gitea: force oauth login, pre-configure database connection, notes on configuring login

single-dockerfile
Trammell Hudson 3 years ago
parent d23ff66f6d
commit 6d3cf7a4d6
  1. 9
      gitea/README.md
  2. 19
      gitea/docker-compose.yaml
  3. 7
      gitea/env.production
  4. 25
      gitea/setup
  5. 8
      nginx/nginx/templates/git.conf.template

@ -0,0 +1,9 @@
# gitea
OpenID setup doesn't work out of the box. The open id provider must be configured:
* Authentication name: `keycloak`
* OAuth2 Provider: `OpenID Connect`
* Client key: `gitea`
* Client secret: (copy from `../data/gitea/env.secrets`)
* Discovery URL: https://login.hackerspace.zone/realms/hackerspace/.well-known/openid-configuration

@ -14,6 +14,11 @@ services:
environment: environment:
- USER_UID=1000 - USER_UID=1000
- USER_GID=1000 - USER_GID=1000
- GITEA__database__DB_TYPE=postgres
- GITEA__database__HOST=db:5432
- GITEA__database__NAME=gitea
- GITEA__database__USER=gitea
- GITEA__database__PASSWD=gitea
networks: networks:
- gitea - gitea
volumes: volumes:
@ -24,3 +29,17 @@ services:
- "3030:3000" - "3030:3000"
- "222:22" - "222:22"
restart: always restart: always
depends_on:
- db
db:
image: postgres:13.4-alpine
restart: always
environment:
- POSTGRES_USER=gitea
- POSTGRES_PASSWORD=gitea
- POSTGRES_DB=gitea
volumes:
- ../data/gitea/postgres:/var/lib/postgresql/data
networks:
- gitea

@ -1 +1,6 @@
# gitea config # gitea config for keycloak integration
# only allow open id sign-in, turn off all other registrations
GITEA__openid__ENABLE_OPENID_SIGNIN=true
GITEA__openid__ENABLE_OPENID_SIGNUP=false
#GITEA__service__DISABLE_REGISTRATION=true
GITEA__service__ALLOW_ONLY_EXTERNAL_REGISTRATION=true

@ -26,6 +26,7 @@ mkdir -p "$DATA"
cat <<EOF > "$SECRETS" cat <<EOF > "$SECRETS"
# DO NOT CHECK IN # DO NOT CHECK IN
GITEA_CLIENT_SECRET=$GITEA_CLIENT_SECRET GITEA_CLIENT_SECRET=$GITEA_CLIENT_SECRET
GITEA__server__ROOT_URL=https://$GITEA_HOSTNAME/
EOF EOF
@ -45,27 +46,3 @@ docker-compose down 2>/dev/null
EOF EOF
docker-compose up -d || die "unable to start container" docker-compose up -d || die "unable to start container"
echo SLEEPING
sleep 10
test -f "$INI" || die "missing $INI"
info "enabling OpenID in $INI"
grep --quiet '\[openid\]' "$INI" || {
echo <<EOF >> "$INI" || die "unable to enable OpenID in $INI"
;service]
; Only allow registering via OpenID
;DISABLE_REGISTRATION = false
;ALLOW_ONLY_EXTERNAL_REGISTRATION = true
[openid]
; do not allow signin to local users via OpenID
ENABLE_OPENID_SIGNIN = false
; allow creation of new users via OpenID
ENABLE_OPENID_SIGNUP = true
EOF
}
info "restarting"
docker-compose down
docker-compose up -d || die "unable to start container"

@ -21,10 +21,10 @@ server {
proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Proto $scheme;
} }
# login with OIDC # force login with OIDC
# location /user/login { location /user/login {
# return 302 https://login.hackerspace.zone/; return 302 https://${GITEA_HOSTNAME}/user/oauth2/keycloak;
# } }
listen 443 ssl; listen 443 ssl;
ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem; ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;

Loading…
Cancel
Save