Replaced OIDC login for gitea with oauth2 proxy and LDAP to guaranty correct username etc.

2025-08-29 15:06:26 +02:00 · 2025-06-27 02:19:12 +02:00
parent 6d4723b321
commit bb73e948d3
27 changed files with 241 additions and 78 deletions
--- a/roles/docker-gitea/tasks/cleanup.yml
+++ b/roles/docker-gitea/tasks/cleanup.yml
@@ -0,0 +1,7 @@
+- name: Execute OIDC Cleanup Routine
+  include_tasks: cleanup/oidc.yml
+  when: not (applications | is_feature_enabled('oidc', application_id))
+
+- name: Execute LDAP Cleanup Routine
+  include_tasks: cleanup/ldap.yml
+  when: not (applications | is_feature_enabled('ldap', application_id))
--- a/roles/docker-gitea/tasks/cleanup/ldap.yml
+++ b/roles/docker-gitea/tasks/cleanup/ldap.yml
@@ -0,0 +1,22 @@
+- name: "Lookup existing LDAP auth source ID"
+  shell: |
+    docker-compose -f "{{ docker_compose.directories.instance }}/docker-compose.yml" \
+      exec -T --user git application \
+      gitea admin auth list \
+      | awk -v name="LDAP ({{ primary_domain }})" '$0 ~ name {print $1; exit}'
+  args:
+    chdir: "{{ docker_compose.directories.instance }}"
+  register: ldap_source_id_raw
+  failed_when: false
+  changed_when: false
+
+- name: "Delete existing LDAP auth source if present"
+  shell: |
+    docker-compose -f "{{ docker_compose.directories.instance }}/docker-compose.yml" \
+      exec -T --user git application \
+      gitea admin auth delete --id {{ ldap_source_id_raw.stdout }}
+  args:
+    chdir: "{{ docker_compose.directories.instance }}"
+  when: ldap_source_id_raw.stdout != ""
+  register: ldap_delete
+  failed_when: ldap_delete.rc != 0
--- a/roles/docker-gitea/tasks/cleanup/oidc.yml
+++ b/roles/docker-gitea/tasks/cleanup/oidc.yml
@@ -0,0 +1,23 @@
+
+- name: "Lookup existing OIDC auth source ID"
+  shell: |
+    docker-compose -f "{{ docker_compose.directories.instance }}/docker-compose.yml" \
+      exec -T --user git application \
+      gitea admin auth list \
+      | awk -v name="{{ oidc.button_text }}" '$0 ~ name {print $1; exit}'
+  args:
+    chdir: "{{ docker_compose.directories.instance }}"
+  register: oidc_source_id_raw
+  failed_when: false
+  changed_when: false
+
+- name: "Delete existing OIDC auth source if present"
+  shell: |
+    docker-compose -f "{{ docker_compose.directories.instance }}/docker-compose.yml" \
+      exec -T --user git application \
+      gitea admin auth delete --id {{ oidc_source_id_raw.stdout }}
+  args:
+    chdir: "{{ docker_compose.directories.instance }}"
+  when: oidc_source_id_raw.stdout != ""
+  register: oidc_delete
+  failed_when: oidc_delete.rc != 0
--- a/roles/docker-gitea/tasks/main.yml
+++ b/roles/docker-gitea/tasks/main.yml
@@ -45,10 +45,21 @@
  changed_when: "'has been successfully created' in create_admin.stdout"
  failed_when: create_admin.rc != 0 and 'user already exists' not in create_admin.stderr

- name: Execute OIDC Routine
-  include_tasks: oidc.yml
-  vars:
-    action: add
-  register: oidc_add
-  ignore_errors: true
-  when: applications | is_feature_enabled('oidc', application_id)
+- name: "Wait until Gitea setup and migrations are ready"
+  uri:
+    url: "http://127.0.0.1:{{ ports.localhost.http[application_id] }}/api/v1/version"
+    method: GET
+    status_code: 200
+    return_content: no
+  register: gitea_ready
+  until: gitea_ready.status == 200
+  retries: 20
+  delay: 5
+  when: applications | is_feature_enabled('oidc', application_id) or applications | is_feature_enabled('ldap', application_id)
+
+- name: Execute Setup Routines
+  include_tasks: setup.yml
+
+- name: Execute Cleanup Routines
+  include_tasks: cleanup.yml 
+  when: mode_cleanup
--- a/roles/docker-gitea/tasks/setup.yml
+++ b/roles/docker-gitea/tasks/setup.yml
@@ -0,0 +1,7 @@
+- name: Execute OIDC Setup Routine
