gitea: force oauth login, pre-configure database connection, notes on configuring login

3 years ago · 6d3cf7a4d6
parent d23ff66f6d
commit 6d3cf7a4d6
5 changed files with 39 additions and 29 deletions
--- a/gitea/README.md
+++ b/gitea/README.md
@ -0,0 +1,9 @@
+# gitea
+
+OpenID setup doesn't work out of the box.  The open id provider must be configured:
+
+* Authentication name: `keycloak`
+* OAuth2 Provider: `OpenID Connect`
+* Client key: `gitea`
+* Client secret: (copy from `../data/gitea/env.secrets`)
+* Discovery URL: https://login.hackerspace.zone/realms/hackerspace/.well-known/openid-configuration
--- a/gitea/docker-compose.yaml
+++ b/gitea/docker-compose.yaml
@ -14,6 +14,11 @@ services:
    environment:
      - USER_UID=1000
      - USER_GID=1000
+      - GITEA__database__DB_TYPE=postgres
+      - GITEA__database__HOST=db:5432
+      - GITEA__database__NAME=gitea
+      - GITEA__database__USER=gitea
+      - GITEA__database__PASSWD=gitea
    networks:
      - gitea
    volumes:
@ -24,3 +29,17 @@ services:
      - "3030:3000"
      - "222:22"
    restart: always
+    depends_on:
+      - db
+ 
+  db:
+    image: postgres:13.4-alpine
+    restart: always
+    environment:
+      - POSTGRES_USER=gitea
+      - POSTGRES_PASSWORD=gitea
+      - POSTGRES_DB=gitea
+    volumes:
+      - ../data/gitea/postgres:/var/lib/postgresql/data
+    networks:
+      - gitea
--- a/gitea/env.production
+++ b/gitea/env.production
@ -1 +1,6 @@
-# gitea config
+# gitea config for keycloak integration
+# only allow open id sign-in, turn off all other registrations
+GITEA__openid__ENABLE_OPENID_SIGNIN=true
+GITEA__openid__ENABLE_OPENID_SIGNUP=false
+#GITEA__service__DISABLE_REGISTRATION=true
+GITEA__service__ALLOW_ONLY_EXTERNAL_REGISTRATION=true
--- a/gitea/setup
+++ b/gitea/setup
@ -26,6 +26,7 @@ mkdir -p "$DATA"
 cat <<EOF > "$SECRETS"
 # DO NOT CHECK IN
 GITEA_CLIENT_SECRET=$GITEA_CLIENT_SECRET
+GITEA__server__ROOT_URL=https://$GITEA_HOSTNAME/
 EOF


@ -45,27 +46,3 @@ docker-compose down 2>/dev/null
 EOF

 docker-compose up -d || die "unable to start container"
-
-echo SLEEPING
-sleep 10
-
-test -f "$INI" || die "missing $INI"
-
-info "enabling OpenID in $INI"
-grep --quiet '\[openid\]' "$INI" || {
-  echo <<EOF >> "$INI" || die "unable to enable OpenID in $INI"
-;service]
-; Only allow registering via OpenID
-;DISABLE_REGISTRATION = false
-;ALLOW_ONLY_EXTERNAL_REGISTRATION = true
-[openid]
-; do not allow signin to local users via OpenID
-ENABLE_OPENID_SIGNIN = false
-; allow creation of new users via OpenID
-ENABLE_OPENID_SIGNUP = true
-EOF
-}
-
-info "restarting"
-docker-compose down
-docker-compose up -d || die "unable to start container"
--- a/nginx/nginx/templates/git.conf.template
+++ b/nginx/nginx/templates/git.conf.template
@ -21,10 +21,10 @@ server {
 		proxy_set_header X-Forwarded-Proto $scheme;
 	}

-  # login with OIDC
-#  location /user/login {
-#    return 302 https://login.hackerspace.zone/;
-#  }
+  # force login with OIDC
+  location /user/login {
+    return 302 https://${GITEA_HOSTNAME}/user/oauth2/keycloak;
+  }

 	listen 443 ssl;
 	ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;