{ config, lib, pkgs, ... }:
let
  # Name of the OAuth2 authentication source that is created in Forgejo below.
  # It is also part of Forgejo's OAuth callback path
  # (/user/oauth2/<name>/callback), which the Authelia client's redirect_uris
  # in this file must match.
  AUTHELIA_AUTH_NAME = "authelia";
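# Creates or updates Forgejo's LDAP authentication source on every service
# start. Runs from forgejo's preStart, so $CREDENTIALS_DIRECTORY (populated by
# LoadCredential below) is available. pkgs.writeShellScript already prepends
# its own interpreter line (so no shebang is needed here) and does NOT enable
# `set -e`, which is why every failure is checked explicitly.
scriptAddLDAPAuth = pkgs.writeShellScript "forgejo-add-update-ldap-auth.sh" ''
  FORGEJO_WORK_PATH="${config.services.forgejo.stateDir}"
  FORGEJO_AUTH_NAME="lldap"
  GITEA="${pkgs.forgejo}/bin/gitea"

  # Look up the id of an existing source with exactly this name.
  # `admin auth list` prints tab-separated "ID  Name  Type  Enabled" rows
  # (padded with extra tabs), so compare whole fields instead of grepping a
  # substring of the line; only the first hit is used so that --id never
  # receives more than one value.
  FORGEJO_AUTH_ID=$("$GITEA" --work-path "$FORGEJO_WORK_PATH" admin auth list \
    | awk -F'\t' -v name="$FORGEJO_AUTH_NAME" '{ for (i = 2; i <= NF; i++) if ($i == name) { print $1; exit } }')

  if [ -n "$FORGEJO_AUTH_ID" ]; then
    echo "PRERUN-LDAP: Authentication source exists, updating..."
    ACTION="update-ldap"
    EXTRA_ARG="--id $FORGEJO_AUTH_ID"
  else
    echo "PRERUN-LDAP: Authentication source does not exists, adding..."
    ACTION="add-ldap"
    EXTRA_ARG=""
  fi

  # The bind password arrives as a systemd credential. Refuse to (re)configure
  # the source with an empty password: failing the preStart loudly is better
  # than silently breaking every LDAP login.
  BIND_USERPASS="$(cat "$CREDENTIALS_DIRECTORY/lldap-bind-user-pass")" || exit 1
  if [ -z "$BIND_USERPASS" ]; then
    echo "PRERUN-LDAP: lldap-bind-user-pass credential is missing or empty" >&2
    exit 1
  fi

  # NOTE(review): --work-path here is the zfs mount path while the lookup above
  # uses services.forgejo.stateDir; both must resolve to the same Forgejo
  # instance or the lookup and the update act on different databases — confirm.
  # `--security-protocol unencrypted` sends the bind DN and password to the
  # LDAP host in cleartext, so this is only acceptable over a trusted path
  # (e.g. loopback); `--skip-tls-verify` is only meaningful for ldaps/starttls.
  # The bind password is passed on argv and is therefore visible in this
  # host's process list while gitea runs.
  "$GITEA" \
    --work-path '${config.mine.zfsMounts."rpool/safe/svcs/forgejo"}' \
    admin auth "$ACTION" $EXTRA_ARG \
    --name "$FORGEJO_AUTH_NAME" \
    --active \
    --security-protocol unencrypted \
    --skip-tls-verify \
    --host ${config.mine.settings.ldap.host} \
    --port ${builtins.toString config.mine.settings.ldap.port} \
    --bind-dn "${config.mine.settings.ldap.bind_dn}" \
    --bind-password "$BIND_USERPASS" \
    --user-filter '(&${config.mine.settings.ldap.user_filter}(|(${config.mine.settings.ldap.attr.uid}=%[1]s)(${config.mine.settings.ldap.attr.email}=%[1]s)))' \
    --admin-filter '${config.mine.settings.ldap.admin_filter}' \
    --username-attribute ${config.mine.settings.ldap.attr.uid} \
    --firstname-attribute ${config.mine.settings.ldap.attr.firstname} \
    --surname-attribute ${config.mine.settings.ldap.attr.lastname} \
    --email-attribute ${config.mine.settings.ldap.attr.email} \
    --avatar-attribute ${config.mine.settings.ldap.attr.avatar} \
    --synchronize-users \
    --user-search-base '${config.mine.settings.ldap.search_base}' \
    || { echo "PRERUN-LDAP: gitea admin auth $ACTION failed" >&2; exit 1; }

  echo "PRERUN-LDAP: Finished adding/updating..."
'';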
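# Creates or updates Forgejo's OpenID Connect source pointing at Authelia on
# every service start. Same shape as scriptAddLDAPAuth: find the source id,
# then add or update. pkgs.writeShellScript supplies the interpreter line (no
# shebang needed here) and does not enable `set -e`, so errors are checked
# by hand.
scriptAddOAuth = pkgs.writeShellScript "forgejo-add-update-oauth.sh" ''
  FORGEJO_WORK_PATH="${config.services.forgejo.stateDir}"
  FORGEJO_AUTH_NAME="${AUTHELIA_AUTH_NAME}"
  GITEA="${pkgs.forgejo}/bin/gitea"

  # Exact-field match on the tab-separated `admin auth list` output instead
  # of a substring grep; first hit only, so --id never gets two values.
  FORGEJO_AUTH_ID=$("$GITEA" --work-path "$FORGEJO_WORK_PATH" admin auth list \
    | awk -F'\t' -v name="$FORGEJO_AUTH_NAME" '{ for (i = 2; i <= NF; i++) if ($i == name) { print $1; exit } }')

  if [ -n "$FORGEJO_AUTH_ID" ]; then
    echo "PRERUN-AUTH: Authentication source exists, updating..."
    ACTION="update-oauth"
    EXTRA_ARG="--id $FORGEJO_AUTH_ID"
  else
    echo "PRERUN-AUTH: Authentication source does not exists, adding..."
    ACTION="add-oauth"
    EXTRA_ARG=""
  fi

  # The OIDC client secret (plaintext counterpart of the pbkdf2 hash in the
  # Authelia client definition of this file) comes in as a systemd credential.
  # Bail out rather than registering the client with an empty secret.
  SECRET="$(cat "$CREDENTIALS_DIRECTORY/authelia-secret")" || exit 1
  if [ -z "$SECRET" ]; then
    echo "PRERUN-AUTH: authelia-secret credential is missing or empty" >&2
    exit 1
  fi

  # NOTE(review): --work-path here differs from the FORGEJO_WORK_PATH used for
  # the lookup above; both must point at the same instance — confirm.
  # --key must equal the client id configured in Authelia ("forgejo").
  # --secret is passed on argv and is visible in the process list while
  # gitea runs. --skip-local-2fa is presumably a boolean flag, so the trailing
  # "true" is likely parsed as a stray positional argument — verify.
  "$GITEA" \
    --work-path '${config.mine.zfsMounts."rpool/safe/svcs/forgejo"}' \
    admin auth "$ACTION" $EXTRA_ARG \
    --name "$FORGEJO_AUTH_NAME" \
    --provider openidConnect \
    --key forgejo \
    --secret "$SECRET" \
    --auto-discover-url "https://${config.mine.settings.authelia.domain}/.well-known/openid-configuration" \
    --skip-local-2fa true \
    --scopes "email" \
    --scopes "profile" \
    || { echo "PRERUN-AUTH: gitea admin auth $ACTION failed" >&2; exit 1; }

  echo "PRERUN-AUTH: Finished adding/updating..."
'';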
in {
  systemd.services.forgejo = {
    # mkAfter appends both provisioning scripts after whatever the NixOS
    # forgejo module already runs in its own preStart.
    preStart = lib.mkAfter ''
      ${scriptAddLDAPAuth}
      ${scriptAddOAuth}
    '';

    # Secrets are handed to the unit as systemd credentials; the scripts read
    # them from $CREDENTIALS_DIRECTORY instead of the agenix paths directly.
    serviceConfig.LoadCredential = [
      "authelia-secret:${config.age.secrets.forgejo-authelia-secret.path}"
      "lldap-bind-user-pass:${config.age.secrets.lldap-bind-user-pass.path}"
    ];
  };

  # Authelia side of the same OIDC client. The client id must match the --key
  # given to `gitea admin auth add-oauth` above, and the redirect URI must
  # match Forgejo's callback path for the source named AUTHELIA_AUTH_NAME.
  # example configuration for forgejo. Should live in forgejo.nix if needed
  services.authelia.instances.main.settings.identity_providers.oidc.clients = [
    {
      id = "forgejo";
      description = "Forgejo";

      # Hashed client secret, generated with:
      #   authelia crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986
      # The matching plaintext is expected in the forgejo-authelia-secret
      # credential loaded above.
      secret = "$pbkdf2-sha512$310000$cOGtLwMHyfugAJCIiUUjfQ$ao7zC8QB1m8aTGNf1dxYbRAPivZ0G1eaJ4bNFVfJiTFZX06U5baBjT0emvoaeFHXMFbYHzorb2/8vxnY/D0b5Q";
      public = false;

      # NOTE(review): one_factor here, combined with --skip-local-2fa on the
      # Forgejo source, means OIDC logins to Forgejo never see a second factor;
      # consider "two_factor" if Forgejo's own 2FA is meant to be bypassed.
      authorization_policy = "one_factor";

      redirect_uris = [ "https://${config.mine.settings.forgejo.domain}/user/oauth2/${AUTHELIA_AUTH_NAME}/callback" ];
      scopes = [ "openid" "email" "profile" ];
      userinfo_signing_algorithm = "none";
    }
  ];
}