kevinveenbirkenbach/computer-playbook
1
0
Fork 0
mirror of https://github.com/kevinveenbirkenbach/computer-playbook.git synced 2025-09-05 18:01:40 +02:00
Code Issues Packages Projects Releases Wiki Activity

Implemented OIDC für LDAP

Browse Source
This commit is contained in:
Kevin Veen-Birkenbach
2025-06-26 21:16:07 +02:00
parent f86568fb85
commit 6d4723b321
18 changed files with 187 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
roles/docker-gitea/meta/schema.yml
View File

@@ -1 +1,5 @@
credentials:
oauth2_proxy_cookie_secret:
description: "Secret used to encrypt cookies for the OAuth2 proxy (hex-encoded, 16 bytes)"
algorithm: "sha256"
validation: "^[a-f0-9]{32}$"

41
roles/docker-gitea/tasks/main.yml
View File

@@ -11,3 +11,44 @@
http_port: "{{ ports.localhost.http[application_id] }}"
- include_tasks: "{{ playbook_dir }}/roles/docker-compose/tasks/create-files.yml"
- name: Wait for Gitea HTTP endpoint
wait_for:
host: "127.0.0.1"
port: "{{ ports.localhost.http[application_id] }}"
delay: 5
timeout: 300
- name: "Run DB migrations inside Gitea container"
shell: |
docker-compose -f "{{ docker_compose.directories.instance }}/docker-compose.yml" \
exec -T --user git application \
/app/gitea/gitea migrate
args:
chdir: "{{ docker_compose.directories.instance }}"
register: migrate
changed_when: "'migrations completed' in migrate.stdout"
- name: "Create initial admin user"
shell: |
docker-compose -f "{{ docker_compose.directories.instance }}/docker-compose.yml" \
exec -T --user git application \
/app/gitea/gitea admin user create \
--admin \
--username "{{ users.administrator.username }}" \
--password "{{ users.administrator.password }}" \
--email "{{ users.administrator.email }}" \
-c /data/gitea/conf/app.ini
args:
chdir: "{{ docker_compose.directories.instance }}"
register: create_admin
changed_when: "'has been successfully created' in create_admin.stdout"
failed_when: create_admin.rc != 0 and 'user already exists' not in create_admin.stderr
- name: Execute OIDC Routine
include_tasks: oidc.yml
vars:
action: add
register: oidc_add
ignore_errors: true
when: applications | is_feature_enabled('oidc', application_id)

63
roles/docker-gitea/tasks/oidc.yml Normal file
View File

@@ -0,0 +1,63 @@
- name: "Wait until Gitea setup and migrations are ready"
uri:
url: "http://127.0.0.1:{{ ports.localhost.http[application_id] }}/api/v1/version"
method: GET
status_code: 200
return_content: no
register: gitea_ready
until: gitea_ready.status == 200
retries: 20
delay: 5
- name: "Add Keycloak OIDC Provider"
shell: |
docker-compose -f "{{ docker_compose.directories.instance }}/docker-compose.yml" \
exec -T --user git application \
gitea admin auth add-oauth \
--provider openidConnect \
--name "{{ oidc.button_text }}" \
--key "{{ oidc.client.id }}" \
--secret "{{ oidc.client.secret }}" \
--auto-discover-url "{{ oidc.client.discovery_document }}" \
--scopes "openid profile email"
args:
chdir: "{{ docker_compose.directories.instance }}"
register: oidc_manage
failed_when: oidc_manage.rc != 0 and "login source already exists" not in oidc_manage.stderr
- name: "Lookup existing Keycloak auth source ID"
shell: |
docker-compose -f "{{ docker_compose.directories.instance }}/docker-compose.yml" \
exec -T --user git application \
/app/gitea/gitea admin auth list \
| tail -n +2 \
| grep -F "{{ oidc.button_text }}" \
| awk '{print $1; exit}'
args:
chdir: "{{ docker_compose.directories.instance }}"
register: oidc_source_id_raw
failed_when:
- oidc_source_id_raw.rc != 0
- oidc_source_id_raw.stdout == ""
changed_when: false
- name: "Set Keycloak source ID fact"
set_fact:
oidc_source_id: "{{ oidc_source_id_raw.stdout }}"
- name: "Update Keycloak OIDC Provider"
shell: |
docker-compose -f "{{ docker_compose.directories.instance }}/docker-compose.yml" \
exec -T --user git application \
gitea admin auth update-oauth \
--id {{ oidc_source_id }}\
--provider openidConnect \
--name "{{ oidc.button_text }}" \
--key "{{ oidc.client.id }}" \
--secret "{{ oidc.client.secret }}" \
--auto-discover-url "{{ oidc.client.discovery_document }}" \
--scopes "openid profile email"
args:
chdir: "{{ docker_compose.directories.instance }}"
register: oidc_manage
failed_when: oidc_manage.rc != 0

