Commit 39197890 authored by Christian Elberfeld's avatar Christian Elberfeld

Umstellung gitea auf oauth/uffd #45

parent 643fbecc
......@@ -378,7 +378,9 @@
- {
role: verwaltung/docker_gitea, tags: [ gitea, docker_services ],
servicename: "gitea",
domain: "verwaltung-git.warpzone.ms"
basedir: /srv/gitea,
domain: "verwaltung-git.warpzone.ms",
git_ssh_port: 444
}
- {
role: verwaltung/cryptdata, tags: cryptdata,
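Review bot: the old `domain: "verwaltung-git.warpzone.ms"` entry (without trailing comma) and the new `domain: "verwaltung-git.warpzone.ms",` entry are visible side by side in this flow mapping; make sure the final host entry carries `domain` only once, since a duplicate key in a YAML flow mapping is silently overridden rather than rejected. `git_ssh_port: 444` is reused further down in this commit both as the SSH port and as a hextet of the container network's IPv6 subnet, so a short comment here documenting that the value must stay within 1-4 hex-valid digits would prevent a later surprise when the port is changed.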
......
# Overview
* Authentication to Gitea is possible with an account in uffd, regular authentication is only used for initial admin user
* All users with group 'gitea_access' can access Gitea, the user in Gitea is created on first login
* Users with group 'gitea_admin' are added to the Administrators group in Gitea
* Additional groups are assigned if the name of the group matches in uffd and Gitea
# Setup OIDC Authentication via uffd
Schritt 1: OpenID Connect Konfiguration in Uffd
1. neuen Dienst erstellen
2. OAuth2 Client-ID erstellen
- Client-ID: gitea
- Client-Secret: <geheim>
- Redirect-URIs: https://<gitea-domain>/user/oauth2/uffd/callback
Schritt 2: Gitea für OpenID Connect konfigurieren
1. login in gitea als admin
2. Administratoreinstellungen > Indentität & Zugriff > Authentifizierungsquellen : Authentifizierungsquelle hinzufügen
- Authentifizierungstyp: OAuth2
- Authentifizierungsname: <uffd>
- OAuth2-Anbieter: OpenID Connect
- Client-ID: gitea
- Client-Secret: <geheim>
- OpenID-Connect-Auto-Discovery-URL: https://<Uffd-Server>/.well-known/openid-configuration
- Claim-Name: groups
- Gruppen-Claim-Wert für Administratoren: gitea_admin
- Map claimed groups to Organization teams: <s. unten>
- Remove users from synchronized teams: Ja
- This Authentication Source is activated: Ja
3. Mapping von Gruppen zu Organisationen / Teams: Das folgende Beispiel fügt alle benutzer mit der Gruppe 'gitea_testgroup' in uffd in die Organisation 'testgroup_org' und dort in das Team 'Owners' ein. Die Organisation und das Team müssen in Gitea vorher erstellt werden.
```
{
"gitea_testgroup": { "testgroup_org": [ "Owners" ] }
}
```
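Review bot: the authentication source name in step 2 is given as the placeholder `<uffd>`, but the redirect URI in step 1 hard-codes `https://<gitea-domain>/user/oauth2/uffd/callback`; Gitea derives the callback path from the authentication source name, so the two must match exactly and the README should state that the name has to be `uffd` (or parametrize both). `Indentität` should read `Identität`. For the group mapping example it would help to note that membership is evaluated at login and that `Remove users from synchronized teams: Ja` is what causes users dropped from `gitea_testgroup` in uffd to be removed from `Owners` again.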
......@@ -12,9 +12,9 @@ services:
environment:
APP_NAME: "Warpzone Verwaltung"
RUN_MODE: "prod"
SSH_DOMAIN: "verwaltung-git.warpzone.ms"
SSH_PORT: "444"
ROOT_URL: "https://verwaltung-git.warpzone.ms"
SSH_DOMAIN: "{{ domain }}"
SSH_PORT: "{{ git_ssh_port}}"
ROOT_URL: "https://{{ domain }}"
HTTP_PORT: "42001"
USER_UID: "1000"
USER_GID: "1000"
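Review bot: `"{{ git_ssh_port}}"` lacks the space before `}}` that `{{ domain }}` and the other templated values use; Jinja2 accepts it, but keep the style consistent. Now that `SSH_DOMAIN`, `SSH_PORT` and `ROOT_URL` depend on `domain` and `git_ssh_port` from the playbook, a host without `git_ssh_port` would render an empty `SSH_PORT: ""`; an `assert` on the variable in the role (or a default) would fail early instead.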
......@@ -23,6 +23,14 @@ services:
DB_NAME: "gitea"
DB_USER: "gitea"
DB_PASSWD: "{{ mysql_user_pw }}"
GITEA__service__ALLOW_ONLY_EXTERNAL_REGISTRATION: "true"
GITEA__openid__ENABLE_OPENID_SIGNUP: "true"
GITEA__oauth2_client__REGISTER_EMAIL_CONFIRM: "false"
GITEA__oauth2_client__OPENID_CONNECT_SCOPES: "openid profile email groups"
GITEA__oauth2_client__ENABLE_AUTO_REGISTRATION: "true"
GITEA__oauth2_client__USERNAME: "prefered_username"
GITEA__oauth2_client__UPDATE_AVATAR: "true"
GITEA__oauth2_client__ACCOUNT_LINKING: "login"
labels:
- traefik.enable=true
- traefik.http.routers.{{ servicename }}.rule=Host(`{{ domain }}`)
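Review bot: `GITEA__oauth2_client__USERNAME: "prefered_username"` misspells the OIDC claim `preferred_username`; Gitea's documented sources for this setting are `userid`, `nickname`, `email` and `preferred_username`, so as written the intended claim is not selected. Verify the spelling against the config cheat sheet of the deployed Gitea version. The combination `ENABLE_AUTO_REGISTRATION: "true"` with `REGISTER_EMAIL_CONFIRM: "false"` creates a Gitea account for every identity that completes the callback without any further check; that is acceptable only because `ALLOW_ONLY_EXTERNAL_REGISTRATION: "true"` disables local sign-up and, per the README, uffd limits the client to the `gitea_access` group, and a comment saying so would keep the next editor from relaxing either half. `ACCOUNT_LINKING: "login"` requires a password login to link an existing local account, which fits the initial admin user described in the README.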
......@@ -59,4 +67,4 @@ networks:
driver: default
config:
# must be a ULA range
- subnet: fd00:dead:beef:444::/64
- subnet: fd00:dead:beef:{{ git_ssh_port }}::/64
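Review bot: `fd00:dead:beef:{{ git_ssh_port }}::/64` reinterprets the decimal port as a hexadecimal hextet (444 becomes 0x444) and only renders a valid address while the value has at most four digits; a port such as 22222 would produce an invalid subnet and Docker would refuse to create the network. A dedicated variable for the subnet id, or an `assert` in the role on the length of `git_ssh_port`, would make the coupling explicit; the `# must be a ULA range` comment should stay.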