035ac757ae
stacks/gitea/compose.yml — full production-grade env:
- Server posture: PROTOCOL=http (nginx terminates TLS), DOMAIN=git.wbd-rd.nl,
DISABLE_SSH=true, INSTALL_LOCK=true (skip web wizard).
- Postgres backend (DB+role auto-provisioned by sql/config/init.d/).
- Local registration disabled; users provisioned via Keycloak OIDC with
ENABLE_AUTO_REGISTRATION=true so first OIDC login auto-creates the
matching local account (USERNAME=nickname, ACCOUNT_LINKING=auto).
- Mail stub via postfix on app network (ENABLED=false until postfix is up).
- Repos default to private.
- GITEA_OAUTH_* env vars are pass-through values consumed only by the
post-deploy CLI step; gitea itself doesn't read them.
stacks/gitea/.env.example — DB connection, OAuth client ID/secret/discovery
URL, mail-from. Empty placeholders for secrets.
stacks/gitea/README.md — full Stage 5 deploy script:
1. Fill GITEA_DB_PASSWORD + GITEA_OAUTH_CLIENT_SECRET in cloud/.env
2. docker compose up -d gitea
3. gitea admin user create --admin --random-password
4. gitea admin auth add-oauth --provider openidConnect
--auto-discover-url https://auth.wbd-rd.nl/realms/wbd/.well-known/openid-configuration
5. Browse https://git.wbd-rd.nl/ → "Sign in with keycloak"
cloud/compose.yml — uncomment gitea include.
cloud/.env.example — add GITEA_DOMAIN, GITEA_OAUTH_*, GITEA_MAIL_FROM.
.gitignore line 2 (`.env`) already catches .env files at any depth
(verified with `git check-ignore`). Secrets won't be committed.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2.8 KiB
2.8 KiB