# gitea

Self-hosted git server for R&D. **Cloud-only.** Hostname `git.wbd-rd.nl` (reverse-proxied via nginx-proxy; HTTP internally).

- **Networks**: `app` (nginx → gitea) + `data` (gitea → postgres)
- **Volume**: `gitea-data` (repos, LFS, hooks, actions runners)
- **SSH ingress**: disabled (`DISABLE_SSH=true`). All clones over HTTPS.
- **Auth**: SSO via Keycloak (`wbd` realm, client `gitea`). Local registration disabled — users come in via OIDC.

The web installer is skipped (`INSTALL_LOCK=true`); the admin user and the OIDC source are provisioned with CLI commands post-deploy.

## Stage 5 — deploy

Prereqs (Stages 1–3, done by hand in Keycloak):

- `sql`, `nginx-proxy`, `keycloak`, `portainer` already up
- Keycloak `wbd` realm created
- Keycloak client `gitea` created with redirect URI `https://git.wbd-rd.nl/user/oauth2/keycloak/callback`
- Client secret captured

### 1. Fill cloud/.env

```
GITEA_DB_PASSWORD=
GITEA_OAUTH_CLIENT_SECRET=
```

### 2. Bring gitea up

```bash
cd /mnt/d/gitea/RnD/infra/cloud
docker compose up -d gitea
docker compose logs -f gitea
# Wait for: "Listen: http://0.0.0.0:3000"
```

### 3. Create the initial admin user (one-time)

```bash
docker compose exec -u git gitea \
  gitea admin user create \
    --admin --username admin \
    --email admin@wbd-rd.nl \
    --random-password \
    --must-change-password=true
```

Note the printed random password; sign in once at `https://git.wbd-rd.nl/` and change it.

### 4. Add the Keycloak OIDC auth source

```bash
docker compose exec -u git gitea sh -c '
  gitea admin auth add-oauth \
    --name keycloak \
    --provider openidConnect \
    --key "$GITEA_OAUTH_CLIENT_ID" \
    --secret "$GITEA_OAUTH_CLIENT_SECRET" \
    --auto-discover-url "$GITEA_OAUTH_DISCOVERY_URL" \
    --scopes "openid email profile"
'
```

(The env vars are passed through from `cloud/.env` via the gitea container's `environment:` block.)
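Step 4 consumes the client secret, the discovery URL and the `--name keycloak` that fixes the callback URI. Before the sign-in test in step 5, this added pre-flight script (not part of the infra repo) checks `cloud/.env` for the two secrets, requires the discovery URL to be https and in the `wbd` realm, and derives the redirect URI the Keycloak client must carry; the Keycloak URL shape and the `sso.example.invalid` host in the constructed sample are assumptions.

```shell
# Added example, not part of the infra repo: Stage 5 pre-flight for the values the
# `gitea admin auth add-oauth` step consumes. Assumes Keycloak discovery lives at
# https://<keycloak-host>/realms/<realm>/.well-known/openid-configuration.

EXPECTED_REALM="wbd"                 # Keycloak realm from the deployment notes
EXPECTED_HOST="git.wbd-rd.nl"        # public Gitea hostname
AUTH_SOURCE_NAME="keycloak"          # --name given to add-oauth

# Read KEY=VALUE from a .env file without sourcing it (no shell execution of its content).
env_value() { sed -n "s/^$1=//p" "$2" | head -n 1; }

# Return 0 when the env file passes, 1 otherwise; every finding goes to stderr.
# GITEA_OAUTH_DISCOVERY_URL may be set in the compose file instead, so fall back to the environment.
preflight_check() {
  envfile="$1"; rc=0
  db_pw=$(env_value GITEA_DB_PASSWORD "$envfile")
  secret=$(env_value GITEA_OAUTH_CLIENT_SECRET "$envfile")
  disc=$(env_value GITEA_OAUTH_DISCOVERY_URL "$envfile")
  disc=${disc:-$GITEA_OAUTH_DISCOVERY_URL}

  [ -n "$db_pw" ] || { echo "GITEA_DB_PASSWORD is empty" >&2; rc=1; }
  [ -n "$secret" ] || { echo "GITEA_OAUTH_CLIENT_SECRET is empty" >&2; rc=1; }
  # Plain http would send the client secret in the clear; a wrong realm would let
  # that realm's users self-register via ENABLE_AUTO_REGISTRATION.
  case "$disc" in
    https://*/realms/"$EXPECTED_REALM"/.well-known/openid-configuration) ;;
    *) echo "GITEA_OAUTH_DISCOVERY_URL must be https and in realm $EXPECTED_REALM: '$disc'" >&2; rc=1 ;;
  esac
  return "$rc"
}

# Redirect URI the Keycloak client must carry; Gitea derives it from the auth source name.
expected_callback() {
  echo "https://${EXPECTED_HOST}/user/oauth2/${AUTH_SOURCE_NAME}/callback"
}

# Demo on a constructed .env (sample values, not real credentials).
demo() {
  f="${TMPDIR:-/tmp}/gitea-preflight-demo.$$"
  printf '%s\n' \
    'GITEA_DB_PASSWORD=constructed-db-password' \
    'GITEA_OAUTH_CLIENT_SECRET=constructed-client-secret' \
    'GITEA_OAUTH_DISCOVERY_URL=https://sso.example.invalid/realms/wbd/.well-known/openid-configuration' \
    >"$f"
  if preflight_check "$f"; then r=0; else r=1; fi
  rm -f "$f"
  return "$r"
}
```

Run `preflight_check cloud/.env` from the compose directory and compare `expected_callback` with the redirect URI configured on the Keycloak `gitea` client.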
### 5. Verify

Browse `https://git.wbd-rd.nl/` → "Sign in with keycloak" → the first OIDC user is auto-created (because `oauth2_client.ENABLE_AUTO_REGISTRATION=true`).

## Mail

`GITEA__mailer__ENABLED=false` by default. Flip it to `true` (in cloud/.env or here) once the `postfix` stack is up; Gitea then sends notifications via `smtp://postfix:25`.

## Migrating from Versio Gitea (deferred)

Plan, once the new instance is verified working end-to-end:

1. `pg_dump` Versio Gitea's database
2. Restore it to the new `gitea` postgres DB
3. `rsync` `/data/gitea/{repositories,lfs,avatars}` from old to new over the WG tunnel
4. Restart gitea
5. DNS cutover: point `gitea.wbd-rd.nl` at the new cloud IP (or leave both names; `git.wbd-rd.nl` is the canonical name going forward)

## TODO

- Gitea Actions runners (post-cutover)
- Webhook → Jenkins on push (CI trigger)
- LFS storage policy + size limits
- Mirror policy for external GitHub orgs (read-only mirrors)
- Repo / org templates for new R&D projects