diff --git a/gitea/README.md b/gitea/README.md
new file mode 100644
index 0000000..0a57c16
--- /dev/null
+++ b/gitea/README.md
@@ -0,0 +1,9 @@
+# gitea
+
+OpenID setup doesn't work out of the box. The open id provider must be configured:
+
+* Authentication name: `keycloak`
+* OAuth2 Provider: `OpenID Connect`
+* Client key: `gitea`
+* Client secret: (copy from `../data/gitea/env.secrets`)
+* Discovery URL: https://login.hackerspace.zone/realms/hackerspace/.well-known/openid-configuration
diff --git a/gitea/docker-compose.yaml b/gitea/docker-compose.yaml
index 7a3d204..df66dbf 100644
--- a/gitea/docker-compose.yaml
+++ b/gitea/docker-compose.yaml
@@ -14,6 +14,11 @@ services:
 environment:
 - USER_UID=1000
 - USER_GID=1000
+ - GITEA__database__DB_TYPE=postgres
+ - GITEA__database__HOST=db:5432
+ - GITEA__database__NAME=gitea
+ - GITEA__database__USER=gitea
+ - GITEA__database__PASSWD=gitea
 networks:
 - gitea
 volumes:
@@ -24,3 +29,17 @@ services:
 - "3030:3000"
 - "222:22"
 restart: always
+ depends_on:
+ - db
+
+ db:
+ image: postgres:13.4-alpine
+ restart: always
+ environment:
+ - POSTGRES_USER=gitea
+ - POSTGRES_PASSWORD=gitea
+ - POSTGRES_DB=gitea
+ volumes:
+ - ../data/gitea/postgres:/var/lib/postgresql/data
+ networks:
+ - gitea
diff --git a/gitea/env.production b/gitea/env.production
index 8db9978..f7920e2 100644
--- a/gitea/env.production
+++ b/gitea/env.production
@@ -1 +1,6 @@
-# gitea config
+# gitea config for keycloak integration
+# only allow open id sign-in, turn off all other registrations
+GITEA__openid__ENABLE_OPENID_SIGNIN=true
+GITEA__openid__ENABLE_OPENID_SIGNUP=false
+#GITEA__service__DISABLE_REGISTRATION=true
+GITEA__service__ALLOW_ONLY_EXTERNAL_REGISTRATION=true
diff --git a/gitea/setup b/gitea/setup
index 39777c6..d22cbc3 100755
--- a/gitea/setup
+++ b/gitea/setup
@@ -26,6 +26,7 @@ mkdir -p "$DATA"
 cat < "$SECRETS"
 # DO NOT CHECK IN
 GITEA_CLIENT_SECRET=$GITEA_CLIENT_SECRET
+GITEA__server__ROOT_URL=https://$GITEA_HOSTNAME/
 EOF 
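Review bot: `GITEA__database__PASSWD=gitea` puts a fixed database password into a file that is committed, and the matching `POSTGRES_PASSWORD=gitea` in the next hunk of this file does the same, so every deployment of this repository shares one well-known credential. The setup script already generates per-host secrets into `$SECRETS` under a `# DO NOT CHECK IN` header, so the password could be generated there as a `GITEA__database__PASSWD=...` line and only the non-secret `DB_TYPE`/`HOST`/`NAME`/`USER` entries kept here, with the postgres service reading the same value through a compose variable substitution. I cannot see from the diff whether this compose file loads the secrets file as `env_file`, so that wiring needs checking. Postgres is reachable only on the internal `gitea` network here, which limits the exposure, but the data directory is bind-mounted under `../data/gitea`, and a static password is the first thing to change if that directory or the compose file ever leaves the host.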
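Review bot: `depends_on: - db` only orders container start-up, so gitea can come up before Postgres accepts connections and fail its first database initialisation; a `healthcheck` on the `db` service and `condition: service_healthy` on the gitea side close that gap. The long `depends_on` form is only honoured by compose file versions that support conditions, and the `version:` line is outside this hunk, so that should be confirmed before relying on it. The `postgres:13.4-alpine` pin is good for reproducibility but fixes a specific point release, so it needs to be part of routine patch updates rather than left as is.

```yaml
# … unchanged: gitea service (image, environment, networks, volumes, ports, restart) …
    depends_on:
      db:
        condition: service_healthy

  db:
    image: postgres:13.4-alpine
    restart: always
    healthcheck:
      test: ["CMD", "pg_isready", "-U", "gitea", "-d", "gitea"]
      interval: 5s
      timeout: 3s
      retries: 10
    # … unchanged: environment, volumes, networks …
```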
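Review bot: `GITEA__openid__ENABLE_OPENID_SIGNIN=true` is the opposite of what the block removed from gitea/setup in this same commit did (`ENABLE_OPENID_SIGNIN = false`, commented "do not allow signin to local users via OpenID"), and as far as I read Gitea's configuration reference the `[openid]` keys govern its separate OpenID 2.0 login rather than the Keycloak OAuth2 provider the README describes, so this line adds a sign-in path instead of restricting one. If Keycloak-only login is the goal, `GITEA__openid__ENABLE_OPENID_SIGNIN=false` keeps the previous behaviour, and `GITEA__service__ALLOW_ONLY_EXTERNAL_REGISTRATION=true` alone is what limits registration to external accounts while the commented-out `DISABLE_REGISTRATION` correctly stays off. The header comment `# only allow open id sign-in, turn off all other registrations` should then name the mechanism it means, e.g. `# sign-in via the keycloak OAuth2 provider; registration only through external accounts`. None of these keys disables local password authentication itself; the nginx redirect in this commit hides the form but does not affect password use on the API or git over HTTPS.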
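Review bot: `GITEA__server__ROOT_URL=https://$GITEA_HOSTNAME/` is written into the file whose first line says `# DO NOT CHECK IN`, although it is not a secret, so the value every OAuth2 redirect URI is derived from becomes invisible to review while the real secret sits next to it. If `$GITEA_HOSTNAME` is unset at this point the heredoc silently produces `https:///`, so a guard such as `: "${GITEA_HOSTNAME:?GITEA_HOSTNAME must be set}"` before the heredoc is worth adding unless it is already checked earlier in the script, which is outside this hunk. The opening line appears here as `cat < "$SECRETS"`, which looks like the heredoc operator was lost in rendering rather than changed by this commit.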
@@ -45,27 +46,3 @@ docker-compose down 2>/dev/null
 EOF
 docker-compose up -d || die "unable to start container"
-
-echo SLEEPING
-sleep 10
-
-test -f "$INI" || die "missing $INI"
-
-info "enabling OpenID in $INI"
-grep --quiet '\[openid\]' "$INI" || {
- echo <> "$INI" || die "unable to enable OpenID in $INI"
-;service]
-; Only allow registering via OpenID
-;DISABLE_REGISTRATION = false
-;ALLOW_ONLY_EXTERNAL_REGISTRATION = true
-[openid]
-; do not allow signin to local users via OpenID
-ENABLE_OPENID_SIGNIN = false
-; allow creation of new users via OpenID
-ENABLE_OPENID_SIGNUP = true
-EOF
-}
-
-info "restarting"
-docker-compose down
-docker-compose up -d || die "unable to start container"
diff --git a/nginx/nginx/templates/git.conf.template b/nginx/nginx/templates/git.conf.template
index 67a49dd..5c96a3a 100644
--- a/nginx/nginx/templates/git.conf.template
+++ b/nginx/nginx/templates/git.conf.template
@@ -21,10 +21,10 @@ server {
 proxy_set_header X-Forwarded-Proto $scheme;
 }
- # login with OIDC
-# location /user/login {
-# return 302 https://login.hackerspace.zone/;
-# }
+ # force login with OIDC
+ location /user/login {
+ return 302 https://${GITEA_HOSTNAME}/user/oauth2/keycloak;
+ }
 listen 443 ssl;
 ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
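Review bot: `location /user/login {` is a prefix match, so it also captures every subpath and, more importantly, any redirect Gitea itself makes back to `/user/login` to display an OAuth2 failure, which would bounce straight back to Keycloak in a loop with the error never shown; I cannot confirm from the diff which paths Gitea uses for error reporting, but an exact match `location = /user/login {` at least narrows the rule to the sign-in page. The redirect only hides the password form: local password sign-in stays available to the API and to git over HTTPS unless it is disabled in Gitea's own configuration, so the comment `# force login with OIDC` overstates what this block achieves and could read `# send the web sign-in page to the keycloak OAuth2 flow`. Returning `302` for a POST to the same path is acceptable here since the form submission should not be accepted anyway.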