servius/dotfiles
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

feat: Added oidc for gitea

Browse Source
This commit is contained in:
uttarayan21
2025-08-08 00:44:58 +05:30
parent bf4bb794c5
commit f07bc9f11b
1 changed files with 43 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

56
nixos/mirai/services/gitea.nix
View File

@@ -7,6 +7,18 @@
sops = { sops = {
# secrets."gitea/registration".owner = config.systemd.services.gitea-actions-mirai.serviceConfig.User; # secrets."gitea/registration".owner = config.systemd.services.gitea-actions-mirai.serviceConfig.User;
secrets."gitea/registration" = {}; secrets."gitea/registration" = {};
secrets."authelia/oidc/gitea/client_id" = {
owner = config.services.gitea.user;
group = config.services.gitea.group;
mode = "0440";
restartUnits = ["gitea.service" "authelia-darksailor.service"];
};
secrets."authelia/oidc/gitea/client_secret" = {
owner = config.services.gitea.user;
group = config.services.gitea.group;
mode = "0440";
restartUnits = ["gitea.service" "authelia-darksailor.service"];
};
templates = { templates = {
"GITEA_REGISTRATION_TOKEN.env".content = '' "GITEA_REGISTRATION_TOKEN.env".content = ''
TOKEN=${config.sops.placeholder."gitea/registration"} TOKEN=${config.sops.placeholder."gitea/registration"}
@@ -18,16 +30,20 @@
enable = true; enable = true;
settings = { settings = {
service = { service = {
ENABLE_REVERSE_PROXY_AUTHENTICATION = true; DISABLE_REGISTRATION = true;
ENABLE_REVERSE_PROXY_AUTO_REGISTRATION = true; };
"auth/authelia" = {
AUTO_DISCOVER_URL = "https://auth.darksailor.dev/.well-known/openid-configuration";
CLIENT_ID = config.sops.placeholder."authelia/oidc/gitea/client_id";
CLIENT_SECRET_FILE = config.sops.secrets."authelia/oidc/gitea/client_secret".path;
ICON_URL = "https://www.authelia.com/images/branding/logo-light.png";
NAME = "authelia";
PROVIDER = "openidConnect";
}; };
mailer = { mailer = {
ENABLED = true; ENABLED = true;
PROTOCOL = "sendmail"; PROTOCOL = "sendmail";
}; };
security = {
REVERSE_PROXY_AUTHENTICATION_USER = "REMOTE-USER";
};
server = { server = {
ROOT_URL = "https://git.darksailor.dev"; ROOT_URL = "https://git.darksailor.dev";
DOMAIN = "git.darksailor.dev"; DOMAIN = "git.darksailor.dev";
@@ -49,25 +65,39 @@
}; };
caddy = { caddy = {
virtualHosts."git.darksailor.dev".extraConfig = '' virtualHosts."git.darksailor.dev".extraConfig = ''
import auth
reverse_proxy localhost:3000 reverse_proxy localhost:3000
''; '';
}; };
authelia = { authelia = {
instances.darksailor = { instances.darksailor = {
settings = { settings = {
identity_providers = {
oidc = {
clients = [
{
client_name = "gitea";
client_id = ''{{ secret "${config.sops.secrets."authelia/oidc/gitea/client_id".path}" }}'';
client_secret = ''{{ secret "${config.sops.secrets."authelia/oidc/gitea/client_secret".path}" }}'';
public = false;
authorization_policy = "one_factor";
require_pkce = true;
redirect_uris = [
"https://git.darksailor.dev/user/oauth2/authelia/callback"
];
scopes = ["openid" "profile" "email" "groups"];
response_types = ["code"];
grant_types = ["authorization_code"];
userinfo_signed_response_alg = "none";
token_endpoint_auth_method = "client_secret_post";
}
];
};
};
access_control = { access_control = {
rules = [ rules = [
{ {
domain = "git.darksailor.dev"; domain = "git.darksailor.dev";
policy = "bypass"; policy = "bypass";
resources = [
"^/api([/?].*)?$"
];
}
{
domain = "git.darksailor.dev";
policy = "one_factor";
} }
]; ];
}; };