gitea/README.md b/gitea/README.md index 0a57c16..3e56968 100644 --- a/gitea/README.md +++ b/gitea/README.md @@ -1,9 +1,9 @@ # gitea -OpenID setup doesn't work out of the box. The open id provider must be configured: +After the `setup` script has run, the website *still* requires a click to finish the installation. +Once that is done it will break since the OpenID login has not yet been configured. Run this to +fix it. -* Authentication name: `keycloak` -* OAuth2 Provider: `OpenID Connect` -* Client key: `gitea` -* Client secret: (copy from `../data/gitea/env.secrets`) -* Discovery URL: https://login.hackerspace.zone/realms/hackerspace/.well-known/openid-configuration +``` +./add-auth +``` diff --git a/gitea/add-auth b/gitea/add-auth new file mode 100644 index 0000000..0af8add --- /dev/null +++ b/gitea/add-auth 
@@ -0,0 +1,66 @@ +#!/bin/bash +# run this *after* initializing the database by clicking on the ok +# issue filed https://github.com/go-gitea/gitea/issues/19616 +source ../env.production +source ./env.production +source ../data/gitea/env.secrets + + +true || curl "https://${GITEA_HOSTNAME}/" \ + -v \ + -X POST \ + -H 'Origin: null' \ + -H 'Connection: keep-alive' \ + -H 'Upgrade-Insecure-Requests: 1' \ + -H 'Sec-Fetch-Dest: document' \ + -H 'Sec-Fetch-Mode: navigate' \ + -H 'Sec-Fetch-Site: same-origin' \ + -H 'Sec-Fetch-User: ?1' \ + -H 'TE: trailers' \ + -H 'Cookie: i_like_gitea=ac81483e536b3641' \ + -F "db_type=postgres" \ + -F "db_host=db:5432" \ + -F "db_user=gitea" \ + -F "db_passwd=gitea" \ + -F "db_name=gitea" \ + -F "ssl_mode=disable" \ + -F "db_schema=" \ + -F "charset=utf8" \ + -F "db_path=/data/gitea/gitea.db" \ + -F "app_name=${REALM} Gitea" \ + -F "repo_root_path=/data/git/repositories" \ + -F "lfs_root_path=/data/git/lfs" \ + -F "run_user=git" \ + -F "domain=${GITEA_HOSTNAME}" \ + -F "ssh_port=22" \ + -F "http_port=3000" \ + -F "app_url=https://${GITEA_HOSTNAME}/" \ + -F "log_root_path=/data/gitea/log" \ + -F "smtp_host=" \ + -F "smtp_from=" \ + -F "smtp_user=" \ + -F "smtp_passwd=" \ + -F "enable_federated_avatar=on" \ + -F "enable_open_id_sign_in=on" \ + -F "allow_only_external_registration=on" \ + -F "default_allow_create_organization=on" \ + -F "default_enable_timetracking=on" \ + -F "no_reply_address=noreply.${GITEA_HOSTNAME}" \ + -F "password_algorithm=pbkdf2" \ + -F "admin_name=root" \ + -F "admin_passwd=${GITEA_ADMIN_PASSWORD}" \ + -F "admin_confirm_passwd=${GITEA_ADMIN_PASSWORD}" \ + -F "admin_email=" \ +|| die "unable to initiate install" + + +docker-compose exec -u git gitea \ + gitea admin auth add-oauth \ + --name "keycloak" \ + --provider "openidConnect" \ + --key "gitea" \ + --secret "$GITEA_CLIENT_SECRET" \ + --auto-discover-url "https://${KEYCLOAK_HOSTNAME}/realms/${REALM}/.well-known/openid-configuration" \ + --group-claim-name 
"groups" \ + --admin-group "admin" \ +|| die "unable to add oauth interface" diff --git a/gitea/setup b/gitea/setup index d22cbc3..87a2c3b 100755 --- a/gitea/setup +++ b/gitea/setup @@ -19,6 +19,7 @@ fi GITEA_CLIENT_SECRET="$(openssl rand -hex 32)" +GITEA_ADMIN_PASSWORD="$(openssl rand -hex 8)" info "creating new secrets $SECRETS" @@ -26,6 +27,7 @@ mkdir -p "$DATA" cat < "$SECRETS" # DO NOT CHECK IN GITEA_CLIENT_SECRET=$GITEA_CLIENT_SECRET +GITEA_ADMIN_PASSWORD=$GITEA_ADMIN_PASSWORD GITEA__server__ROOT_URL=https://$GITEA_HOSTNAME/ EOF 
@@ -46,3 +48,58 @@ docker-compose down 2>/dev/null EOF docker-compose up -d || die "unable to start container" + +info "waiting for startup..." +sleep 5 + +info "attempting to finish install" +curl "https://${GITEA_HOSTNAME}/" \ + -X POST \ + -f "db_type=postgres" \ + -f "db_host=db:5432" \ + -f "db_user=gitea" \ + -f "db_passwd=gitea" \ + -f "db_name=gitea" \ + -f "ssl_mode=disable" \ + -f "db_schema=" \ + -f "charset=utf8" \ + -f "db_path=/data/gitea/gitea.db" \ + -f "app_name=${REALM} Gitea" \ + -f "repo_root_path=/data/git/repositories" \ + -f "lfs_root_path=/data/git/lfs" \ + -f "run_user=git" \ + -f "domain=${GITEA_HOSTNAME}" \ + -f "ssh_port=22" \ + -f "http_port=3000" \ + -f "app_url=https://${GITEA_HOSTNAME}/" \ + -f "log_root_path=/data/gitea/log" \ + -f "smtp_host=" \ + -f "smtp_from=" \ + -f "smtp_user=" \ + -f "smtp_passwd=" \ + -f "enable_federated_avatar=on" \ + -f "enable_open_id_sign_in=on" \ + -f "allow_only_external_registration=on" \ + -f "default_allow_create_organization=on" \ + -f "default_enable_timetracking=on" \ + -f "no_reply_address=noreply.${GITEA_HOSTNAME}" \ + -f "password_algorithm=pbkdf2" \ + -f "admin_name=root" \ + -f "admin_passwd=${GITEA_ADMIN_PASSWORD}" \ + -f "admin_confirm_passwd=${GITEA_ADMIN_PASSWORD}" \ + -f "admin_email=" \ +|| die "unable to initiate install" + +sleep 10 + +info "adding oauth login" +docker-compose exec -u git gitea \ + gitea admin auth add-oauth \ + --name "keycloak" \ + --provider "openidConnect" \ + --key "gitea" \ + --secret "$GITEA_CLIENT_SECRET" \ + --auto-discover-url "https://${KEYCLOAK_HOSTNAME}/realms/${REALM}/.well-known/openid-configuration" \ + --group-claim-name "groups" \ + --admin-group "admin" \ +|| die "unable to add oauth interface" From 85b600afc9b23383a18bc486d6ef60e8fe853f3c Mon Sep 17 00:00:00 2001 
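Review bot: Every form field in the install POST is passed with lowercase `-f`, which in curl is `--fail`, not `--form` (`-F`, as the `add-auth` copy of the same command uses); each `"db_type=postgres"` and so on becomes a bare positional argument that curl treats as another URL, so the request never carries the install form, and with `--fail` the unrelated fetches may even succeed and let the script continue as though the install had completed. Change `-f` to `-F` on every field line, or drop the block in favour of `GITEA__security__INSTALL_LOCK` plus an explicit `gitea admin user create`. Separately, `admin_passwd=${GITEA_ADMIN_PASSWORD}` and `--secret "$GITEA_CLIENT_SECRET"` both travel on process command lines (`ps` on the host, and inside the container for the exec), so note that exposure in a comment. The fixed `sleep 5` and `sleep 10` are races against Postgres and Gitea start-up; polling `https://${GITEA_HOSTNAME}/` until it answers before posting would make the script reliable on a slow first boot.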
From: Trammell Hudson Date: Thu, 5 May 2022 09:32:07 +0000 Subject: [PATCH 5/5] gitea: automatically complete install and enable OIDC --- README.md | 2 -- gitea/README.md | 8 +----- gitea/add-auth | 66 ------------------------------------------------- gitea/setup | 42 ++----------------------------- 4 files changed, 3 insertions(+), 115 deletions(-) delete mode 100644 gitea/add-auth diff --git a/README.md b/README.md index 1123d5f..10df55f 100644 --- a/README.md +++ b/README.md @@ -17,5 +17,3 @@ apt install jq docker-compose ./nginx/setup ./start-all ``` - -* gitea requires some manual configuration; see [gitea/README][gitea/README.md] for more info diff --git a/gitea/README.md b/gitea/README.md index 3e56968..ef1b0be 100644 --- a/gitea/README.md +++ b/gitea/README.md @@ -1,9 +1,3 @@ # gitea -After the `setup` script has run, the website *still* requires a click to finish the installation. -Once that is done it will break since the OpenID login has not yet been configured. Run this to -fix it. - -``` -./add-auth -``` +OIDC setup is now automated diff --git a/gitea/add-auth b/gitea/add-auth deleted file mode 100644 index 0af8add..0000000 --- a/gitea/add-auth +++ /dev/null 
@@ -1,66 +0,0 @@ -#!/bin/bash -# run this *after* initializing the database by clicking on the ok -# issue filed https://github.com/go-gitea/gitea/issues/19616 -source ../env.production -source ./env.production -source ../data/gitea/env.secrets - - -true || curl "https://${GITEA_HOSTNAME}/" \ - -v \ - -X POST \ - -H 'Origin: null' \ - -H 'Connection: keep-alive' \ - -H 'Upgrade-Insecure-Requests: 1' \ - -H 'Sec-Fetch-Dest: document' \ - -H 'Sec-Fetch-Mode: navigate' \ - -H 'Sec-Fetch-Site: same-origin' \ - -H 'Sec-Fetch-User: ?1' \ - -H 'TE: trailers' \ - -H 'Cookie: i_like_gitea=ac81483e536b3641' \ - -F "db_type=postgres" \ - -F "db_host=db:5432" \ - -F "db_user=gitea" \ - -F "db_passwd=gitea" \ - -F "db_name=gitea" \ - -F "ssl_mode=disable" \ - -F "db_schema=" \ - -F "charset=utf8" \ - -F "db_path=/data/gitea/gitea.db" \ - -F "app_name=${REALM} Gitea" \ - -F "repo_root_path=/data/git/repositories" \ - -F "lfs_root_path=/data/git/lfs" \ - -F "run_user=git" \ - -F "domain=${GITEA_HOSTNAME}" \ - -F "ssh_port=22" \ - -F "http_port=3000" \ - -F "app_url=https://${GITEA_HOSTNAME}/" \ - -F "log_root_path=/data/gitea/log" \ - -F "smtp_host=" \ - -F "smtp_from=" \ - -F "smtp_user=" \ - -F "smtp_passwd=" \ - -F "enable_federated_avatar=on" \ - -F "enable_open_id_sign_in=on" \ - -F "allow_only_external_registration=on" \ - -F "default_allow_create_organization=on" \ - -F "default_enable_timetracking=on" \ - -F "no_reply_address=noreply.${GITEA_HOSTNAME}" \ - -F "password_algorithm=pbkdf2" \ - -F "admin_name=root" \ - -F "admin_passwd=${GITEA_ADMIN_PASSWORD}" \ - -F "admin_confirm_passwd=${GITEA_ADMIN_PASSWORD}" \ - -F "admin_email=" \ -|| die "unable to initiate install" - - -docker-compose exec -u git gitea \ - gitea admin auth add-oauth \ - --name "keycloak" \ - --provider "openidConnect" \ - --key "gitea" \ - --secret "$GITEA_CLIENT_SECRET" \ - --auto-discover-url "https://${KEYCLOAK_HOSTNAME}/realms/${REALM}/.well-known/openid-configuration" \ - --group-claim-name 
"groups" \ - --admin-group "admin" \ -|| die "unable to add oauth interface" diff --git a/gitea/setup b/gitea/setup index 87a2c3b..d05db79 100755 --- a/gitea/setup +++ b/gitea/setup @@ -29,6 +29,8 @@ cat < "$SECRETS" GITEA_CLIENT_SECRET=$GITEA_CLIENT_SECRET GITEA_ADMIN_PASSWORD=$GITEA_ADMIN_PASSWORD GITEA__server__ROOT_URL=https://$GITEA_HOSTNAME/ +GITEA__security__INSTALL_LOCK=true +GITEA__security__SECRET_KEY=$(openssl rand -hex 32) EOF @@ -52,46 +54,6 @@ docker-compose up -d || die "unable to start container" info "waiting for startup..." sleep 5 -info "attempting to finish install" -curl "https://${GITEA_HOSTNAME}/" \ - -X POST \ - -f "db_type=postgres" \ - -f "db_host=db:5432" \ - -f "db_user=gitea" \ - -f "db_passwd=gitea" \ - -f "db_name=gitea" \ - -f "ssl_mode=disable" \ - -f "db_schema=" \ - -f "charset=utf8" \ - -f "db_path=/data/gitea/gitea.db" \ - -f "app_name=${REALM} Gitea" \ - -f "repo_root_path=/data/git/repositories" \ - -f "lfs_root_path=/data/git/lfs" \ - -f "run_user=git" \ - -f "domain=${GITEA_HOSTNAME}" \ - -f "ssh_port=22" \ - -f "http_port=3000" \ - -f "app_url=https://${GITEA_HOSTNAME}/" \ - -f "log_root_path=/data/gitea/log" \ - -f "smtp_host=" \ - -f "smtp_from=" \ - -f "smtp_user=" \ - -f "smtp_passwd=" \ - -f "enable_federated_avatar=on" \ - -f "enable_open_id_sign_in=on" \ - -f "allow_only_external_registration=on" \ - -f "default_allow_create_organization=on" \ - -f "default_enable_timetracking=on" \ - -f "no_reply_address=noreply.${GITEA_HOSTNAME}" \ - -f "password_algorithm=pbkdf2" \ - -f "admin_name=root" \ - -f "admin_passwd=${GITEA_ADMIN_PASSWORD}" \ - -f "admin_confirm_passwd=${GITEA_ADMIN_PASSWORD}" \ - -f "admin_email=" \ -|| die "unable to initiate install" - -sleep 10 - info "adding oauth login" docker-compose exec -u git gitea \ gitea admin auth add-oauth \