Replaced OIDC login for gitea with oauth2 proxy and LDAP to guarantee correct username etc.

This commit is contained in:
2025-06-27 02:19:12 +02:00
parent 6d4723b321
commit bb73e948d3
27 changed files with 241 additions and 78 deletions


@@ -0,0 +1,7 @@
- name: Execute OIDC Cleanup Routine
include_tasks: cleanup/oidc.yml
when: not (applications | is_feature_enabled('oidc', application_id))
- name: Execute LDAP Cleanup Routine
include_tasks: cleanup/ldap.yml
when: not (applications | is_feature_enabled('ldap', application_id))


@@ -0,0 +1,22 @@
- name: "Lookup existing LDAP auth source ID"
shell: |
docker-compose -f "{{ docker_compose.directories.instance }}/docker-compose.yml" \
exec -T --user git application \
gitea admin auth list \
| awk -v name="LDAP ({{ primary_domain }})" '$0 ~ name {print $1; exit}'
args:
chdir: "{{ docker_compose.directories.instance }}"
register: ldap_source_id_raw
failed_when: false
changed_when: false
- name: "Delete existing LDAP auth source if present"
shell: |
docker-compose -f "{{ docker_compose.directories.instance }}/docker-compose.yml" \
exec -T --user git application \
gitea admin auth delete --id {{ ldap_source_id_raw.stdout }}
args:
chdir: "{{ docker_compose.directories.instance }}"
when: ldap_source_id_raw.stdout != ""
register: ldap_delete
failed_when: ldap_delete.rc != 0
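Review bot: The lookup's `| awk -v name="LDAP ({{ primary_domain }})" '$0 ~ name {print $1; exit}'` uses the auth-source name as an extended regular expression, so the parentheses become a group and the dots match any character; for a domain like example.com the pattern matches `LDAP example.com` and never the literal name `LDAP (example.com)` that `gitea admin auth list` prints, so `ldap_source_id_raw.stdout` stays empty, the delete task is always skipped, and `failed_when: false` hides the miss. Match the fixed string instead, the way setup/ldap.yml already does: `| tail -n +2 | grep -F "LDAP ({{ primary_domain }})" | awk '{print $1; exit}'`. The OIDC cleanup hunk has the same problem, with `{{ oidc.button_text }}` used as the awk pattern, and should get the same `grep -F` treatment.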


@@ -0,0 +1,23 @@
- name: "Lookup existing OIDC auth source ID"
shell: |
docker-compose -f "{{ docker_compose.directories.instance }}/docker-compose.yml" \
exec -T --user git application \
gitea admin auth list \
| awk -v name="{{ oidc.button_text }}" '$0 ~ name {print $1; exit}'
args:
chdir: "{{ docker_compose.directories.instance }}"
register: oidc_source_id_raw
failed_when: false
changed_when: false
- name: "Delete existing OIDC auth source if present"
shell: |
docker-compose -f "{{ docker_compose.directories.instance }}/docker-compose.yml" \
exec -T --user git application \
gitea admin auth delete --id {{ oidc_source_id_raw.stdout }}
args:
chdir: "{{ docker_compose.directories.instance }}"
when: oidc_source_id_raw.stdout != ""
register: oidc_delete
failed_when: oidc_delete.rc != 0


@@ -45,10 +45,21 @@
changed_when: "'has been successfully created' in create_admin.stdout"
failed_when: create_admin.rc != 0 and 'user already exists' not in create_admin.stderr
- name: Execute OIDC Routine
include_tasks: oidc.yml
vars:
action: add
register: oidc_add
ignore_errors: true
when: applications | is_feature_enabled('oidc', application_id)
- name: "Wait until Gitea setup and migrations are ready"
uri:
url: "http://127.0.0.1:{{ ports.localhost.http[application_id] }}/api/v1/version"
method: GET
status_code: 200
return_content: no
register: gitea_ready
until: gitea_ready.status == 200
retries: 20
delay: 5
when: applications | is_feature_enabled('oidc', application_id) or applications | is_feature_enabled('ldap', application_id)
- name: Execute Setup Routines
include_tasks: setup.yml
- name: Execute Cleanup Routines
include_tasks: cleanup.yml
when: mode_cleanup
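Review bot: `return_content: no` in the readiness task is a YAML 1.1 truthy word rather than a boolean; write `return_content: false` so the value is unambiguous across parsers and passes yamllint's truthy rule. The wait is gated on `is_feature_enabled('oidc', ...)` or `is_feature_enabled('ldap', ...)`, while the cleanup include below runs on `mode_cleanup` alone and its tasks exec `gitea admin auth list` in the container, so when both features are disabled the cleanup runs without any readiness check; that may be acceptable for the CLI path, but it is worth confirming or gating the cleanup include on the same condition. The task list continues before line 45, outside the hunk.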


@@ -0,0 +1,7 @@
- name: Execute OIDC Setup Routine
include_tasks: setup/oidc.yml
when: applications | is_feature_enabled('oidc', application_id)
- name: Execute LDAP Setup Routine
include_tasks: setup/ldap.yml
when: applications | is_feature_enabled('ldap', application_id)


@@ -0,0 +1,66 @@
- name: "Add LDAP Authentication Source"
shell: |
docker-compose -f "{{ docker_compose.directories.instance }}/docker-compose.yml" \
exec -T --user git application \
gitea admin auth add-ldap \
--name "LDAP ({{ primary_domain }})" \
--host "{{ ldap.server.domain }}" \
--port {{ ldap.server.port }} \
--security-protocol "{{ ldap.server.security | trim or 'unencrypted' }}" \
--bind-dn "{{ ldap.dn.administrator }}" \
--bind-password "{{ ldap.bind_credential }}" \
--user-search-base "{{ ldap.dn.users }}" \
--user-filter "{{ ldap.filters.users.login }}" \
--username-attribute "{{ ldap.attributes.user_id }}" \
--firstname-attribute "{{ ldap.attributes.firstname }}" \
--surname-attribute "{{ ldap.attributes.surname }}" \
--email-attribute "{{ ldap.attributes.mail }}" \
--synchronize-users # turns on per-login sync
args:
chdir: "{{ docker_compose.directories.instance }}"
register: ldap_manage
failed_when: ldap_manage.rc != 0 and "login source already exists" not in ldap_manage.stderr
- name: "Lookup existing LDAP auth source ID"
shell: |
docker-compose -f "{{ docker_compose.directories.instance }}/docker-compose.yml" \
exec -T --user git application \
gitea admin auth list \
| tail -n +2 \
| grep -F "LDAP ({{ primary_domain }})" \
| awk '{print $1; exit}'
args:
chdir: "{{ docker_compose.directories.instance }}"
register: ldap_source_id_raw
failed_when:
- ldap_source_id_raw.rc != 0
- ldap_source_id_raw.stdout == ""
changed_when: false
- name: "Set LDAP source ID fact"
set_fact:
ldap_source_id: "{{ ldap_source_id_raw.stdout }}"
- name: "Update LDAP Authentication Source"
shell: |
docker-compose -f "{{ docker_compose.directories.instance }}/docker-compose.yml" \
exec -T --user git application \
gitea admin auth update-ldap \
--id {{ ldap_source_id }} \
--name "LDAP ({{ primary_domain }})" \
--host "{{ ldap.server.domain }}" \
--port {{ ldap.server.port }} \
--security-protocol "{{ ldap.server.security | trim or 'unencrypted' }}" \
--bind-dn "{{ ldap.dn.administrator }}" \
--bind-password "{{ ldap.bind_credential }}" \
--user-search-base "{{ ldap.dn.users }}" \
--user-filter "(&(objectClass=inetOrgPerson)(uid=%s))" \
--username-attribute "{{ ldap.attributes.user_id }}" \
--firstname-attribute "{{ ldap.attributes.firstname }}" \
--surname-attribute "{{ ldap.attributes.surname }}" \
--email-attribute "{{ ldap.attributes.mail }}" \
--synchronize-users
args:
chdir: "{{ docker_compose.directories.instance }}"
register: ldap_manage
failed_when: ldap_manage.rc != 0
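Review bot: The bind password from `{{ ldap.bind_credential }}` is interpolated into the shell command of both the add-ldap and update-ldap tasks, so it ends up in the registered `ldap_manage` result and in Ansible's task output and logs; add `no_log: true` to both tasks. The update task hard-codes `--user-filter "(&(objectClass=inetOrgPerson)(uid=%s))"` whereas the add task passes `{{ ldap.filters.users.login }}`, so every re-run silently replaces the configured filter with the literal one; use the variable in both places. The `failed_when` list on the lookup task is AND-ed, and because the pipeline has no `set -o pipefail` its rc is awk's rc, so an empty lookup never fails and the update task then runs with an empty `--id`; write `failed_when: ldap_source_id_raw.rc != 0 or ldap_source_id_raw.stdout == ""` instead.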


@@ -1,14 +1,3 @@
- name: "Wait until Gitea setup and migrations are ready"
uri:
url: "http://127.0.0.1:{{ ports.localhost.http[application_id] }}/api/v1/version"
method: GET
status_code: 200
return_content: no
register: gitea_ready
until: gitea_ready.status == 200
retries: 20
delay: 5
- name: "Add Keycloak OIDC Provider"
shell: |
docker-compose -f "{{ docker_compose.directories.instance }}/docker-compose.yml" \