infra/stacks/gitea/README.md
znetsixe 035ac757ae feat(gitea): Stage 4 — hardened compose with OIDC-ready config + Keycloak CLI auth source
stacks/gitea/compose.yml — full production-grade env:
- Server posture: PROTOCOL=http (nginx terminates TLS), DOMAIN=git.wbd-rd.nl,
  DISABLE_SSH=true, INSTALL_LOCK=true (skip web wizard).
- Postgres backend (DB+role auto-provisioned by sql/config/init.d/).
- Local registration disabled; users provisioned via Keycloak OIDC with
  ENABLE_AUTO_REGISTRATION=true so first OIDC login auto-creates the
  matching local account (USERNAME=nickname, ACCOUNT_LINKING=auto).
- Mail stub via postfix on app network (ENABLED=false until postfix is up).
- Repos default to private.
- GITEA_OAUTH_* env vars are pass-through values consumed only by the
  post-deploy CLI step; gitea itself doesn't read them.

stacks/gitea/.env.example — DB connection, OAuth client ID/secret/discovery
URL, mail-from. Empty placeholders for secrets.

stacks/gitea/README.md — full Stage 5 deploy script:
  1. Fill GITEA_DB_PASSWORD + GITEA_OAUTH_CLIENT_SECRET in cloud/.env
  2. docker compose up -d gitea
  3. gitea admin user create --admin --random-password
  4. gitea admin auth add-oauth --provider openidConnect
     --auto-discover-url https://auth.wbd-rd.nl/realms/wbd/.well-known/openid-configuration
  5. Browse https://git.wbd-rd.nl/ → "Sign in with keycloak"

cloud/compose.yml — uncomment gitea include.
cloud/.env.example — add GITEA_DOMAIN, GITEA_OAUTH_*, GITEA_MAIL_FROM.

.gitignore line 2 (`.env`) already catches .env files at any depth
(verified with `git check-ignore`). Secrets won't be committed.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-21 14:10:54 +02:00

# gitea
Self-hosted git server for R&D. **Cloud-only.** Hostname `git.wbd-rd.nl` (reverse-proxied via nginx-proxy; HTTP internally).
- **Networks**: `app` (nginx → gitea) + `data` (gitea → postgres)
- **Volume**: `gitea-data` (repos, LFS, hooks, actions runners)
- **SSH ingress**: disabled (`DISABLE_SSH=true`). All clones over HTTPS.
- **Auth**: SSO via Keycloak (`wbd` realm, client `gitea`). Local registration disabled — users come in via OIDC.
The web installer is skipped (`INSTALL_LOCK=true`); admin user + OIDC source are provisioned with CLI commands post-deploy.
## Stage 5 — deploy
Prereqs (Stages 1-3, done by hand in Keycloak):
- `sql`, `nginx-proxy`, `keycloak`, `portainer` already up
- Keycloak `wbd` realm created
- Keycloak client `gitea` created with redirect URI `https://git.wbd-rd.nl/user/oauth2/keycloak/callback`
- Client secret captured
### 1. Fill cloud/.env
```
GITEA_DB_PASSWORD=<from your password manager>
GITEA_OAUTH_CLIENT_SECRET=<from Keycloak → Clients → gitea → Credentials>
```
### 2. Bring gitea up
```bash
cd /mnt/d/gitea/RnD/infra/cloud
docker compose up -d gitea
docker compose logs -f gitea
# Wait for: "Listen: http://0.0.0.0:3000"
```
### 3. Create the initial admin user (one-time)
```bash
docker compose exec -u git gitea \
gitea admin user create \
--admin --username admin \
--email admin@wbd-rd.nl \
--random-password \
--must-change-password=true
```
Note the printed random password; sign in once at `https://git.wbd-rd.nl/` and change it.
### 4. Add the Keycloak OIDC auth source
```bash
docker compose exec -u git gitea sh -c '
gitea admin auth add-oauth \
--name keycloak \
--provider openidConnect \
--key "$GITEA_OAUTH_CLIENT_ID" \
--secret "$GITEA_OAUTH_CLIENT_SECRET" \
--auto-discover-url "$GITEA_OAUTH_DISCOVERY_URL" \
--scopes "openid email profile"
'
```
(The env vars are passed through from `cloud/.env` via the gitea container's `environment:` block.)
### 5. Verify
Browse `https://git.wbd-rd.nl/` → "Sign in with keycloak" → first OIDC user is auto-created (because `oauth2_client.ENABLE_AUTO_REGISTRATION=true`).
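A pre-flight check for `cloud/.env` to run between step 1 and step 2, as an added example (not part of this repo). It assumes the variable names this stack uses (`GITEA_DOMAIN`, `GITEA_DB_PASSWORD`, `GITEA_OAUTH_CLIENT_ID`, `GITEA_OAUTH_CLIENT_SECRET`, `GITEA_OAUTH_DISCOVERY_URL`) and that the OIDC auth source is named `keycloak`, so Gitea's callback is `https://<GITEA_DOMAIN>/user/oauth2/keycloak/callback`; it catches untouched placeholders, a non-TLS discovery URL, and a callback that does not match the redirect URI registered on the Keycloak client.

```sh
#!/bin/sh
# Pre-flight check for cloud/.env before "docker compose up -d gitea".
# Added example, not part of the repo. Assumes the variable names used by
# this stack: GITEA_DOMAIN, GITEA_DB_PASSWORD, GITEA_OAUTH_CLIENT_ID,
# GITEA_OAUTH_CLIENT_SECRET, GITEA_OAUTH_DISCOVERY_URL. Values are read
# verbatim (no quote stripping), which matches how the README fills them.

# Print the value of KEY ($2) from FILE ($1); empty if the key is absent.
env_get() {
  sed -n "s/^$2=//p" "$1" | head -n 1 | sed 's/[[:space:]]*$//'
}

# Reject an empty value or an untouched "<...>" placeholder from .env.example.
check_secret() {
  v=$(env_get "$1" "$2")
  case "$v" in
    "" | "<"*">") echo "FAIL: $2 is empty or still a placeholder" >&2; return 1 ;;
  esac
  return 0
}

# preflight FILE EXPECTED_REDIRECT_URI -> 0 when ready for step 2, 1 otherwise.
# EXPECTED_REDIRECT_URI is the redirect URI registered on the Keycloak client.
preflight() {
  f=$1; want=$2; rc=0
  for k in GITEA_DB_PASSWORD GITEA_OAUTH_CLIENT_ID GITEA_OAUTH_CLIENT_SECRET; do
    check_secret "$f" "$k" || rc=1
  done
  # Auto-discovery must go over TLS to the standard well-known path.
  case "$(env_get "$f" GITEA_OAUTH_DISCOVERY_URL)" in
    https://*/.well-known/openid-configuration) ;;
    *) echo "FAIL: GITEA_OAUTH_DISCOVERY_URL must be an https .well-known URL" >&2; rc=1 ;;
  esac
  # Gitea's callback for an auth source named "keycloak" is
  # https://<DOMAIN>/user/oauth2/keycloak/callback; a mismatch with the
  # Keycloak client's redirect URI is the usual cause of a failed first login.
  have="https://$(env_get "$f" GITEA_DOMAIN)/user/oauth2/keycloak/callback"
  if [ "$have" != "$want" ]; then
    echo "FAIL: Keycloak redirect URI is $want but Gitea will use $have" >&2; rc=1
  fi
  return $rc
}

# Stand-alone use: PREFLIGHT_ENV=cloud/.env sh preflight.sh
if [ -n "${PREFLIGHT_ENV:-}" ]; then
  preflight "$PREFLIGHT_ENV" "${PREFLIGHT_REDIRECT:-https://git.wbd-rd.nl/user/oauth2/keycloak/callback}"
fi
```

Run it with `PREFLIGHT_ENV=cloud/.env`; a non-zero exit means one of the `FAIL:` lines on stderr needs fixing before step 2.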
## Mail
`GITEA__mailer__ENABLED=false` by default. Flip to `true` (in cloud/.env or here) once the `postfix` stack is up; Gitea then sends notifications via `smtp://postfix:25`.
## Migrating from Versio Gitea (deferred)
Plan once the new instance is verified working end-to-end:
1. `pg_dump` Versio Gitea's database
2. Restore to the new `gitea` postgres DB
3. `rsync` `/data/gitea/{repositories,lfs,avatars}` from old to new over the WG tunnel
4. Restart gitea
5. DNS cutover: point `gitea.wbd-rd.nl` at the new cloud IP (or leave both names; `git.wbd-rd.nl` is the canonical going forward)
## TODO
- Gitea Actions runners (post-cutover)
- Webhook → Jenkins on push (CI trigger)
- LFS storage policy + size limits
- Mirror policy for external GitHub orgs (read-only mirrors)
- Repo / org templates for new R&D projects