46
roles/docker-gitea/templates/env.j2
View File

@@ -14,6 +14,7 @@ DOMAIN={{domains | get_domain(application_id)}}
SSH_DOMAIN={{domains | get_domain(application_id)}}
RUN_MODE="{{ 'dev' if (CYMAIS_ENVIRONMENT | lower) == 'development' else 'prod' }}"
ROOT_URL="{{ web_protocol }}://{{domains | get_domain(application_id)}}/"
APP_NAME="{{ applications[application_id].title }}"
# Mail Configuration
# @see https://docs.gitea.com/next/installation/install-with-docker#managing-deployments-with-environment-variables
@@ -30,4 +31,47 @@ GITEA__mailer__PASSWD={{ users['no-reply'].mailu_token }}
# @see https://github.com/go-gitea/gitea/issues/17619
GITEA__REPOSITORY__ENABLE_PUSH_CREATE_USER={{ applications[application_id].configuration.repository.enable_push_create_user | lower }}
GITEA__REPOSITORY__DEFAULT_PRIVATE={{ applications[application_id].configuration.repository.default_private | lower }}
GITEA__REPOSITORY__DEFAULT_PUSH_CREATE_PRIVATE={{ applications[application_id].configuration.repository.default_push_create_private | lower }}
GITEA__REPOSITORY__DEFAULT_PUSH_CREATE_PRIVATE={{ applications[application_id].configuration.repository.default_push_create_private | lower }}
GITEA__security__INSTALL_LOCK=true # Locks the installation page
{% if applications | is_feature_enabled('oidc',application_id) %}
GITEA__openid__ENABLE_OPENID_SIGNUP=true
GITEA__openid__ENABLE_OPENID_SIGNUP=true
{% endif %}
{% if applications | is_feature_enabled('ldap',application_id) %}
# ------------------------------------------------
# LDAP Authentication (via BindDN)
# ------------------------------------------------
GITEA__auth__LDAP__ENABLED={{ applications | is_feature_enabled('ldap',application_id) | string | lower }}
GITEA__auth__LDAP__HOST={{ ldap.server.domain }}
GITEA__auth__LDAP__PORT={{ ldap.server.port }}
# security protocol: "", "SSL" or "TLS"
GITEA__auth__LDAP__SECURITY={{ ldap.server.security | trim or "unencrypted" }}
GITEA__auth__LDAP__BIND_DN={{ ldap.dn.administrator }}
GITEA__auth__LDAP__BIND_PASSWORD={{ ldap.bind_credential }}
GITEA__auth__LDAP__USER_SEARCH_BASE={{ ldap.dn.users }}
GITEA__auth__LDAP__USER_FILTER={{ ldap.filters.user_filter }}
# map LDAP attributes to Gitea fields
GITEA__auth__LDAP__ATTRIBUTE_USERNAME={{ ldap.attributes.user_id }}
GITEA__auth__LDAP__ATTRIBUTE_FULL_NAME={{ ldap.attributes.name }}
GITEA__auth__LDAP__ATTRIBUTE_MAIL={{ ldap.attributes.mail }}
# ------------------------------------------------
# Periodic sync for external LDAP users
# ------------------------------------------------
GITEA__cron__SYNC_EXTERNAL_USERS_ENABLED=true
# default: sync daily at midnight
GITEA__cron__SYNC_EXTERNAL_USERS_CRON=0 0 * * *
{% endif %}
# ------------------------------------------------
# Disable user self-registration
# ------------------------------------------------
# After this only admins can create accounts
GITEA__service__DISABLE_REGISTRATION=false

12
roles/docker-gitea/vars/configuration.yml
View File

@@ -1,3 +1,4 @@
title: "CyMaIS Code Hub"
images:
gitea: "gitea/gitea:latest"
configuration:
@@ -7,9 +8,18 @@ configuration:
default_push_create_private: True # Default private when creating a new repository with push-to-create.
features:
matomo: true
css: true
css: false
portfolio_iframe: true
central_database: true
ldap: false # Deactivated because OIDC is implemented
oauth2: false # Deactivated. Use OIDC instead.
oidc: true
oauth2_proxy:
application: "application"
port: "80"
acl:
blacklist:
- "/user/login"
csp:
flags:
script-src-elem: