Jafner/homelab
1
1
Fork 0
Code Issues 15 Pull Requests Actions Packages Projects Releases Wiki Activity

Document Gitea SSO configuration (disabling native auth)
All checks were successful
Deploy to Fighter / Deploy (push) Successful in 6s
Details
Deploy to Fighter / Notify (push) Successful in 2s
Details
Deploy to Druid / Deploy (push) Successful in 11s
Details
Deploy to Druid / Notify (push) Successful in 2s
Details

Browse Source
This commit is contained in:
Joey Hafner 2024-02-17 13:45:52 -08:00
parent 3f3a746a77
commit 1da545dc6e
2 changed files with 41 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
druid/config/gitea/README.md
View File

@ -41,3 +41,24 @@ Apparently a misconfigured Docker-in-Docker runner may sometimes retry registeri
1. `docker exec -it gitea_postgres psql --username "gitea"` To open a terminal inside the container and open a CLI session to the database.
2. `\c gitea` To select the 'gitea' database.
3. `DELETE FROM action_runner WHERE id NOT IN (50, 66);` To delete all entries except those with the IDs I wanted to keep.
# Disable native auth
We don't want to use Gitea's native auth. We want Keycloak to handle all our authentication. So we place a template override in the correct directory, which Gitea picks up on startup to generate the signin page.
The file [`signin_inner.tmpl`](signin_inner.tmpl) must be placed into `/data/gitea/templates/user/auth/` *inside the container*. In our case, that means `~/data/gitea/gitea/gitea/templates/user/auth/` on the host system.
For this to work properly, we use the following `app.ini` snippets:
```ini
[service]
DISABLE_REGISTRATION = true
ALLOW_ONLY_EXTERNAL_REGISTRATION = true
[openid]
ENABLE_OPENID_SIGNIN = false
ENABLE_OPENID_SIGNUP = false
[oauth2_client]
ENABLE_AUTO_REGISTRATION = true
ACCOUNT_LINKING = disabled
```

20
druid/config/gitea/signin_inner.tmpl Normal file
View File

@ -0,0 +1,20 @@
{{if or (not .LinkAccountMode) (and .LinkAccountMode .LinkAccountModeSignIn)}}
{{template "base/alert" .}}
{{end}}
<div class="ui attached segment">
{{if .OAuth2Providers}}
<div id="oauth2-login-navigator" class="gt-py-2">
<div class="gt-df gt-fc gt-jc">
<div id="oauth2-login-navigator-inner" class="gt-df gt-fc gt-fw gt-ac gt-gap-3">
{{range $provider := .OAuth2Providers}}
<a class="{{$provider.Name}} ui button gt-df gt-ac gt-jc gt-py-3 gt-w-full oauth-login-link" href="{{AppSubUrl}}/user/oauth2/{{$provider.DisplayName}}">
{{$provider.IconHTML 28}}
{{ctx.Locale.Tr "sign_in_with_provider" $provider.DisplayName}}
</a>
{{end}}
</div>
</div>
</div>
{{end}}
</form>
</div>