kevinveenbirkenbach/computer-playbook
1
0
Fork 0
mirror of https://github.com/kevinveenbirkenbach/computer-playbook.git synced 2025-09-05 18:01:40 +02:00
Code Issues Packages Projects Releases Wiki Activity

Replaced OIDC login for gitea with oauth2 proxy and LDAP to guaranty correct username etc.

Browse Source
This commit is contained in:
Kevin Veen-Birkenbach
2025-06-27 02:19:12 +02:00
parent 6d4723b321
commit bb73e948d3
27 changed files with 241 additions and 78 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
roles/docker-gitea/Administration.md
View File

@@ -26,4 +26,13 @@ To access the database execute
docker-compose exec -it database /bin/mysql -u gitea -p
```
## bash in application
docker-compose exec -it application /bin/sh
docker-compose exec -it application /bin/sh
## user management
### Change password
```bash
docker-compose exec --user git application gitea admin user change-password \
--username administrator \
--password "MyNewSecureP@ssw0rd"
```

2
roles/docker-gitea/meta/schema.yml
View File

@@ -1,5 +1,5 @@
credentials:
oauth2_proxy_cookie_secret:
description: "Secret used to encrypt cookies for the OAuth2 proxy (hex-encoded, 16 bytes)"
algorithm: "sha256"
algorithm: "random_hex_16"
validation: "^[a-f0-9]{32}$"

7
roles/docker-gitea/tasks/cleanup.yml Normal file
View File

@@ -0,0 +1,7 @@
- name: Execute OIDC Cleanup Routine
include_tasks: cleanup/oidc.yml
when: not (applications | is_feature_enabled('oidc', application_id))
- name: Execute LDAP Cleanup Routine
include_tasks: cleanup/ldap.yml
when: not (applications | is_feature_enabled('ldap', application_id))

22
roles/docker-gitea/tasks/cleanup/ldap.yml Normal file
View File

@@ -0,0 +1,22 @@
- name: "Lookup existing LDAP auth source ID"
shell: |
docker-compose -f "{{ docker_compose.directories.instance }}/docker-compose.yml" \
exec -T --user git application \
gitea admin auth list \
| awk -v name="LDAP ({{ primary_domain }})" '$0 ~ name {print $1; exit}'
args:
chdir: "{{ docker_compose.directories.instance }}"
register: ldap_source_id_raw
failed_when: false
changed_when: false
- name: "Delete existing LDAP auth source if present"
shell: |
docker-compose -f "{{ docker_compose.directories.instance }}/docker-compose.yml" \
exec -T --user git application \
gitea admin auth delete --id {{ ldap_source_id_raw.stdout }}
args:
chdir: "{{ docker_compose.directories.instance }}"
when: ldap_source_id_raw.stdout != ""
register: ldap_delete
failed_when: ldap_delete.rc != 0

23
roles/docker-gitea/tasks/cleanup/oidc.yml Normal file
View File

@@ -0,0 +1,23 @@
- name: "Lookup existing OIDC auth source ID"
shell: |
docker-compose -f "{{ docker_compose.directories.instance }}/docker-compose.yml" \
exec -T --user git application \
gitea admin auth list \
| awk -v name="{{ oidc.button_text }}" '$0 ~ name {print $1; exit}'
args:
chdir: "{{ docker_compose.directories.instance }}"
register: oidc_source_id_raw
failed_when: false
changed_when: false
- name: "Delete existing OIDC auth source if present"
shell: |
docker-compose -f "{{ docker_compose.directories.instance }}/docker-compose.yml" \
exec -T --user git application \
gitea admin auth delete --id {{ oidc_source_id_raw.stdout }}
args:
chdir: "{{ docker_compose.directories.instance }}"
when: oidc_source_id_raw.stdout != ""
register: oidc_delete
failed_when: oidc_delete.rc != 0

25
roles/docker-gitea/tasks/main.yml
View File

@@ -45,10 +45,21 @@
changed_when: "'has been successfully created' in create_admin.stdout"
failed_when: create_admin.rc != 0 and 'user already exists' not in create_admin.stderr
- name: Execute OIDC Routine
include_tasks: oidc.yml
vars:
action: add
register: oidc_add
ignore_errors: true
when: applications | is_feature_enabled('oidc', application_id)
- name: "Wait until Gitea setup and migrations are ready"
uri:
url: "http://127.0.0.1:{{ ports.localhost.http[application_id] }}/api/v1/version"
method: GET
status_code: 200
return_content: no
register: gitea_ready
until: gitea_ready.status == 200
retries: 20
delay: 5
when: applications | is_feature_enabled('oidc', application_id) or applications | is_feature_enabled('ldap', application_id)
- name: Execute Setup Routines
include_tasks: setup.yml
- name: Execute Cleanup Routines
include_tasks: cleanup.yml
when: mode_cleanup

7
roles/docker-gitea/tasks/setup.yml Normal file
View File

@@ -0,0 +1,7 @@
- name: Execute OIDC Setup Routine
include_tasks: setup/oidc.yml
when: applications | is_feature_enabled('oidc', application_id)
- name: Execute LDAP Setup Routine
include_tasks: setup/ldap.yml
when: applications | is_feature_enabled('ldap', application_id)

66
roles/docker-gitea/tasks/setup/ldap.yml Normal file
View File

@@ -0,0 +1,66 @@
- name: "Add LDAP Authentication Source"
shell: |
docker-compose -f "{{ docker_compose.directories.instance }}/docker-compose.yml" \
exec -T --user git application \
gitea admin auth add-ldap \
--name "LDAP ({{ primary_domain }})" \
--host "{{ ldap.server.domain }}" \
--port {{ ldap.server.port }} \
--security-protocol "{{ ldap.server.security | trim or 'unencrypted' }}" \
--bind-dn "{{ ldap.dn.administrator }}" \
--bind-password "{{ ldap.bind_credential }}" \
--user-search-base "{{ ldap.dn.users }}" \
--user-filter "{{ ldap.filters.users.login }}" \
--username-attribute "{{ ldap.attributes.user_id }}" \
--firstname-attribute "{{ ldap.attributes.firstname }}" \
--surname-attribute "{{ ldap.attributes.surname }}" \
--email-attribute "{{ ldap.attributes.mail }}" \
--synchronize-users # turns on per-login sync
args:
chdir: "{{ docker_compose.directories.instance }}"
register: ldap_manage
failed_when: ldap_manage.rc != 0 and "login source already exists" not in ldap_manage.stderr
- name: "Lookup existing LDAP auth source ID"
shell: |
docker-compose -f "{{ docker_compose.directories.instance }}/docker-compose.yml" \
exec -T --user git application \
gitea admin auth list \
| tail -n +2 \
| grep -F "LDAP ({{ primary_domain }})" \
| awk '{print $1; exit}'
args:
chdir: "{{ docker_compose.directories.instance }}"
register: ldap_source_id_raw
failed_when:
- ldap_source_id_raw.rc != 0
- ldap_source_id_raw.stdout == ""
changed_when: false
- name: "Set LDAP source ID fact"
set_fact:
ldap_source_id: "{{ ldap_source_id_raw.stdout }}"
- name: "Update LDAP Authentication Source"
shell: |
docker-compose -f "{{ docker_compose.directories.instance }}/docker-compose.yml" \
exec -T --user git application \
gitea admin auth update-ldap \
--id {{ ldap_source_id }} \
--name "LDAP ({{ primary_domain }})" \
--host "{{ ldap.server.domain }}" \
--port {{ ldap.server.port }} \
--security-protocol "{{ ldap.server.security | trim or 'unencrypted' }}" \
--bind-dn "{{ ldap.dn.administrator }}" \
--bind-password "{{ ldap.bind_credential }}" \
--user-search-base "{{ ldap.dn.users }}" \
--user-filter "(&(objectClass=inetOrgPerson)(uid=%s))" \
--username-attribute "{{ ldap.attributes.user_id }}" \
--firstname-attribute "{{ ldap.attributes.firstname }}" \
--surname-attribute "{{ ldap.attributes.surname }}" \
--email-attribute "{{ ldap.attributes.mail }}" \
--synchronize-users
args:
chdir: "{{ docker_compose.directories.instance }}"
register: ldap_manage
failed_when: ldap_manage.rc != 0

11
roles/docker-gitea/tasks/oidc.yml → roles/docker-gitea/tasks/setup/oidc.yml
View File

@@ -1,14 +1,3 @@
- name: "Wait until Gitea setup and migrations are ready"
uri:
url: "http://127.0.0.1:{{ ports.localhost.http[application_id] }}/api/v1/version"
method: GET
status_code: 200
return_content: no
register: gitea_ready
until: gitea_ready.status == 200
retries: 20
delay: 5
- name: "Add Keycloak OIDC Provider"
shell: |
docker-compose -f "{{ docker_compose.directories.instance }}/docker-compose.yml" \

2
roles/docker-gitea/templates/docker-compose.yml.j2
View File

@@ -2,6 +2,8 @@ services:
{% include 'roles/docker-central-database/templates/services/' + database_type + '.yml.j2' %}
{% include 'roles/docker-oauth2-proxy/templates/container.yml.j2' %}
application:
