From b3e82fa457ea9265588140ecd8aa1ab69c924554 Mon Sep 17 00:00:00 2001
From: Kevin Veen-Birkenbach
Date: Fri, 27 Jun 2025 17:25:12 +0200
Subject: [PATCH] Added SSH Pub Key implementation in Gitea
---
 group_vars/all/12_iam.yml | 1 +
 roles/docker-gitea/tasks/setup/ldap.yml | 30 +++----------------------
 roles/docker-gitea/vars/main.yml | 17 +++++++++++++-
 3 files changed, 20 insertions(+), 28 deletions(-)
diff --git a/group_vars/all/12_iam.yml b/group_vars/all/12_iam.yml
index 8ea63989..076899c5 100644
--- a/group_vars/all/12_iam.yml
+++ b/group_vars/all/12_iam.yml
@@ -93,6 +93,7 @@ ldap:
 fullname: "cn"
 firstname: "givenname"
 surname: "sn"
+ ssh_public_key: "sshPublicKey"
 # Password to access dn.bind
 bind_credential: "{{applications.ldap.credentials.administrator_database_password}}"
 server:
diff --git a/roles/docker-gitea/tasks/setup/ldap.yml b/roles/docker-gitea/tasks/setup/ldap.yml
index d65e301f..d4fc95f2 100644
--- a/roles/docker-gitea/tasks/setup/ldap.yml
+++ b/roles/docker-gitea/tasks/setup/ldap.yml
@@ -3,19 +3,7 @@
 docker-compose -f "{{ docker_compose.directories.instance }}/docker-compose.yml" \
 exec -T --user git application \
 gitea admin auth add-ldap \
- --name "LDAP ({{ primary_domain }})" \
- --host "{{ ldap.server.domain }}" \
- --port {{ ldap.server.port }} \
- --security-protocol "{{ ldap.server.security | trim or 'unencrypted' }}" \
- --bind-dn "{{ ldap.dn.administrator.data }}" \
- --bind-password "{{ ldap.bind_credential }}" \
- --user-search-base "{{ ldap.dn.users }}" \
- --user-filter "{{ ldap.filters.users.login }}" \
- --username-attribute "{{ ldap.attributes.user_id }}" \
- --firstname-attribute "{{ ldap.attributes.firstname }}" \
- --surname-attribute "{{ ldap.attributes.surname }}" \
- --email-attribute "{{ ldap.attributes.mail }}" \
- --synchronize-users # turns on per-login sync
+ {{ gitea_ldap_auth_args | join(' ') }}
 args:
 chdir: "{{ docker_compose.directories.instance }}"
 register: ldap_manage
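Review bot: The add-ldap call now gets its filter from the hard-coded `--user-filter "(&(objectClass=inetOrgPerson)(uid=%s))"` entry in `gitea_ldap_auth_args`, whereas the removed line read `--user-filter "{{ ldap.filters.users.login }}"`, so the add path silently changes behaviour whenever the group_vars filter differs from that literal (the update-ldap hunk below already used the literal, so only the add path is affected). If the group_vars value is meant to be the source of truth, the list entry should become `- '--user-filter "{{ ldap.filters.users.login }}"'`; otherwise the commit message should state that the filter was deliberately unified. Separately, the joined arguments include `--bind-password`, so unless the task already sets `no_log: true` the LDAP bind credential ends up in the registered `ldap_manage` result and in verbose or failure output; the task header is outside this hunk, so I cannot confirm either way. The enclosing shell task starts before the hunk.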
@@ -46,20 +34,8 @@
 docker-compose -f "{{ docker_compose.directories.instance }}/docker-compose.yml" \
 exec -T --user git application \
 gitea admin auth update-ldap \
- --id {{ ldap_source_id }} \
- --name "LDAP ({{ primary_domain }})" \
- --host "{{ ldap.server.domain }}" \
- --port {{ ldap.server.port }} \
- --security-protocol "{{ ldap.server.security | trim or 'unencrypted' }}" \
- --bind-dn "{{ ldap.dn.administrator.data }}" \
- --bind-password "{{ ldap.bind_credential }}" \
- --user-search-base "{{ ldap.dn.users }}" \
- --user-filter "(&(objectClass=inetOrgPerson)(uid=%s))" \
- --username-attribute "{{ ldap.attributes.user_id }}" \
- --firstname-attribute "{{ ldap.attributes.firstname }}" \
- --surname-attribute "{{ ldap.attributes.surname }}" \
- --email-attribute "{{ ldap.attributes.mail }}" \
- --synchronize-users
+ --id {{ ldap_source_id }} \
+ {{ gitea_ldap_auth_args | join(' ') }}
 args:
 chdir: "{{ docker_compose.directories.instance }}"
 register: ldap_manage
diff --git a/roles/docker-gitea/vars/main.yml b/roles/docker-gitea/vars/main.yml
index 25d7dc20..799e9649 100644
--- a/roles/docker-gitea/vars/main.yml
+++ b/roles/docker-gitea/vars/main.yml
@@ -1,2 +1,17 @@
 application_id: "gitea"
-database_type: "mariadb"
\ No newline at end of file
+database_type: "mariadb"
+gitea_ldap_auth_args:
+ - '--name "LDAP ({{ primary_domain }})"'
+ - '--host "{{ ldap.server.domain }}"'
+ - '--port {{ ldap.server.port }}'
+ - '--security-protocol "{{ ldap.server.security | trim or "unencrypted" }}"'
+ - '--bind-dn "{{ ldap.dn.administrator.data }}"'
+ - '--bind-password "{{ ldap.bind_credential }}"'
+ - '--user-search-base "{{ ldap.dn.users }}"'
+ - '--user-filter "(&(objectClass=inetOrgPerson)(uid=%s))"'
+ - '--username-attribute "{{ ldap.attributes.user_id }}"'
+ - '--firstname-attribute "{{ ldap.attributes.firstname }}"'
+ - '--surname-attribute "{{ ldap.attributes.surname }}"'
+ - '--email-attribute "{{ ldap.attributes.mail }}"'
+ - '--public-ssh-key-attribute "{{ ldap.attributes.ssh_public_key }}"'
+ - '--synchronize-users'
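Review bot: `--bind-password "{{ ldap.bind_credential }}"` interpolates the credential into a shell command line protected only by hand-written double quotes, so a password containing `"`, `$` or a backtick either breaks the command or is expanded by the shell; using Ansible's `quote` filter in place of the literal quotes, `- '--bind-password {{ ldap.bind_credential | quote }}'`, makes the argument safe for any value, and the same treatment suits `--bind-dn` and `--user-search-base`, whose values can contain shell-significant characters. Adding `--public-ssh-key-attribute` means Gitea will now accept SSH keys from the directory's `sshPublicKey` attribute, so write access to that attribute becomes equivalent to SSH access to the user's Gitea account; a comment next to the `ssh_public_key` mapping should say that the directory ACL must limit who can modify it. `--security-protocol` still falls back to `unencrypted` when `ldap.server.security` is empty, which sends the bind credential in clear text — carried over from the removed lines, but worth a comment such as `# empty ldap.server.security falls back to unencrypted LDAP; set it explicitly in production`.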