diff --git a/site.yml b/site.yml
index 6d89934acd043a3830694ec049476e37296d2f2e..bf53d8a6e7b94cce63825fcb21e72d626fd223ab 100644
--- a/site.yml
+++ b/site.yml
@@ -378,7 +378,9 @@
 - { role: verwaltung/docker_gitea,
 tags: [ gitea, docker_services ],
 servicename: "gitea",
- domain: "verwaltung-git.warpzone.ms"
+ basedir: /srv/gitea,
+ domain: "verwaltung-git.warpzone.ms",
+ git_ssh_port: 444
 }
 - { role: verwaltung/cryptdata,
 tags: cryptdata,
diff --git a/verwaltung/docker_gitea/Documentation.md b/verwaltung/docker_gitea/Documentation.md
new file mode 100644
index 0000000000000000000000000000000000000000..bc2c753e38dc78947d128d45a4d5717ad490b9af
--- /dev/null
+++ b/verwaltung/docker_gitea/Documentation.md
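Review bot: `basedir: /srv/gitea` is the only unquoted string among the three added keys of the docker_gitea role entry; for consistency with the sibling `servicename` and `domain` values write `basedir: "/srv/gitea"`. `git_ssh_port: 444` is fine as an integer because the compose template interpolates it inside a quoted scalar, but the same value is also spliced into the container network's IPv6 prefix in templates/docker-compose.yml in this commit, so changing the port here silently renumbers that network. A one-line comment above the key would spare the next editor that surprise, e.g. `# also used as the IPv6 ULA hextet in templates/docker-compose.yml`.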
@@ -0,0 +1,41 @@
+
+# Overview
+
+* Authentication to Gitea is possible with an account in uffd, regular authentication is only used for initial admin user
+* All users with group 'gitea_access' can access Gitea, the user in Gitea is created on first login
+* Users with group 'gitea_admin' are added to the Administrators group in Gitea
+* Additional groups are assigned if the name of the group matches in uffd and Gitea
+
+# Setup OIDC Authentication via uffd
+
+Schritt 1: OpenID Connect Konfiguration in Uffd
+
+ 1. neuen Dienst erstellen
+ 2. OAuth2 Client-ID erstellen
+ - Client-ID: gitea
+ - Client-Secret: <geheim>
+ - Redirect-URIs: https://<gitea-domain>/user/oauth2/uffd/callback
+
+Schritt 2: Gitea für OpenID Connect konfigurieren
+
+ 1. login in gitea als admin
+ 2. Administratoreinstellungen > Indentität & Zugriff > Authentifizierungsquellen : Authentifizierungsquelle hinzufügen
+ - Authentifizierungstyp: OAuth2
+ - Authentifizierungsname: <uffd>
+ - OAuth2-Anbieter: OpenID Connect
+ - Client-ID: gitea
+ - Client-Secret: <geheim>
+ - OpenID-Connect-Auto-Discovery-URL: https://<Uffd-Server>/.well-known/openid-configuration
+ - Claim-Name: groups
+ - Gruppen-Claim-Wert für Administratoren: gitea_admin
+ - Map claimed groups to Organization teams: <s. unten>
+ - Remove users from synchronized teams: Ja
+ - This Authentication Source is activated: Ja
+
+ 3. Mapping von Gruppen zu Organisationen / Teams: Das folgende Beispiel fügt alle benutzer mit der Gruppe 'gitea_testgroup' in uffd in die Organisation 'testgroup_org' und dort in das Team 'Owners' ein. Die Organisation und das Team müssen in Gitea vorher erstellt werden.
+ ```
+ {
+ "gitea_testgroup": { "testgroup_org": [ "Owners" ] }
+ }
+ ```
+
diff --git a/verwaltung/docker_gitea/templates/docker-compose.yml b/verwaltung/docker_gitea/templates/docker-compose.yml
index 38908d72896d05448e10a8a33353683368150625..373c451f2407429a316c3f1f9930d31354b605d5 100644
--- a/verwaltung/docker_gitea/templates/docker-compose.yml
+++ b/verwaltung/docker_gitea/templates/docker-compose.yml
@@ -12,9 +12,9 @@ services:
 environment:
 APP_NAME: "Warpzone Verwaltung"
 RUN_MODE: "prod"
- SSH_DOMAIN: "verwaltung-git.warpzone.ms"
- SSH_PORT: "444"
- ROOT_URL: "https://verwaltung-git.warpzone.ms"
+ SSH_DOMAIN: "{{ domain }}"
+ SSH_PORT: "{{ git_ssh_port}}"
+ ROOT_URL: "https://{{ domain }}"
 HTTP_PORT: "42001"
 USER_UID: "1000"
 USER_GID: "1000"
@@ -23,6 +23,14 @@ services:
 DB_NAME: "gitea"
 DB_USER: "gitea"
 DB_PASSWD: "{{ mysql_user_pw }}"
+ GITEA__service__ALLOW_ONLY_EXTERNAL_REGISTRATION: "true"
+ GITEA__openid__ENABLE_OPENID_SIGNUP: "true"
+ GITEA__oauth2_client__REGISTER_EMAIL_CONFIRM: "false"
+ GITEA__oauth2_client__OPENID_CONNECT_SCOPES: "openid profile email groups"
+ GITEA__oauth2_client__ENABLE_AUTO_REGISTRATION: "true"
+ GITEA__oauth2_client__USERNAME: "prefered_username"
+ GITEA__oauth2_client__UPDATE_AVATAR: "true"
+ GITEA__oauth2_client__ACCOUNT_LINKING: "login"
 labels:
 - traefik.enable=true
 - traefik.http.routers.{{ servicename }}.rule=Host(`{{ domain }}`)
@@ -59,4 +67,4 @@ networks:
 driver: default
 config:
 # must be a ULA range
- - subnet: fd00:dead:beef:444::/64
+ - subnet: fd00:dead:beef:{{ git_ssh_port }}::/64
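Review bot: `SSH_PORT: "{{ git_ssh_port}}"` is missing the space before `}}` that every other Jinja expression in this template uses; Jinja accepts it, but write `SSH_PORT: "{{ git_ssh_port }}"` so the variable is greppable in one spelling. The hunk templates only the environment block; if the service's `ports:` mapping or a Traefik TCP entrypoint for SSH (both outside this hunk, so I cannot see them) still publishes the port as a literal `444`, it should read from the same variable, otherwise SSH_PORT and the actually published port can drift apart after a single edit in site.yml. The enclosing `services:`/`environment:` block begins before this hunk.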
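Review bot: `GITEA__oauth2_client__USERNAME: "prefered_username"` misspells the OIDC claim, which is `preferred_username`; as far as I recall Gitea validates this option against a fixed list and silently falls back to `nickname` when the value is unrecognised, so Gitea usernames would not follow uffd's preferred_username as the new Documentation.md implies — change it to `GITEA__oauth2_client__USERNAME: "preferred_username"` and check the startup log for a fallback warning. Separately, `GITEA__openid__ENABLE_OPENID_SIGNUP` belongs to Gitea's legacy OpenID 2.0 `[openid]` section, not to OAuth2/OIDC authentication sources; if the intent is OIDC-only via uffd this key does nothing for that flow and, to my knowledge, keeps self-registration through arbitrary OpenID 2.0 providers open unless `WHITELISTED_URIS` restricts it, which would undercut the "only users in gitea_access" statement in Documentation.md — please confirm against the Gitea config cheat sheet and drop it if not required. The registration keys (`ALLOW_ONLY_EXTERNAL_REGISTRATION`, `ENABLE_AUTO_REGISTRATION`, `REGISTER_EMAIL_CONFIRM: "false"`) would also benefit from one comment above them stating the intent, e.g. `# accounts exist only via the uffd OIDC source; no local sign-up, no e-mail confirmation`.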
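Review bot: `- subnet: fd00:dead:beef:{{ git_ssh_port }}::/64` turns the SSH port number into an IPv6 hextet, which couples two unrelated settings: the port is a decimal integer while the address field holds at most four hex digits, so any five-digit port (e.g. 22222) renders an invalid network definition, and merely changing the port silently renumbers the container network. Give the prefix its own variable, e.g. `- subnet: "{{ gitea_ula_subnet }}"` with `gitea_ula_subnet` (a name suggested here, adjust to the repo's convention) set next to `git_ssh_port` in site.yml, quoted so the rendered value is always read as a string. The existing `# must be a ULA range` comment could then name the actual constraint, e.g. `# must be a ULA range (fd00::/8); keep it unique across the host's docker networks`. The enclosing `networks:` block begins before this hunk.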