RnD/infra
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
c91b475cd1fdbbbc4a4b8ac7bd7bbcea6695b4b6
infra/stacks/gitea/README.md
znetsixe 035ac757ae feat(gitea): Stage 4 — hardened compose with OIDC-ready config + Keycloak CLI auth source 
stacks/gitea/compose.yml — full production-grade env:
- Server posture: PROTOCOL=http (nginx terminates TLS), DOMAIN=git.wbd-rd.nl,
  DISABLE_SSH=true, INSTALL_LOCK=true (skip web wizard).
- Postgres backend (DB+role auto-provisioned by sql/config/init.d/).
- Local registration disabled; users provisioned via Keycloak OIDC with
  ENABLE_AUTO_REGISTRATION=true so first OIDC login auto-creates the
  matching local account (USERNAME=nickname, ACCOUNT_LINKING=auto).
- Mail stub via postfix on app network (ENABLED=false until postfix is up).
- Repos default to private.
- GITEA_OAUTH_* env vars are pass-through values consumed only by the
  post-deploy CLI step; gitea itself doesn't read them.

stacks/gitea/.env.example — DB connection, OAuth client ID/secret/discovery
URL, mail-from. Empty placeholders for secrets.

stacks/gitea/README.md — full Stage 5 deploy script:
  1. Fill GITEA_DB_PASSWORD + GITEA_OAUTH_CLIENT_SECRET in cloud/.env
  2. docker compose up -d gitea
  3. gitea admin user create --admin --random-password
  4. gitea admin auth add-oauth --provider openidConnect
     --auto-discover-url https://auth.wbd-rd.nl/realms/wbd/.well-known/openid-configuration
  5. Browse https://git.wbd-rd.nl/ → "Sign in with keycloak"

cloud/compose.yml — uncomment gitea include.
cloud/.env.example — add GITEA_DOMAIN, GITEA_OAUTH_*, GITEA_MAIL_FROM.

.gitignore line 2 (`.env`) already catches .env files at any depth
(verified with `git check-ignore`). Secrets won't be committed.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-21 14:10:54 +02:00

2.9 KiB
Raw Blame History

gitea

Self-hosted git server for R&D. Cloud-only. Hostname git.wbd-rd.nl (reverse-proxied via nginx-proxy; HTTP internally).

  • Networks: app (nginx → gitea) + data (gitea → postgres)
  • Volume: gitea-data (repos, LFS, hooks, actions runners)
  • SSH ingress: disabled (DISABLE_SSH=true). All clones over HTTPS.
  • Auth: SSO via Keycloak (wbd realm, client gitea). Local registration disabled — users come in via OIDC.

The web installer is skipped (INSTALL_LOCK=true); admin user + OIDC source are provisioned with CLI commands post-deploy.

Stage 5 — deploy

Prereqs (Stages 13, done by hand in Keycloak):

  • sql, nginx-proxy, keycloak, portainer already up
  • Keycloak wbd realm created
  • Keycloak client gitea created with redirect URI https://git.wbd-rd.nl/user/oauth2/keycloak/callback
  • Client secret captured

1. Fill cloud/.env

GITEA_DB_PASSWORD=<from your password manager>
GITEA_OAUTH_CLIENT_SECRET=<from Keycloak → Clients → gitea → Credentials>

2. Bring gitea up

cd /mnt/d/gitea/RnD/infra/cloud
docker compose up -d gitea
docker compose logs -f gitea
# Wait for: "Listen: http://0.0.0.0:3000"

3. Create the initial admin user (one-time)

docker compose exec -u git gitea \
  gitea admin user create \
    --admin --username admin \
    --email admin@wbd-rd.nl \
    --random-password \
    --must-change-password=true

Note the printed random password; sign in once at https://git.wbd-rd.nl/, change it.

4. Add the Keycloak OIDC auth source

docker compose exec -u git gitea sh -c '
  gitea admin auth add-oauth \
    --name keycloak \
    --provider openidConnect \
    --key "$GITEA_OAUTH_CLIENT_ID" \
    --secret "$GITEA_OAUTH_CLIENT_SECRET" \
    --auto-discover-url "$GITEA_OAUTH_DISCOVERY_URL" \
    --scopes "openid email profile"
'

(The env vars are passed through from cloud/.env via the gitea container's environment: block.)

5. Verify

Browse https://git.wbd-rd.nl/ → "Sign in with keycloak" → first OIDC user is auto-created (because oauth2_client.ENABLE_AUTO_REGISTRATION=true).

Mail

GITEA__mailer__ENABLED=false by default. Flip to true (in cloud/.env or here) once the postfix stack is up; Gitea then sends notifications via smtp://postfix:25.

Migrating from Versio Gitea (deferred)

Plan once the new instance is verified working end-to-end:

  1. pg_dump Versio Gitea's database
  2. Restore to the new gitea postgres DB
  3. rsync /data/gitea/{repositories,lfs,avatars} from old to new over the WG tunnel
  4. Restart gitea
  5. DNS cutover: point gitea.wbd-rd.nl at the new cloud IP (or leave both names; git.wbd-rd.nl is the canonical going forward)

TODO

  • Gitea Actions runners (post-cutover)
  • Webhook → Jenkins on push (CI trigger)
  • LFS storage policy + size limits
  • Mirror policy for external GitHub orgs (read-only mirrors)
  • Repo / org templates for new R&D projects
Reference in New Issue View Git Blame Copy Permalink