Replaced OIDC login for gitea with oauth2 proxy and LDAP to guaranty correct username etc.

roles/docker-gitea/templates/docker-compose.yml.j2

@@ -2,6 +2,8 @@ services:
 
 {% include 'roles/docker-central-database/templates/services/' + database_type + '.yml.j2' %}
 
+{% include 'roles/docker-oauth2-proxy/templates/container.yml.j2' %}
+
   application:
 {% include 'roles/docker-compose/templates/services/base.yml.j2' %}
     image: "{{ applications[application_id].images.gitea }}"

roles/docker-gitea/templates/env.j2

@@ -1,20 +1,29 @@
 # Configuration
 # @see https://docs.gitea.com/next/administration/config-cheat-sheet#repository-repository
 
+# General
+DOMAIN={{domains | get_domain(application_id)}}
+RUN_MODE="{{ 'dev' if (CYMAIS_ENVIRONMENT | lower) == 'development' else 'prod' }}"
+ROOT_URL="{{ web_protocol }}://{{domains | get_domain(application_id)}}/"
+APP_NAME="{{ applications[application_id].title }}"
 USER_UID=1000
 USER_GID=1000
+
+# Logging configuration
+GITEA__log__MODE=console
+GITEA__log__LEVEL={% if enable_debug | bool %}Debug{% else %}Info{% endif %}    
+
+# Database
 DB_TYPE=mysql
 DB_HOST={{database_host}}:{{database_port}}
 DB_NAME={{database_name}}
 DB_USER={{database_username}}
 DB_PASSWD={{database_password}}
+
+# SSH
 SSH_PORT={{ports.public.ssh[application_id]}}
 SSH_LISTEN_PORT=22
-DOMAIN={{domains | get_domain(application_id)}}
 SSH_DOMAIN={{domains | get_domain(application_id)}}
-RUN_MODE="{{ 'dev' if (CYMAIS_ENVIRONMENT | lower) == 'development' else 'prod' }}"
-ROOT_URL="{{ web_protocol }}://{{domains | get_domain(application_id)}}/"
-APP_NAME="{{ applications[application_id].title }}"
 
 # Mail Configuration 
 # @see https://docs.gitea.com/next/installation/install-with-docker#managing-deployments-with-environment-variables
@@ -35,38 +44,18 @@ GITEA__REPOSITORY__DEFAULT_PUSH_CREATE_PRIVATE={{ applications[application_id].c
 
 GITEA__security__INSTALL_LOCK=true # Locks the installation page
 
-{% if applications | is_feature_enabled('oidc',application_id) %}
+# (De)activate OIDC
+GITEA__openid__ENABLE_OPENID_SIGNUP={{ applications | is_feature_enabled('oidc',application_id) | lower }}
+GITEA__openid__ENABLE_OPENID_SIGNUP={{ applications | is_feature_enabled('oidc',application_id) | lower }}
 
-GITEA__openid__ENABLE_OPENID_SIGNUP=true
-GITEA__openid__ENABLE_OPENID_SIGNUP=true
+{% if applications | is_feature_enabled('oidc',application_id) or applications | is_feature_enabled('ldap',application_id) %}
 
-{% endif %}
+EXTERNAL_USER_DISABLE_FEATURES=deletion,manage_credentials,change_username,change_full_name
 
 {% if applications | is_feature_enabled('ldap',application_id) %}
+GITEA__ldap__SYNC_USER_ON_LOGIN=true
+{% endif %}
 
-# ------------------------------------------------
-# LDAP Authentication (via BindDN)
-# ------------------------------------------------
-GITEA__auth__LDAP__ENABLED={{ applications | is_feature_enabled('ldap',application_id) | string | lower }}
-GITEA__auth__LDAP__HOST={{ ldap.server.domain }}
-GITEA__auth__LDAP__PORT={{ ldap.server.port }}
-# security protocol: "", "SSL" or "TLS"
-GITEA__auth__LDAP__SECURITY={{ ldap.server.security | trim or "unencrypted" }}
-GITEA__auth__LDAP__BIND_DN={{ ldap.dn.administrator }}
-GITEA__auth__LDAP__BIND_PASSWORD={{ ldap.bind_credential }}
-GITEA__auth__LDAP__USER_SEARCH_BASE={{ ldap.dn.users }}
-GITEA__auth__LDAP__USER_FILTER={{ ldap.filters.user_filter }}
-# map LDAP attributes to Gitea fields
-GITEA__auth__LDAP__ATTRIBUTE_USERNAME={{ ldap.attributes.user_id }}
-GITEA__auth__LDAP__ATTRIBUTE_FULL_NAME={{ ldap.attributes.name }}
-GITEA__auth__LDAP__ATTRIBUTE_MAIL={{ ldap.attributes.mail }}
-
-# ------------------------------------------------
-# Periodic sync for external LDAP users
-# ------------------------------------------------
-GITEA__cron__SYNC_EXTERNAL_USERS_ENABLED=true
-# default: sync daily at midnight
-GITEA__cron__SYNC_EXTERNAL_USERS_CRON=0 0 * * *
 {% endif %}
 
 # ------------------------------------------------