RnD/infra
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
035ac757aeddf40dfec2e87f4647e8114eb0946c
infra/cloud/.env.example
znetsixe 035ac757ae feat(gitea): Stage 4 — hardened compose with OIDC-ready config + Keycloak CLI auth source 
stacks/gitea/compose.yml — full production-grade env:
- Server posture: PROTOCOL=http (nginx terminates TLS), DOMAIN=git.wbd-rd.nl,
  DISABLE_SSH=true, INSTALL_LOCK=true (skip web wizard).
- Postgres backend (DB+role auto-provisioned by sql/config/init.d/).
- Local registration disabled; users provisioned via Keycloak OIDC with
  ENABLE_AUTO_REGISTRATION=true so first OIDC login auto-creates the
  matching local account (USERNAME=nickname, ACCOUNT_LINKING=auto).
- Mail stub via postfix on app network (ENABLED=false until postfix is up).
- Repos default to private.
- GITEA_OAUTH_* env vars are pass-through values consumed only by the
  post-deploy CLI step; gitea itself doesn't read them.

stacks/gitea/.env.example — DB connection, OAuth client ID/secret/discovery
URL, mail-from. Empty placeholders for secrets.

stacks/gitea/README.md — full Stage 5 deploy script:
  1. Fill GITEA_DB_PASSWORD + GITEA_OAUTH_CLIENT_SECRET in cloud/.env
  2. docker compose up -d gitea
  3. gitea admin user create --admin --random-password
  4. gitea admin auth add-oauth --provider openidConnect
     --auto-discover-url https://auth.wbd-rd.nl/realms/wbd/.well-known/openid-configuration
  5. Browse https://git.wbd-rd.nl/ → "Sign in with keycloak"

cloud/compose.yml — uncomment gitea include.
cloud/.env.example — add GITEA_DOMAIN, GITEA_OAUTH_*, GITEA_MAIL_FROM.

.gitignore line 2 (`.env`) already catches .env files at any depth
(verified with `git check-ignore`). Secrets won't be committed.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-21 14:10:54 +02:00

73 lines
1.6 KiB
Plaintext
Raw Blame History

# Aggregated env for the cloud composition.
# Copy to .env and fill in real values. Never commit .env.
TZ=Europe/Amsterdam
# Domain / TLS
PRIMARY_DOMAIN=wbd-rd.nl
LETSENCRYPT_EMAIL=r.de.ren@brabantsedelta.nl
# Production CA: https://acme-v02.api.letsencrypt.org/directory
# Staging CA (testing): https://acme-staging-v02.api.letsencrypt.org/directory
ACME_CA_URI=https://acme-v02.api.letsencrypt.org/directory
# WireGuard server
WG_SERVER_PORT=51820
WG_SERVER_PUBLIC_HOST=
# Keycloak (admin bootstrap + DB)
KEYCLOAK_ADMIN=admin
KEYCLOAK_ADMIN_PASSWORD=
KEYCLOAK_HOSTNAME=auth.wbd-rd.nl
KEYCLOAK_DB_PASSWORD=
# InfluxDB
INFLUX_ADMIN_USER=admin
INFLUX_ADMIN_PASSWORD=
INFLUX_ADMIN_TOKEN=
INFLUX_ORG=wbd
INFLUX_BUCKET=telemetry
# Grafana
GRAFANA_ADMIN_USER=admin
GRAFANA_ADMIN_PASSWORD=
GRAFANA_ROOT_URL=https://dash.wbd-rd.nl
# SQL (postgres — single point of config)
SQL_DB=config
SQL_USER=config
SQL_PASSWORD=
# RabbitMQ
RABBITMQ_USER=admin
RABBITMQ_PASSWORD=
RABBITMQ_VHOST=/
# Postfix
POSTFIX_RELAYHOST=
POSTFIX_FROM_DOMAIN=wbd-rd.nl
# Gitea (HTTPS-only; uses sql backend; OIDC via Keycloak)
GITEA_ROOT_URL=https://git.wbd-rd.nl
GITEA_DOMAIN=git.wbd-rd.nl
GITEA_DB_HOST=sql:5432
GITEA_DB_NAME=gitea
GITEA_DB_USER=gitea
GITEA_DB_PASSWORD=
GITEA_OAUTH_CLIENT_ID=gitea
GITEA_OAUTH_CLIENT_SECRET=
GITEA_OAUTH_DISCOVERY_URL=https://auth.wbd-rd.nl/realms/wbd/.well-known/openid-configuration
GITEA_MAIL_FROM=gitea@wbd-rd.nl
# Jenkins
JENKINS_ADMIN_USER=admin
JENKINS_ADMIN_PASSWORD=
# MLflow (uses sql backend)
MLFLOW_DB_NAME=mlflow
MLFLOW_DB_USER=mlflow
MLFLOW_DB_PASSWORD=
# JupyterHub
JUPYTER_NOTEBOOK_IMAGE=jupyter/datascience-notebook:latest
JUPYTERHUB_ADMIN_USERS=
Reference in New Issue View Git Blame Copy Permalink