+  include_tasks: setup/oidc.yml
+  when: applications | is_feature_enabled('oidc', application_id)
+
+- name: Execute LDAP Setup Routine
+  include_tasks: setup/ldap.yml
+  when: applications | is_feature_enabled('ldap', application_id)
--- a/roles/docker-gitea/tasks/setup/ldap.yml
+++ b/roles/docker-gitea/tasks/setup/ldap.yml
@@ -0,0 +1,66 @@
+- name: "Add LDAP Authentication Source"
+  shell: |
+    docker-compose -f "{{ docker_compose.directories.instance }}/docker-compose.yml" \
+      exec -T --user git application \
+      gitea admin auth add-ldap \
+        --name "LDAP ({{ primary_domain }})" \
+        --host "{{ ldap.server.domain }}" \
+        --port {{ ldap.server.port }} \
+        --security-protocol "{{ ldap.server.security | trim or 'unencrypted' }}" \
+        --bind-dn "{{ ldap.dn.administrator }}" \
+        --bind-password "{{ ldap.bind_credential }}" \
+        --user-search-base "{{ ldap.dn.users }}" \
+        --user-filter "{{ ldap.filters.users.login }}" \
+        --username-attribute "{{ ldap.attributes.user_id }}" \
+        --firstname-attribute "{{ ldap.attributes.firstname }}" \
+        --surname-attribute "{{ ldap.attributes.surname }}" \
+        --email-attribute "{{ ldap.attributes.mail }}" \
+        --synchronize-users      # turns on per-login sync
+  args:
+    chdir: "{{ docker_compose.directories.instance }}"
+  register: ldap_manage
+  failed_when: ldap_manage.rc != 0 and "login source already exists" not in ldap_manage.stderr
+
+- name: "Lookup existing LDAP auth source ID"
+  shell: |
+    docker-compose -f "{{ docker_compose.directories.instance }}/docker-compose.yml" \
+      exec -T --user git application \
+      gitea admin auth list \
+      | tail -n +2 \
+      | grep -F "LDAP ({{ primary_domain }})" \
+      | awk '{print $1; exit}'
+  args:
+    chdir: "{{ docker_compose.directories.instance }}"
+  register: ldap_source_id_raw
+  failed_when:
+    - ldap_source_id_raw.rc != 0
+    - ldap_source_id_raw.stdout == ""
+  changed_when: false
+
+- name: "Set LDAP source ID fact"
+  set_fact:
+    ldap_source_id: "{{ ldap_source_id_raw.stdout }}"
+
+- name: "Update LDAP Authentication Source"
+  shell: |
+    docker-compose -f "{{ docker_compose.directories.instance }}/docker-compose.yml" \
+      exec -T --user git application \
+      gitea admin auth update-ldap \
+        --id {{ ldap_source_id }} \
+        --name "LDAP ({{ primary_domain }})" \
+        --host "{{ ldap.server.domain }}" \
+        --port {{ ldap.server.port }} \
+        --security-protocol "{{ ldap.server.security | trim or 'unencrypted' }}" \
+        --bind-dn "{{ ldap.dn.administrator }}" \
+        --bind-password "{{ ldap.bind_credential }}" \
+        --user-search-base "{{ ldap.dn.users }}" \
+        --user-filter "(&(objectClass=inetOrgPerson)(uid=%s))" \
+        --username-attribute "{{ ldap.attributes.user_id }}" \
+        --firstname-attribute "{{ ldap.attributes.firstname }}" \
+        --surname-attribute "{{ ldap.attributes.surname }}" \
+        --email-attribute "{{ ldap.attributes.mail }}" \
+        --synchronize-users
+  args:
+    chdir: "{{ docker_compose.directories.instance }}"
+  register: ldap_manage
+  failed_when: ldap_manage.rc != 0
--- a/roles/docker-gitea/tasks/setup/oidc.yml
+++ b/roles/docker-gitea/tasks/setup/oidc.yml
@@ -1,14 +1,3 @@
- name: "Wait until Gitea setup and migrations are ready"
-  uri:
-    url: "http://127.0.0.1:{{ ports.localhost.http[application_id] }}/api/v1/version"
-    method: GET
-    status_code: 200
-    return_content: no
-  register: gitea_ready
-  until: gitea_ready.status == 200
-  retries: 20
-  delay: 5
-
 - name: "Add Keycloak OIDC Provider"
  shell: |
    docker-compose -f "{{ docker_compose.directories.instance }}/docker-compose.yml" \