gerd.forgejo: now uses authelia for authentication + patches for signin
This commit is contained in:
parent
d459fa895e
commit
5d94967c48
11 changed files with 243 additions and 118 deletions
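--- /dev/null
+++ b/machines/gerd/services/forgejo/auth_sources.nix
@@ -0,0 +1,119 @@
+{ config, lib, pkgs, ... }:
+
+let
+AUTHELIA_AUTH_NAME = "authelia";
+
+scriptAddLDAPAuth = pkgs.writeShellScript "forgejo-add-update-ldap-auth.sh" ''
+#!/usr/bin/env sh
+FORGEJO_WORK_PATH="${config.services.forgejo.stateDir}"
+FORGEJO_AUTH_NAME="lldap"
+
+# get auth id if any
+FORGEJO_AUTH_ID=$(gitea --work-path "$FORGEJO_WORK_PATH" admin auth list | grep "$FORGEJO_AUTH_NAME" | cut -d$'\t' -f1)
+
+ACTION=""
+EXTRA_ARG=""
+if [ -n "''${FORGEJO_AUTH_ID}" ]; then
+echo "PRERUN-LDAP: Authentication source exists, updating..."
+ACTION="update-ldap"
+EXTRA_ARG="--id $FORGEJO_AUTH_ID"
+else
+echo "PRERUN-LDAP: Authentication source does not exists, adding..."
+ACTION="add-ldap"
+fi
+
+BIND_USERPASS="$(cat $CREDENTIALS_DIRECTORY/lldap-bind-user-pass)"
+
+${pkgs.forgejo}/bin/gitea \
+--work-path '${config.mine.zfsMounts."rpool/safe/svcs/forgejo"}' \
+admin auth "$ACTION" $EXTRA_ARG \
+--name "$FORGEJO_AUTH_NAME" \
+--active \
+--security-protocol unencrypted \
+--skip-tls-verify \
+--host ${config.mine.settings.ldap.host} \
+--port ${builtins.toString config.mine.settings.ldap.port} \
+--bind-dn "${config.mine.settings.ldap.bind_dn}" \
+--bind-password "$BIND_USERPASS" \
+--user-filter '(&${config.mine.settings.ldap.user_filter}(|(${config.mine.settings.ldap.attr.uid}=%[1]s)(${config.mine.settings.ldap.attr.email}=%[1]s)))' \
+--admin-filter '${config.mine.settings.ldap.admin_filter}' \
+--username-attribute ${config.mine.settings.ldap.attr.uid} \
+--firstname-attribute ${config.mine.settings.ldap.attr.firstname} \
+--surname-attribute ${config.mine.settings.ldap.attr.lastname} \
+--email-attribute ${config.mine.settings.ldap.attr.email} \
+--avatar-attribute ${config.mine.settings.ldap.attr.avatar} \
+--synchronize-users \
+--user-search-base '${config.mine.settings.ldap.search_base}' \
+
+echo "PRERUN-LDAP: Finished adding/updating..."
+'';
+
+
+scriptAddOAuth = pkgs.writeShellScript "forgejo-add-update-oauth.sh" ''
+#!/usr/bin/env sh
+FORGEJO_WORK_PATH="${config.services.forgejo.stateDir}"
+FORGEJO_AUTH_NAME="${AUTHELIA_AUTH_NAME}"
+
+# get auth id if any
+FORGEJO_AUTH_ID=$(gitea --work-path "$FORGEJO_WORK_PATH" admin auth list | grep "$FORGEJO_AUTH_NAME" | cut -d$'\t' -f1)
+
+ACTION=""
+EXTRA_ARG=""
+if [ -n "''${FORGEJO_AUTH_ID}" ]; then
+echo "PRERUN-AUTH: Authentication source exists, updating..."
+ACTION="update-oauth"
+EXTRA_ARG="--id $FORGEJO_AUTH_ID"
+else
+echo "PRERUN-AUTH: Authentication source does not exists, adding..."
+ACTION="add-oauth"
+fi
+
+SECRET="$(cat $CREDENTIALS_DIRECTORY/authelia-secret)"
+
+${pkgs.forgejo}/bin/gitea \
+--work-path '${config.mine.zfsMounts."rpool/safe/svcs/forgejo"}' \
+admin auth "$ACTION" $EXTRA_ARG \
+--name "$FORGEJO_AUTH_NAME" \
+--provider openidConnect \
+--key forgejo \
+--secret "$SECRET" \
+--auto-discover-url "https://${config.mine.settings.authelia.domain}/.well-known/openid-configuration" \
+--skip-local-2fa true \
+--scopes "email" \
+--scopes "profile" \
+
+echo "PRERUN-AUTH: Finished adding/updating..."
+'';
+in {
+
+systemd.services.forgejo.preStart = lib.mkAfter ''
+${scriptAddLDAPAuth}
+${scriptAddOAuth}
+'';
+
+systemd.services.forgejo.serviceConfig.LoadCredential = [
+"authelia-secret:${config.age.secrets.forgejo-authelia-secret.path}"
+"lldap-bind-user-pass:${config.age.secrets.lldap-bind-user-pass.path}"
+];
+
+
+# example configuration for forgejo. Should live in forgejo.nix if needed
+services.authelia.instances.main.settings.identity_providers.oidc.clients = [{
+id = "forgejo";
+description = "Forgejo";
+
+# authelia crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986
+secret = "$pbkdf2-sha512$310000$cOGtLwMHyfugAJCIiUUjfQ$ao7zC8QB1m8aTGNf1dxYbRAPivZ0G1eaJ4bNFVfJiTFZX06U5baBjT0emvoaeFHXMFbYHzorb2/8vxnY/D0b5Q";
+
+public = false;
+# authorization_policy = "one_factor";
+redirect_uris = [ "https://${config.mine.settings.forgejo.domain}/user/oauth2/${AUTHELIA_AUTH_NAME}/callback" ];
+scopes = [
+"openid"
+"email"
+"profile"
+];
+
+userinfo_signing_algorithm = "none";
+}];
+}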
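Review bot: The lookup `FORGEJO_AUTH_ID=$(gitea --work-path "$FORGEJO_WORK_PATH" admin auth list | grep "$FORGEJO_AUTH_NAME" | cut -d$'\t' -f1)` matches the name anywhere in a row, so any other source whose row contains "lldap" or "authelia" leaves several IDs in the variable and `--id $FORGEJO_AUTH_ID` is then malformed; it also queries `$FORGEJO_WORK_PATH` (`config.services.forgejo.stateDir`) while the add/update call a few lines later uses `config.mine.zfsMounts."rpool/safe/svcs/forgejo"`, so if those two paths ever differ the list and the write hit different databases and every restart adds a new source. Match the name column exactly and use one path in both places, e.g. `FORGEJO_AUTH_ID=$(gitea --work-path "$FORGEJO_WORK_PATH" admin auth list | awk -F'\t' -v n="$FORGEJO_AUTH_NAME" '$2 == n {print $1}')` (confirm that Name is the second tab-separated column of `auth list` output); the same applies to the OAuth script. The LDAP source is registered with `--security-protocol unencrypted` (which also makes `--skip-tls-verify` a no-op), so the bind password is sent in the clear to `config.mine.settings.ldap.host` on every user sync; unless lldap is reached over loopback this should be `--security-protocol ldaps` (or starttls) with a comment stating the deployment assumption. `--bind-password "$BIND_USERPASS"` and `--secret "$SECRET"` additionally expose both credentials in the gitea process's argv for the duration of the call, which deserves a comment since no file or env alternative is visible here. Finally, the comment `# example configuration for forgejo. Should live in forgejo.nix if needed` is misleading because the `services.authelia...oidc.clients` entry below it is the live Authelia client registration (it must match the plaintext in `forgejo-authelia-secret`), not an example; something like `# Authelia OIDC client registration for Forgejo; secret is the hash of age secret forgejo-authelia-secret` would be clearer.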