RnD/infra
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
035ac757aeddf40dfec2e87f4647e8114eb0946c
infra/stacks/gitea/compose.yml
znetsixe 035ac757ae feat(gitea): Stage 4 — hardened compose with OIDC-ready config + Keycloak CLI auth source 
stacks/gitea/compose.yml — full production-grade env:
- Server posture: PROTOCOL=http (nginx terminates TLS), DOMAIN=git.wbd-rd.nl,
  DISABLE_SSH=true, INSTALL_LOCK=true (skip web wizard).
- Postgres backend (DB+role auto-provisioned by sql/config/init.d/).
- Local registration disabled; users provisioned via Keycloak OIDC with
  ENABLE_AUTO_REGISTRATION=true so first OIDC login auto-creates the
  matching local account (USERNAME=nickname, ACCOUNT_LINKING=auto).
- Mail stub via postfix on app network (ENABLED=false until postfix is up).
- Repos default to private.
- GITEA_OAUTH_* env vars are pass-through values consumed only by the
  post-deploy CLI step; gitea itself doesn't read them.

stacks/gitea/.env.example — DB connection, OAuth client ID/secret/discovery
URL, mail-from. Empty placeholders for secrets.

stacks/gitea/README.md — full Stage 5 deploy script:
  1. Fill GITEA_DB_PASSWORD + GITEA_OAUTH_CLIENT_SECRET in cloud/.env
  2. docker compose up -d gitea
  3. gitea admin user create --admin --random-password
  4. gitea admin auth add-oauth --provider openidConnect
     --auto-discover-url https://auth.wbd-rd.nl/realms/wbd/.well-known/openid-configuration
  5. Browse https://git.wbd-rd.nl/ → "Sign in with keycloak"

cloud/compose.yml — uncomment gitea include.
cloud/.env.example — add GITEA_DOMAIN, GITEA_OAUTH_*, GITEA_MAIL_FROM.

.gitignore line 2 (`.env`) already catches .env files at any depth
(verified with `git check-ignore`). Secrets won't be committed.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-21 14:10:54 +02:00

74 lines
2.8 KiB
YAML
Raw Blame History

# gitea — self-hosted git server (cloud only)
# Hostname: git.wbd-rd.nl (reverse-proxied via nginx-proxy; HTTP internally)
# Networks: app (UI) + data (postgres backend)
# Auth: SSO via Keycloak (`wbd` realm, client `gitea`)
# OIDC auth source is added via CLI post-deploy — see README.
services:
gitea:
image: gitea/gitea:1.22
restart: unless-stopped
networks: [app, data]
environment:
# User / TZ
USER_UID: "1000"
USER_GID: "1000"
TZ: ${TZ:-Europe/Amsterdam}
# Server posture — nginx terminates TLS, gitea speaks HTTP on 3000
GITEA__server__ROOT_URL: ${GITEA_ROOT_URL}
GITEA__server__DOMAIN: ${GITEA_DOMAIN:-git.wbd-rd.nl}
GITEA__server__PROTOCOL: http
GITEA__server__DISABLE_SSH: "true"
GITEA__server__OFFLINE_MODE: "false"
# Skip web installer (admin user + OIDC source provisioned via CLI)
GITEA__security__INSTALL_LOCK: "true"
# Database — postgres on sql stack (DB+role auto-provisioned)
GITEA__database__DB_TYPE: postgres
GITEA__database__HOST: ${GITEA_DB_HOST:-sql:5432}
GITEA__database__NAME: ${GITEA_DB_NAME:-gitea}
GITEA__database__USER: ${GITEA_DB_USER:-gitea}
GITEA__database__PASSWD: ${GITEA_DB_PASSWORD}
# Disable local registration; users come in via Keycloak OIDC
GITEA__service__DISABLE_REGISTRATION: "true"
GITEA__service__ALLOW_ONLY_EXTERNAL_REGISTRATION: "true"
GITEA__service__SHOW_REGISTRATION_BUTTON: "false"
GITEA__service__REQUIRE_SIGNIN_VIEW: "true"
GITEA__openid__ENABLE_OPENID_SIGNIN: "false"
GITEA__openid__ENABLE_OPENID_SIGNUP: "false"
# OIDC client behavior — auth source itself added via CLI (see README)
GITEA__oauth2_client__ENABLE_AUTO_REGISTRATION: "true"
GITEA__oauth2_client__UPDATE_AVATAR: "true"
GITEA__oauth2_client__USERNAME: nickname
GITEA__oauth2_client__ACCOUNT_LINKING: auto
# Mail (flip ENABLED to true after postfix stack is up)
GITEA__mailer__ENABLED: "false"
GITEA__mailer__SMTP_ADDR: postfix
GITEA__mailer__SMTP_PORT: "25"
GITEA__mailer__FROM: ${GITEA_MAIL_FROM:-gitea@wbd-rd.nl}
# Repo defaults
GITEA__repository__DEFAULT_PRIVATE: private
GITEA__repository__DEFAULT_PUSH_CREATE_PRIVATE: "true"
# Exposed inside the container so the OIDC-source CLI command can pick them up
# (gitea itself doesn't read these — they're only for the post-deploy CLI step)
GITEA_OAUTH_CLIENT_ID: ${GITEA_OAUTH_CLIENT_ID:-gitea}
GITEA_OAUTH_CLIENT_SECRET: ${GITEA_OAUTH_CLIENT_SECRET}
GITEA_OAUTH_DISCOVERY_URL: ${GITEA_OAUTH_DISCOVERY_URL:-https://auth.wbd-rd.nl/realms/wbd/.well-known/openid-configuration}
volumes:
- gitea-data:/data
networks:
app:
data:
volumes:
gitea-data:
Reference in New Issue View Git Blame Copy Permalink