feat: Disable gitea

nixos/mirai/services/default.nix

@@ -1,11 +1,12 @@
-{...}: {
+{ ... }:
+{
   imports = [
     ./atuin.nix
     ./authelia.nix
     ./caddy.nix
     ./fail2ban.nix
     ./flaresolverr.nix
-    ./gitea.nix
+    # ./gitea.nix
     ./homepage.nix
     ./immich.nix
     ./llama.nix

nixos/mirai/services/gitea.nix

@@ -2,15 +2,25 @@
   lib,
   config,
   ...
-}: {
+}:
+{
   virtualisation.docker.enable = true;
   sops = {
     # secrets."gitea/registration".owner = config.systemd.services.gitea-actions-mirai.serviceConfig.User;
     secrets."gitea/registration" = { };
+    secrets."authelia/oidc/gitea/client_secret" = {
+      owner = config.systemd.services.authelia-darksailor.serviceConfig.User;
+      mode = "0440";
+      restartUnits = [
+        "gitea.service"
+        "authelia-darksailor.service"
+      ];
+    };
     templates = {
       "GITEA_REGISTRATION_TOKEN.env".content = ''
         TOKEN=${config.sops.placeholder."gitea/registration"}
       '';
+
     };
   };
   services = {
@@ -35,6 +45,11 @@
           # LFS_START_SERVER = true;
           LFS_ALLOW_PURE_SSH = true;
         };
+        oauth2_client = {
+          ENABLE_AUTO_REGISTRATION = true;
+          ACCOUNT_LINKING = "auto";
+          OPENID_CONNECT_SCOPES = "openid profile email";
+        };
       };
     };
     gitea-actions-runner = {
@@ -52,25 +67,50 @@
     };
     caddy = {
       virtualHosts."git.darksailor.dev".extraConfig = ''
-        import auth
+        # import auth
         reverse_proxy localhost:3000
       '';
     };
     authelia = {
       instances.darksailor = {
         settings = {
-          access_control = {
+          # access_control = {
-            rules = [
+          #   rules = [
+          #     {
+          #       domain = "git.darksailor.dev";
+          #       policy = "bypass";
+          #       resources = [
+          #         "^/api([/?].*)?$"
+          #       ];
+          #     }
+          #     {
+          #       domain = "git.darksailor.dev";
+          #       policy = "one_factor";
+          #     }
+          #   ];
+          # };
+          identity_providers = {
+            oidc = {
+              clients = [
                 {
-                domain = "git.darksailor.dev";
+                  client_name = "gitea";
-                policy = "bypass";
+                  client_id = "gitea";
-                resources = [
+                  client_secret = ''{{ secret "${config.sops.secrets."authelia/oidc/gitea/client_secret".path}" }}'';
-                  "^/api([/?].*)?$"
+                  public = false;
+                  authorization_policy = "one_factor";
+                  require_pkce = false;
+                  redirect_uris = [
+                    "https://git.darksailor.dev/user/oauth2/authelia/callback"
                   ];
-              }
+                  scopes = [
-              {
+                    "openid"
-                domain = "git.darksailor.dev";
+                    "profile"
-                policy = "one_factor";
+                    "email"
+                  ];
+                  response_types = [ "code" ];
+                  grant_types = [ "authorization_code" ];
+                  userinfo_signed_response_alg = "none";
+                  token_endpoint_auth_method = "client_secret_post";
                 }
               ];
             };
@@ -78,4 +118,5 @@
         };
       };
     };
+  };
 }

