Merge branch 'master' of ssh://gitlab.warpzone.ms:444/infrastruktur/ansible-warpzone

site.yml

@@ -378,7 +378,9 @@
     - { 
         role: verwaltung/docker_gitea, tags: [ gitea, docker_services ],
         servicename: "gitea",
-        domain: "verwaltung-git.warpzone.ms"
+        basedir: /srv/gitea,
+        domain: "verwaltung-git.warpzone.ms",
+        git_ssh_port: 444
       }
     - { 
         role: verwaltung/cryptdata, tags: cryptdata,

verwaltung/docker_gitea/Documentation.md

+
+# Overview 
+
+* Authentication to Gitea is possible with an account in uffd, regular authentication is only used for initial admin user  
+* All users with group 'gitea_access' can access Gitea, the user in Gitea is created on first login 
+* Users with group 'gitea_admin' are added to the Administrators group in Gitea 
+* Additional groups are assigned if the name of the group matches in uffd and Gitea
+
+# Setup OIDC Authentication via uffd 
+
+Schritt 1: OpenID Connect Konfiguration in Uffd
+
+    1. neuen Dienst erstellen
+    2. OAuth2 Client-ID erstellen
+        - Client-ID: gitea
+        - Client-Secret: <geheim>
+        - Redirect-URIs: https://<gitea-domain>/user/oauth2/uffd/callback
+
+Schritt 2: Gitea für OpenID Connect konfigurieren
+
+    1. login in gitea als admin
+    2. Administratoreinstellungen > Indentität & Zugriff > Authentifizierungsquellen : Authentifizierungsquelle hinzufügen
+        - Authentifizierungstyp: OAuth2
+        - Authentifizierungsname: <uffd>
+        - OAuth2-Anbieter: OpenID Connect
+        - Client-ID: gitea
+        - Client-Secret: <geheim>
+        - OpenID-Connect-Auto-Discovery-URL: https://<Uffd-Server>/.well-known/openid-configuration
+        - Claim-Name: groups
+        - Gruppen-Claim-Wert für Administratoren: gitea_admin
+        - Map claimed groups to Organization teams: <s. unten>
+        - Remove users from synchronized teams: Ja
+        - This Authentication Source is activated: Ja
+
+    3. Mapping von Gruppen zu Organisationen / Teams: Das folgende Beispiel fügt alle benutzer mit der Gruppe 'gitea_testgroup' in uffd in die Organisation 'testgroup_org' und dort in das Team 'Owners' ein. Die Organisation und das Team müssen in Gitea vorher erstellt werden. 
+        ```
+        {
+            "gitea_testgroup": { "testgroup_org": [ "Owners" ] }
+        }
+        ```
+

verwaltung/docker_gitea/templates/docker-compose.yml

@@ -12,9 +12,9 @@ services:
     environment:
       APP_NAME: "Warpzone Verwaltung"
       RUN_MODE: "prod"
-      SSH_DOMAIN: "verwaltung-git.warpzone.ms"
-      SSH_PORT: "444"
-      ROOT_URL: "https://verwaltung-git.warpzone.ms"
+      SSH_DOMAIN: "{{ domain }}"
+      SSH_PORT: "{{ git_ssh_port}}"
+      ROOT_URL: "https://{{ domain }}"
       HTTP_PORT: "42001"
       USER_UID: "1000"
       USER_GID: "1000"
@@ -23,6 +23,14 @@ services:
       DB_NAME: "gitea"
       DB_USER: "gitea"
       DB_PASSWD: "{{ mysql_user_pw }}"
+      GITEA__service__ALLOW_ONLY_EXTERNAL_REGISTRATION: "true"
+      GITEA__openid__ENABLE_OPENID_SIGNUP: "true"
+      GITEA__oauth2_client__REGISTER_EMAIL_CONFIRM: "false"
+      GITEA__oauth2_client__OPENID_CONNECT_SCOPES: "openid profile email groups"
+      GITEA__oauth2_client__ENABLE_AUTO_REGISTRATION: "true"
+      GITEA__oauth2_client__USERNAME: "prefered_username"
+      GITEA__oauth2_client__UPDATE_AVATAR: "true"
+      GITEA__oauth2_client__ACCOUNT_LINKING: "login"      
     labels:
       - traefik.enable=true
       - traefik.http.routers.{{ servicename }}.rule=Host(`{{ domain }}`)
@@ -59,4 +67,4 @@ networks:
       driver: default
       config:
         # must be a ULA range
-        - subnet: fd00:dead:beef:444::/64
+        - subnet: fd00:dead:beef:{{ git_ssh_port }}::/64