feat(gitea): Stage 4 — hardened compose with OIDC-ready config + Keycloak CLI auth source
stacks/gitea/compose.yml — full production-grade env:
- Server posture: PROTOCOL=http (nginx terminates TLS), DOMAIN=git.wbd-rd.nl,
DISABLE_SSH=true, INSTALL_LOCK=true (skip web wizard).
- Postgres backend (DB+role auto-provisioned by sql/config/init.d/).
- Local registration disabled; users provisioned via Keycloak OIDC with
ENABLE_AUTO_REGISTRATION=true so first OIDC login auto-creates the
matching local account (USERNAME=nickname, ACCOUNT_LINKING=auto).
- Mail stub via postfix on app network (ENABLED=false until postfix is up).
- Repos default to private.
- GITEA_OAUTH_* env vars are pass-through values consumed only by the
post-deploy CLI step; gitea itself doesn't read them.
stacks/gitea/.env.example — DB connection, OAuth client ID/secret/discovery
URL, mail-from. Empty placeholders for secrets.
stacks/gitea/README.md — full Stage 5 deploy script:
1. Fill GITEA_DB_PASSWORD + GITEA_OAUTH_CLIENT_SECRET in cloud/.env
2. docker compose up -d gitea
3. gitea admin user create --admin --random-password
4. gitea admin auth add-oauth --provider openidConnect
--auto-discover-url https://auth.wbd-rd.nl/realms/wbd/.well-known/openid-configuration
5. Browse https://git.wbd-rd.nl/ → "Sign in with keycloak"
cloud/compose.yml — uncomment gitea include.
cloud/.env.example — add GITEA_DOMAIN, GITEA_OAUTH_*, GITEA_MAIL_FROM.
.gitignore line 2 (`.env`) already catches .env files at any depth
(verified with `git check-ignore`). Secrets won't be committed.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
znetsixe
@@ -18,7 +18,7 @@ include:
|
||||
# Apps
|
||||
# - ../stacks/node-red/compose.yml
|
||||
# - ../stacks/grafana/compose.yml
|
||||
# - ../stacks/gitea/compose.yml
|
||||
- ../stacks/gitea/compose.yml
|
||||
# - ../stacks/jenkins/compose.yml
|
||||
# Messaging + mail
|
||||
# - ../stacks/rabbitmq/compose.yml
|
||||
|
||||
Reference in New Issue
Block a user