secrets/secrets.yaml

@@ -31,6 +31,9 @@ authelia:
             client_secret: ENC[AES256_GCM,data:aQylVYsqDExbavjGsVAXPlf/rxileM3xLM0EXCKHfiNYxwzXck/f/bvwZl7ChQZ/AHDvZ8mkMkZHyTdyap25Hg==,iv:swSrM8MvhLcq7Gw/lV36j//8fnTzBcs5wU8aj+n9obE=,tag:neaHG+UCVhmZ2HLqVa/jGA==,type:str]
         nextcloud:
             client_secret: ENC[AES256_GCM,data:5SZ0A0OVK3emOobuI4KYv4E3l0Q/LwVWExCg1gPoG8AKcf4Pd04SnZE7aDoFnWTv1YhEY4sRaYQW/dn2pl4zsg==,iv:p0qmeYXTqqqX0NI2YK4fpGOK8NArFCMzoSGb/lc3L4w=,tag:Ob6/FyJP1LOkvBcOh6GOJA==,type:str]
+        gitea:
+            client_id: ENC[AES256_GCM,data:wxC4eYM=,iv:Opd7H7B5SiEiL7O8bXuy1u/mGRRMRPpxKu9aPZVK62U=,tag:SY2nwph8whqqdVnAh/vOGg==,type:str]
+            client_secret: ENC[AES256_GCM,data:vhFs7U5KyzWe5hM+H1TFMhw/0QcBWNGE0W6qtWVkVlcL16coAmubMJvRrDEfv8wzbrSXCj6fdyZOuHFb5bTO7A==,iv:529/LBYE6+C65jDLr3IAT4tCz8wH/EG55NQ/feh2Cp0=,tag:mhMFvPatQeiB/tkPfLyZ4A==,type:str]
         jwks: ENC[AES256_GCM,data:1efhdlYmiD/y4kzK0hFfLAmY6rXK0hvZez/tu1cb2hfUhIM/DzNNthKQjH8Cu2TlZwDQpUIrCO7Tr0BbkiREC+VNK4vYgi+GWswnG7VCZS40xRAZhSArNO2uQ4dpf/KAHRSSJa3i7gGOqSG/Pnrl3TRhzkhkfWSRk+7koPWKpYJOKLem+ZLN75yssCsEbYIOHjcXyizNHt6SE2ylqqCjyWnlhlnRQStYaFPWAAABcm96MkSThSyRd6hTAifC/aZiM1IMlLw7wJJk01uwjJytlxBxDiFrdr4Grg0PzOsOAocex9Siw5fzcr7dFpVBoaS7e7nD/sccGSyEysw/t+wvkMou1Ewr5U2Pnew8lPjSrEiiGxuPwmK9kHxD3L6cADxF6xs4bn+Iqa/yy9FWbtGZfBYOxJiRvXgxBPiO7CH4tJyVIbnLfi8K/zCJC9u5vO+WFXiVIzXxAPVUL7VKQQZGxV7989LMdcjzck+B1zFHVQz25siwbpu0FxMxiJsVtBxu1U+QBRfQrwLacX2NAJvqYNZxr+9l43Fh0x8dS5CBheVEy39sXge9jLyS7kIW0FfvgJaHuLL2/GhDGsvfi7zFPOc8Thg+8LP58L8wzPT+LvVoidq/j3K2Ct6udn9JsOnbZT3Gs1RiY+E77H09GbdwIrP0sGVi4ZJe++w+sKNjyzLzceEYGkfa1EiMQhYPHzqUAwqtgmJZo9tY+2jOBJb9ZU+Kj0xtqZsjFpHaGWsRj8XGkPrAFEh6Z6/Ak9/BpYaapPeAO3Wa6tzNVlTCtaX786nSTjfGC7v9O4Uz8XQr0HV3A7wj36Fw3dqERZFKea7BJbiiAiEZtnOsbWVqQXpIUVfCvPhfwuFcOU/ClyM1fGyZXaCIeB62Tkqa+ZlqRQgzzf3bSFUK0PgxE3Ny5pIPzNEINqse+6DeFuF91uY1dLQB4Vizyzv1H+X/OecO9K8kECM1wUy3Fbbyh4tYYxt4VvqFQZ1o4A7Jd04WCIf3hdAHmwvOQW+/8dfnyLa8kqTcQYeI3jfjtRvD6TaZl21K9kFY2VJAexdno9bbozDOus1Ep92ublwonVjfvzbyDURHGF6Cw2OL7xcbHQIMz/ZmkVHMra49NHgWlI6X0slgYDxKKDszHhZ9SHkEXF8pJf+uogbwSwz1glRkEdn1oprbs8GsFoc7HGVvSHRgOWKHwvhZD2tMiSE4cEFZ9/2nSPISQMNGuS7wgnVkalKPW+gF1EWVXczanzKsrpcDtpMdFufMRVusaJBV5Jw62I++cx1AMW2dRTseQyWLchRWtOba6dd9gbNzGi39+njHClHIEUxaxXzxIQLhSgCA9loXRc26ZA6DpwHQR+gtH2OybeFEiH390YoSfFeZuU+f0E2awMdpiEsBL/AniUcboDaBEaDQYpwUawNL+II7rmSn4rTJM64n5z3B88U/vAQh9BQFhf7SDKb05n/ArCibkdy3gbo8rTVH1gGbmW53DTxzuW+AEpFcuueiP3yz1vGzEwKSX+LMkCwFwk6Y/VcqHXW+PdZ88SFUr5WELGPkZxT3AvmduBCifE0KDzKWrN3yy1xwEQDGrYiqeHqeqHpEuk/KpxeAwepqWayGMq6iT4BWUBojNo6quoXkPPodSsotbBFLjyRHoDGm0NZSbgluOUyERrN6M+ELdHqQjeNTS046KB6QnG5s+uTA+uxyonvmPCPBgFAd0q0qfq4T/SISHrPe13Y7nHnATxoMBszvIfKznqFthTBsc3V9C5+g/kcOzcEQpAC6baGe+eq23m/Go3uDa7O84Euxhj9C5NBcidvgmYmRZuY6l2ehnxf1oGoGwHBJEaYEuCk7sc3Wac6u2OvqCIKPxRdi2tUiZ9FwCGLqd8qcLEPtsSaBNk2CVlK9ZkgPzSYH794qpNQDWkyv5SJ4V9zy2LL+s9MHtHNQu6QxALZ8c0GfQetTI5ArkC3cBz/3mRdDMy9k7HpO7b6USoxqGAZ+H4kzJhus9QwjaqJnnB+fJI5O2ek5TVLY9RWXo+W2pCBDjt925BVoChkvkUEg4GtvR+8/yChgYEgYWUPqRV4vMEwQiRoaJamL/E+lRaUx+c0f9ga8+k0JdfxfzoIPUA3/rBGcfO8Y12RF8Ool4hreP409KjdPP0PeeOVKg58MPYNO5O0BdT62nyL+fSvJkw7uPGcOwtOtcxjcBsNhoFv0twrCp8S3cLX45GTNaTw+JHcxsTzG9ibL3bFtVkAAiZHZGMisEjTSGElSGIDk+MoPt68hq4BRioab,iv:gGKyTUigpnqg3Fgd76INrESRT27hJRzYQ3xk8heNkWk=,tag:fVc8rg1Or63X/14neG+8Cw==,type:str]
 lldap:
     jwt: ENC[AES256_GCM,data:61dwC1ElOOGaf0CmalzXZnxImEyufKjUUWcNaEcOuv3TEODhQyHK7g==,iv:CVEJVuaCc2gDmSYWHS3fPL8FjbvblF6IladAzGoGb0o=,tag:OMm/OdKjliHjsGqJripLbg==,type:str]
@@ -62,7 +65,7 @@ sops:
             VGZKdHpVeFRpQUxtSEkyaEhLMlBJcGsKLb0DvPNZosPBUuiX6qz1s5IO5INQh8CK
             ZtXTVClwMSmaUYhdSB2gKFrKVZHXTJZ4oAL5t/BpC0pOHyr+o96T3Q==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-07-31T19:58:41Z"
+    lastmodified: "2025-08-13T19:39:42Z"
-    mac: ENC[AES256_GCM,data:B6xCuuzH90mnnpVjRtYOMRuFACvAvEodPs/sYI0BCdrD05eHB/t3BB1y/kI65J41Tj1AY8+3zTBJU1VdhmN1dusu3G6dMqVEiG+09CfjfaSVk6k1zw9IkYCBn0CeovXAZfOjyTbOnVILHriIofsHS7l+F2F0Jo2Nx8OdY7Gy0fY=,iv:wi/1YJVU1OwvzooFHHxt/jSvBafGa9orAYLH66psmfc=,tag:umj/NOtqW/9jLmUZZX2hPA==,type:str]
+    mac: ENC[AES256_GCM,data:tMVQqyaXz8zsdQEVWXNaPPon7ee/YqnRYSAc+kr/Ku7aDsq1aaBE32x3/GgtgQ4tgNfbd+EWiSX8OPU2BDV9JmS98m9KVz5VzjCdSmtg5VG4hO1E+oBlH9rHKAtbQQA8JnRZQ7IfHTkfzCNk1MOteundW/8Sr1xAYEph+O9GPTM=,iv:spCAzV5Q71bQ5NxM17vNUAAsA5kqtWkoYxCWnr9ehsw=,tag:OqX3XnDi0A5w3iGcPH5AyA==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.10.2