{% include 'roles/docker-compose/templates/services/base.yml.j2' %}
image: "{{ applications[application_id].images.gitea }}"

51
roles/docker-gitea/templates/env.j2
View File

@@ -1,20 +1,29 @@
# Configuration
# @see https://docs.gitea.com/next/administration/config-cheat-sheet#repository-repository
# General
DOMAIN={{domains | get_domain(application_id)}}
RUN_MODE="{{ 'dev' if (CYMAIS_ENVIRONMENT | lower) == 'development' else 'prod' }}"
ROOT_URL="{{ web_protocol }}://{{domains | get_domain(application_id)}}/"
APP_NAME="{{ applications[application_id].title }}"
USER_UID=1000
USER_GID=1000
# Logging configuration
GITEA__log__MODE=console
GITEA__log__LEVEL={% if enable_debug | bool %}Debug{% else %}Info{% endif %}
# Database
DB_TYPE=mysql
DB_HOST={{database_host}}:{{database_port}}
DB_NAME={{database_name}}
DB_USER={{database_username}}
DB_PASSWD={{database_password}}
# SSH
SSH_PORT={{ports.public.ssh[application_id]}}
SSH_LISTEN_PORT=22
DOMAIN={{domains | get_domain(application_id)}}
SSH_DOMAIN={{domains | get_domain(application_id)}}
RUN_MODE="{{ 'dev' if (CYMAIS_ENVIRONMENT | lower) == 'development' else 'prod' }}"
ROOT_URL="{{ web_protocol }}://{{domains | get_domain(application_id)}}/"
APP_NAME="{{ applications[application_id].title }}"
# Mail Configuration
# @see https://docs.gitea.com/next/installation/install-with-docker#managing-deployments-with-environment-variables
@@ -35,38 +44,18 @@ GITEA__REPOSITORY__DEFAULT_PUSH_CREATE_PRIVATE={{ applications[application_id].c
GITEA__security__INSTALL_LOCK=true # Locks the installation page
{% if applications | is_feature_enabled('oidc',application_id) %}
# (De)activate OIDC
GITEA__openid__ENABLE_OPENID_SIGNUP={{ applications | is_feature_enabled('oidc',application_id) | lower }}
GITEA__openid__ENABLE_OPENID_SIGNUP={{ applications | is_feature_enabled('oidc',application_id) | lower }}
GITEA__openid__ENABLE_OPENID_SIGNUP=true
GITEA__openid__ENABLE_OPENID_SIGNUP=true
{% if applications | is_feature_enabled('oidc',application_id) or applications | is_feature_enabled('ldap',application_id) %}
{% endif %}
EXTERNAL_USER_DISABLE_FEATURES=deletion,manage_credentials,change_username,change_full_name
{% if applications | is_feature_enabled('ldap',application_id) %}
GITEA__ldap__SYNC_USER_ON_LOGIN=true
{% endif %}
# ------------------------------------------------
# LDAP Authentication (via BindDN)
# ------------------------------------------------
GITEA__auth__LDAP__ENABLED={{ applications | is_feature_enabled('ldap',application_id) | string | lower }}
GITEA__auth__LDAP__HOST={{ ldap.server.domain }}
GITEA__auth__LDAP__PORT={{ ldap.server.port }}
# security protocol: "", "SSL" or "TLS"
GITEA__auth__LDAP__SECURITY={{ ldap.server.security | trim or "unencrypted" }}
GITEA__auth__LDAP__BIND_DN={{ ldap.dn.administrator }}
GITEA__auth__LDAP__BIND_PASSWORD={{ ldap.bind_credential }}
GITEA__auth__LDAP__USER_SEARCH_BASE={{ ldap.dn.users }}
GITEA__auth__LDAP__USER_FILTER={{ ldap.filters.user_filter }}
# map LDAP attributes to Gitea fields
GITEA__auth__LDAP__ATTRIBUTE_USERNAME={{ ldap.attributes.user_id }}
GITEA__auth__LDAP__ATTRIBUTE_FULL_NAME={{ ldap.attributes.name }}
GITEA__auth__LDAP__ATTRIBUTE_MAIL={{ ldap.attributes.mail }}
# ------------------------------------------------
# Periodic sync for external LDAP users
# ------------------------------------------------
GITEA__cron__SYNC_EXTERNAL_USERS_ENABLED=true
# default: sync daily at midnight
GITEA__cron__SYNC_EXTERNAL_USERS_CRON=0 0 * * *
{% endif %}
# ------------------------------------------------

8
roles/docker-gitea/vars/configuration.yml
View File

@@ -11,12 +11,12 @@ features:
css: false
portfolio_iframe: true
central_database: true
ldap: false # Deactivated because OIDC is implemented
oauth2: false # Deactivated. Use OIDC instead.
oidc: true
ldap: true
oauth2: true
oidc: false # Deactivated because users aren't auto-created.
oauth2_proxy:
application: "application"
port: "80"
port: "3000"
acl:
blacklist:
- "/user/login"