feat(gitea): Stage 4 — hardened compose with OIDC-ready config + Keycloak CLI auth source

stacks/gitea/compose.yml — full production-grade env: - Server posture: PROTOCOL=http (nginx terminates TLS), DOMAIN=git.wbd-rd.nl, DISABLE_SSH=true, INSTALL_LOCK=true (skip web wizard). - Postgres backend (DB+role auto-provisioned by sql/config/init.d/). - Local registration disabled; users provisioned via Keycloak OIDC with ENABLE_AUTO_REGISTRATION=true so first OIDC login auto-creates the matching local account (USERNAME=nickname, ACCOUNT_LINKING=auto). - Mail stub via postfix on app network (ENABLED=false until postfix is up). - Repos default to private. - GITEA_OAUTH_* env vars are pass-through values consumed only by the post-deploy CLI step; gitea itself doesn't read them. stacks/gitea/.env.example — DB connection, OAuth client ID/secret/discovery URL, mail-from. Empty placeholders for secrets. stacks/gitea/README.md — full Stage 5 deploy script: 1. Fill GITEA_DB_PASSWORD + GITEA_OAUTH_CLIENT_SECRET in cloud/.env 2. docker compose up -d gitea 3. gitea admin user create --admin --random-password 4. gitea admin auth add-oauth --provider openidConnect --auto-discover-url https://auth.wbd-rd.nl/realms/wbd/.well-known/openid-configuration 5. Browse https://git.wbd-rd.nl/ → "Sign in with keycloak" cloud/compose.yml — uncomment gitea include. cloud/.env.example — add GITEA_DOMAIN, GITEA_OAUTH_*, GITEA_MAIL_FROM. .gitignore line 2 (`.env`) already catches .env files at any depth (verified with `git check-ignore`). Secrets won't be committed. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-21 14:10:54 +02:00
parent af354a4b9e
commit 035ac757ae
5 changed files with 155 additions and 13 deletions
--- a/cloud/.env.example
+++ b/cloud/.env.example
@@ -46,12 +46,17 @@ RABBITMQ_VHOST=/
 POSTFIX_RELAYHOST=
 POSTFIX_FROM_DOMAIN=wbd-rd.nl

-# Gitea (HTTPS-only; uses sql backend)
+# Gitea (HTTPS-only; uses sql backend; OIDC via Keycloak)
 GITEA_ROOT_URL=https://git.wbd-rd.nl
+GITEA_DOMAIN=git.wbd-rd.nl
 GITEA_DB_HOST=sql:5432
 GITEA_DB_NAME=gitea
 GITEA_DB_USER=gitea
 GITEA_DB_PASSWORD=
+GITEA_OAUTH_CLIENT_ID=gitea
+GITEA_OAUTH_CLIENT_SECRET=
+GITEA_OAUTH_DISCOVERY_URL=https://auth.wbd-rd.nl/realms/wbd/.well-known/openid-configuration
+GITEA_MAIL_FROM=gitea@wbd-rd.nl

 # Jenkins
 JENKINS_ADMIN_USER=admin