server-configs/machines/gerd/services/forgejo/auth_sources.nix


{ config, lib, pkgs, ... }:
let
  # Name under which the OAuth2 (Authelia) source is registered in Forgejo.
  # It also forms the callback path in the Authelia client's redirect_uris
  # below, so the two sides must use the same value.
  AUTHELIA_AUTH_NAME = "authelia";
scriptAddLDAPAuth = pkgs.writeShellScript "forgejo-add-update-ldap-auth.sh" ''
#!/usr/bin/env sh
FORGEJO_WORK_PATH="${config.services.forgejo.stateDir}"
FORGEJO_AUTH_NAME="lldap"
# get auth id if any
FORGEJO_AUTH_ID=$(gitea --work-path "$FORGEJO_WORK_PATH" admin auth list | grep "$FORGEJO_AUTH_NAME" | cut -d$'\t' -f1)
ACTION=""
EXTRA_ARG=""
if [ -n "''${FORGEJO_AUTH_ID}" ]; then
echo "PRERUN-LDAP: Authentication source exists, updating..."
ACTION="update-ldap"
EXTRA_ARG="--id $FORGEJO_AUTH_ID"
else
echo "PRERUN-LDAP: Authentication source does not exists, adding..."
ACTION="add-ldap"
fi
BIND_USERPASS="$(cat $CREDENTIALS_DIRECTORY/lldap-bind-user-pass)"
${pkgs.forgejo}/bin/gitea \
--work-path '${config.mine.zfsMounts."rpool/safe/svcs/forgejo"}' \
admin auth "$ACTION" $EXTRA_ARG \
--name "$FORGEJO_AUTH_NAME" \
--active \
--security-protocol unencrypted \
--skip-tls-verify \
--host ${config.mine.settings.ldap.host} \
--port ${builtins.toString config.mine.settings.ldap.port} \
--bind-dn "${config.mine.settings.ldap.bind_dn}" \
--bind-password "$BIND_USERPASS" \
--user-filter '(&${config.mine.settings.ldap.user_filter}(|(${config.mine.settings.ldap.attr.uid}=%[1]s)(${config.mine.settings.ldap.attr.email}=%[1]s)))' \
--admin-filter '${config.mine.settings.ldap.admin_filter}' \
--username-attribute ${config.mine.settings.ldap.attr.uid} \
--firstname-attribute ${config.mine.settings.ldap.attr.firstname} \
--surname-attribute ${config.mine.settings.ldap.attr.lastname} \
--email-attribute ${config.mine.settings.ldap.attr.email} \
--avatar-attribute ${config.mine.settings.ldap.attr.avatar} \
--synchronize-users \
--user-search-base '${config.mine.settings.ldap.search_base}' \
echo "PRERUN-LDAP: Finished adding/updating..."
'';
scriptAddOAuth = pkgs.writeShellScript "forgejo-add-update-oauth.sh" ''
#!/usr/bin/env sh
FORGEJO_WORK_PATH="${config.services.forgejo.stateDir}"
FORGEJO_AUTH_NAME="${AUTHELIA_AUTH_NAME}"
# get auth id if any
FORGEJO_AUTH_ID=$(gitea --work-path "$FORGEJO_WORK_PATH" admin auth list | grep "$FORGEJO_AUTH_NAME" | cut -d$'\t' -f1)
ACTION=""
EXTRA_ARG=""
if [ -n "''${FORGEJO_AUTH_ID}" ]; then
echo "PRERUN-AUTH: Authentication source exists, updating..."
ACTION="update-oauth"
EXTRA_ARG="--id $FORGEJO_AUTH_ID"
else
echo "PRERUN-AUTH: Authentication source does not exists, adding..."
ACTION="add-oauth"
fi
SECRET="$(cat $CREDENTIALS_DIRECTORY/authelia-secret)"
${pkgs.forgejo}/bin/gitea \
--work-path '${config.mine.zfsMounts."rpool/safe/svcs/forgejo"}' \
admin auth "$ACTION" $EXTRA_ARG \
--name "$FORGEJO_AUTH_NAME" \
--provider openidConnect \
--key forgejo \
--secret "$SECRET" \
--auto-discover-url "https://${config.mine.settings.authelia.domain}/.well-known/openid-configuration" \
--skip-local-2fa true \
--scopes "email" \
--scopes "profile" \
echo "PRERUN-AUTH: Finished adding/updating..."
'';
in {
  systemd.services.forgejo = {
    # Register both auth sources on every start. lib.mkAfter keeps this behind
    # the NixOS module's own preStart, which prepares the database the CLI
    # scripts operate on.
    preStart = lib.mkAfter ''
      ${scriptAddLDAPAuth}
      ${scriptAddOAuth}
    '';
    # Secrets reach the unit only through systemd's $CREDENTIALS_DIRECTORY
    # (LoadCredential) instead of being copied into the world-readable Nix store.
    # The names on the left are the file names the scripts above read.
    serviceConfig.LoadCredential = [
      "authelia-secret:${config.age.secrets.forgejo-authelia-secret.path}"
      "lldap-bind-user-pass:${config.age.secrets.lldap-bind-user-pass.path}"
    ];
  };

  # Authelia-side OIDC client for Forgejo. Should live in forgejo.nix if needed.
  # "id" must match --key in scriptAddOAuth, and the redirect URI uses the same
  # AUTHELIA_AUTH_NAME that the Forgejo source is registered under.
  services.authelia.instances.main.settings.identity_providers.oidc.clients = [{
    id = "forgejo";
    description = "Forgejo";
    # Hashed client secret; the plaintext is what the "authelia-secret"
    # credential above contains. Generated with:
    # authelia crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986
    secret = "$pbkdf2-sha512$310000$cOGtLwMHyfugAJCIiUUjfQ$ao7zC8QB1m8aTGNf1dxYbRAPivZ0G1eaJ4bNFVfJiTFZX06U5baBjT0emvoaeFHXMFbYHzorb2/8vxnY/D0b5Q";
    # Confidential client: the secret above is required at the token endpoint.
    public = false;
    # Forgejo skips its own 2FA for this source (see scriptAddOAuth), so this
    # policy is the only second-factor gate; raise it to "two_factor" if
    # Forgejo logins should require one.
    authorization_policy = "one_factor";
    redirect_uris = [ "https://${config.mine.settings.forgejo.domain}/user/oauth2/${AUTHELIA_AUTH_NAME}/callback" ];
    scopes = [ "openid" "email" "profile" ];
    # "none" returns the userinfo response as plain JSON rather than a signed
    # JWT — presumably Authelia's default here; verify against the deployed
    # Authelia version's documentation.
    userinfo_signing_algorithm = "none";
  }];
}