From d32217f4227736730d4ecfe98e2f54c78c44038a Mon Sep 17 00:00:00 2001
From: Joey Hafner
Date: Sat, 17 Feb 2024 13:45:52 -0800
Subject: [PATCH] Document Gitea SSO configuration (disabling native auth)
---
 homelab/druid/config/gitea/README.md | 21 ++++++++++++++++++++
 homelab/druid/config/gitea/signin_inner.tmpl | 20 +++++++++++++++++++
 2 files changed, 41 insertions(+)
 create mode 100644 homelab/druid/config/gitea/signin_inner.tmpl
diff --git a/homelab/druid/config/gitea/README.md b/homelab/druid/config/gitea/README.md
index b07c0f88..95f1dd3f 100644
--- a/homelab/druid/config/gitea/README.md
+++ b/homelab/druid/config/gitea/README.md
@@ -41,3 +41,24 @@ Apparently a misconfigured Docker-in-Docker runner may sometimes retry registeri
 1. `docker exec -it gitea_postgres psql --username "gitea"` To open a terminal inside the container and open a CLI session to the database.
 2. `\c gitea` To select the 'gitea' database.
 3. `DELETE FROM action_runner WHERE id NOT IN (50, 66);` To delete all entries except those with the IDs I wanted to keep.
+
+# Disable native auth
+We don't want to use Gitea's native auth. We want Keycloak to handle all our authentication. So we place a template override in the correct directory, which Gitea picks up on startup to generate the signin page.
+
+The file [`signin_inner.tmpl`](signin_inner.tmpl) must be placed into `/data/gitea/templates/user/auth/` *inside the container*. In our case, that means `~/data/gitea/gitea/gitea/templates/user/auth/` on the host system.
+
+For this to work properly, we use the following `app.ini` snippets:
+
+```ini
+[service]
+DISABLE_REGISTRATION = true
+ALLOW_ONLY_EXTERNAL_REGISTRATION = true
+
+[openid]
+ENABLE_OPENID_SIGNIN = false
+ENABLE_OPENID_SIGNUP = false
+
+[oauth2_client]
+ENABLE_AUTO_REGISTRATION = true
+ACCOUNT_LINKING = disabled
+```
\ No newline at end of file
diff --git a/homelab/druid/config/gitea/signin_inner.tmpl b/homelab/druid/config/gitea/signin_inner.tmpl
new file mode 100644
index 00000000..8daa7608
--- /dev/null
+++ b/homelab/druid/config/gitea/signin_inner.tmpl
@@ -0,0 +1,20 @@
+{{if or (not .LinkAccountMode) (and .LinkAccountMode .LinkAccountModeSignIn)}}
+{{template "base/alert" .}}
+{{end}}
+
+ {{if .OAuth2Providers}} + + {{end}} + +
\ No newline at end of file
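Review bot: This template override only removes the password form from the rendered sign-in page; a template change cannot affect the server-side native sign-in handler, so the "Disable native auth" section added in the README hunk overstates what this file achieves, since a request carrying local credentials to the login route would presumably still be checked against local accounts. The `[service]` keys quoted in that snippet restrict registration rather than sign-in; Gitea's `[service]` section also has `ENABLE_PASSWORD_SIGNIN_FORM = false`, which I believe is the supported way to turn the form off and, in recent releases, to have the handler refuse password sign-in — worth confirming against the deployed version's documentation and adding to the `app.ini` snippet alongside this override. Because `signin_inner.tmpl` is a full copy of an upstream template, it also pins the deployment to one Gitea template revision and can silently diverge on upgrade; a header such as `{{/* copied from Gitea <VERSION> templates/user/auth/signin_inner.tmpl — re-check after every upgrade */}}` would make that visible. Most of this hunk's markup appears to have been lost in this rendering (only the template actions survive), so the remainder of the 20 new lines could not be reviewed here.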