Document Gitea SSO configuration (disabling native auth)

docs/Set up the repository.md

@@ -0,0 +1,14 @@
+# Setting Up the Repository
+1. Create a new Gitlab [Personal Access Token](https://gitlab.jafner.net/-/profile/personal_access_tokens) named after the host on which it will be used. It should have the scopes `read_api`, `read_user`, `read_repository`, and, optionally, `write_repository` if the host will be pushing commits back to the origin. Development hosts should have the `write_repository` permission. Note the *token name* and *token key* for step 6.
+2. `mkdir ~/homelab ~/data && cd ~/homelab` Create the `~/homelab` and `~/data` directories. This should be under the `admin` user's home directory, or equivalent. *It should not be owned by root.*
+3. `git init` Initialize the git repo. It should be empty at this point. We must init the repo empty in order to configure sparse checkout. 
+4. `git config core.sparseCheckout true && git config core.fileMode false && git config pull.ff only && git config init.defaultBranch main` Configure the repo to use sparse checkout and ignore file mode changes. Also configure default branch and pull behavior. 
+5. (Optional) `echo "$HOSTNAME/" > .git/info/sparse-checkout` Configure the repo to checkout only the files relevant to the host (e.g. fighter). Development hosts should not use this. 
+6. `git remote add -f origin https://<token name>:<token key>@gitlab.jafner.net/Jafner/homelab.git` Add the origin with authentication via personal access token and fetch. Remember to replace the placeholder token name and token key with the values from step 1.
+7. `git checkout main` Checkout the main branch to fetch the latest files. 
+
+## Disabling Sparse Checkout
+To disable sparse checkout, simply run `git sparse-checkout disable`. 
+With this, it can also be re-eneabled with `git sparse-checkout init`.
+You can use these two commands to toggle sparse checkout.
+Per: https://stackoverflow.com/questions/36190800/how-to-disable-sparse-checkout-after-enabled

docs/Upgrade from Debian 11 (Bullseye) to 12 (Bookworm).md

@@ -0,0 +1,8 @@
+1. Update existing packages. Run `sudo apt-get update && sudo apt-get upgrade` to fetch and install the latest versions of existing packages from the Debian 11 release channel. 
+2. Reboot the system. Follow the appropriate shutdown procedure for the host. 
+3. Edit the `sources.list` file to point to the new release channels. Run `sudo nano /etc/apt/sources.list`, then replace the release channel names for bullseye with those for bookworm. 
+4. Update and upgrade packages minimally. Run `sudo apt update && sudo apt upgrade --without-new-pkgs`. 
+5. Fully upgrade the system. Run `sudo apt full-upgrade`.
+6. Validate the SSHD config file. Run `sudo sshd -t`. 
+
+[CyberCiti.biz](https://www.cyberciti.biz/faq/update-upgrade-debian-11-to-debian-12-bookworm/)

druid/config/gitea/README.md

@@ -41,3 +41,24 @@ Apparently a misconfigured Docker-in-Docker runner may sometimes retry registeri
 1. `docker exec -it gitea_postgres psql --username "gitea"` To open a terminal inside the container and open a CLI session to the database.
 2. `\c gitea` To select the 'gitea' database.
 3. `DELETE FROM action_runner WHERE id NOT IN (50, 66);` To delete all entries except those with the IDs I wanted to keep.
+
+# Disable native auth
+We don't want to use Gitea's native auth. We want Keycloak to handle all our authentication. So we place a template override in the correct directory, which Gitea picks up on startup to generate the signin page. 
+
+The file [`signin_inner.tmpl`](signin_inner.tmpl) must be placed into `/data/gitea/templates/user/auth/` *inside the container*. In our case, that means `~/data/gitea/gitea/gitea/templates/user/auth/` on the host system. 
+
+For this to work properly, we use the following `app.ini` snippets:
+
+```ini
+[service]
+DISABLE_REGISTRATION = true
+ALLOW_ONLY_EXTERNAL_REGISTRATION = true
+
+[openid]
+ENABLE_OPENID_SIGNIN = false
+ENABLE_OPENID_SIGNUP = false
+
+[oauth2_client]
+ENABLE_AUTO_REGISTRATION = true
+ACCOUNT_LINKING = disabled
+```

druid/config/gitea/signin_inner.tmpl

@@ -0,0 +1,20 @@
+{{if or (not .LinkAccountMode) (and .LinkAccountMode .LinkAccountModeSignIn)}}
+{{template "base/alert" .}}
+{{end}}
+<div class="ui attached segment">
+        {{if .OAuth2Providers}}
+        <div id="oauth2-login-navigator" class="gt-py-2">
+                <div class="gt-df gt-fc gt-jc">
+                        <div id="oauth2-login-navigator-inner" class="gt-df gt-fc gt-fw gt-ac gt-gap-3">
+                                {{range $provider := .OAuth2Providers}}
+                                        <a class="{{$provider.Name}} ui button gt-df gt-ac gt-jc gt-py-3 gt-w-full oauth-login-link" href="{{AppSubUrl}}/user/oauth2/{{$provider.DisplayName}}">
+                                                {{$provider.IconHTML 28}}
+                                                {{ctx.Locale.Tr "sign_in_with_provider" $provider.DisplayName}}
+                                        </a>
+                                {{end}}
+                        </div>
+                </div>
+        </div>
+        {{end}}
+        </form>
+</div>

fighter/scripts/startup.sh

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Check for network mounted devices
+# NAS SMB
+if ! mount -t cifs | grep -q '/mnt/nas'; then
+    echo "NAS SMB shares not mounted"
+    exit 1
+fi
+
+# NAS iSCSI
+if ! sudo iscsiadm -m session | grep -q 'iqn.2020-03.net.jafner:fighter'; then 
+    echo "NAS iSCSI share not mounted"
+    exit 1
+fi
+
+for stack in /home/admin/homelab/fighter/config/*; do
+    cd $stack 
+    docker compose up -d 
+    cd /home/admin/homelab/fighter/config/
+done