From f636de02b1080a0361ced3b901ce4da7f151db1c Mon Sep 17 00:00:00 2001
From: uttarayan21
Date: Thu, 14 Aug 2025 03:36:12 +0530
Subject: [PATCH] feat: Fixed oauth in gitea
---
 nixos/mirai/services/default.nix | 5 +--
 nixos/mirai/services/gitea.nix | 61 +++++++++++++++++++++++++++++---
 secrets/secrets.yaml | 7 ++--
 3 files changed, 62 insertions(+), 11 deletions(-)
diff --git a/nixos/mirai/services/default.nix b/nixos/mirai/services/default.nix
index f5175dcb..1fce02f4 100644
--- a/nixos/mirai/services/default.nix
+++ b/nixos/mirai/services/default.nix
@@ -1,11 +1,12 @@
-{...}: {
+{ ... }:
+{
 imports = [
 ./atuin.nix
 ./authelia.nix
 ./caddy.nix
 ./fail2ban.nix
 ./flaresolverr.nix
- # ./gitea.nix
+ ./gitea.nix
 ./homepage.nix
 ./immich.nix
 ./llama.nix
diff --git a/nixos/mirai/services/gitea.nix b/nixos/mirai/services/gitea.nix
index 11f7dec3..e964197f 100644
--- a/nixos/mirai/services/gitea.nix
+++ b/nixos/mirai/services/gitea.nix
@@ -1,6 +1,7 @@
 {
 lib,
 config,
+ pkgs,
 ...
 }:
 {
@@ -16,10 +17,22 @@
 "authelia-darksailor.service"
 ];
 };
+ secrets."authelia/oidc/gitea/client_id" = {
+ owner = config.systemd.services.authelia-darksailor.serviceConfig.User;
+ mode = "0440";
+ restartUnits = [
+ "gitea.service"
+ "authelia-darksailor.service"
+ ];
+ };
 templates = {
 "GITEA_REGISTRATION_TOKEN.env".content = ''
 TOKEN=${config.sops.placeholder."gitea/registration"}
 '';
+ "GITEA_OAUTH_SETUP.env".content = ''
+ CLIENT_ID=${config.sops.placeholder."authelia/oidc/gitea/client_id"}
+ CLIENT_SECRET=${config.sops.placeholder."authelia/oidc/gitea/client_secret"}
+ '';
 };
 };
 services = {
@@ -31,8 +44,9 @@
 DISABLE_REGISTRATION = false;
 ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
 SHOW_REGISTRATION_BUTTON = false;
- ENABLE_REVERSE_PROXY_AUTHENTICATION = true;
- ENABLE_REVERSE_PROXY_AUTO_REGISTRATION = true;
+ ENABLE_REVERSE_PROXY_AUTHENTICATION = false;
+ ENABLE_REVERSE_PROXY_AUTO_REGISTRATION = false;
+ ENABLE_PASSWORD_SIGNIN_FORM = false;
 };
 mailer = {
 ENABLED = true;
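Review bot: The new `sops.secrets."authelia/oidc/gitea/client_id"` declaration in this hunk has no matching `authelia/oidc/gitea/client_id` key added in the `secrets/secrets.yaml` hunks of this patch, which only touch the `gitea:` block; unless that key lives in another sops file or was committed separately, sops-nix will fail at activation and the `GITEA_OAUTH_SETUP.env` template cannot be rendered. Worth confirming the key exists before merging. A short comment on the secret would also make its two readers obvious, e.g. `# read by authelia (client config) and by the GITEA_OAUTH_SETUP.env template for gitea-oauth-setup`. The enclosing `sops` attrset opens outside the hunk.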
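Review bot: With `ENABLE_PASSWORD_SIGNIN_FORM = false` added while reverse-proxy authentication is switched off in the same hunk, the web UI has no login path other than the Authelia OAuth2 source, so if that source is missing (for example because the setup unit failed) the local admin account can no longer sign in through the browser either. That is a reasonable hardening choice, but it should be stated next to the setting so it is not later read as a regression, e.g. `# Web sign-in only via the Authelia OAuth2 source; admin recovery is through the gitea CLI.`. The `service` attrset these lines belong to opens outside the hunk.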
@@ -52,12 +66,17 @@
 ACCOUNT_LINKING = "auto";
 OPENID_CONNECT_SCOPES = "openid profile email";
 };
+ openid = {
+ ENABLE_OPENID_SIGNIN = false;
+ ENABLE_OPENID_SIGNUP = true;
+ WHITELISTED_URIS = "auth.darksailor.dev";
+ };
 };
 };
 gitea-actions-runner = {
 instances = {
 mirai = {
- enable = false;
+ enable = true;
 name = "mirai";
 url = "https://git.darksailor.dev";
 labels = [
@@ -95,7 +114,7 @@
 clients = [
 {
 client_name = "Gitea: Darksailor";
- client_id = "gitea";
+ client_id = ''{{ secret "${config.sops.secrets."authelia/oidc/gitea/client_id".path}" }}'';
 client_secret = ''{{ secret "${config.sops.secrets."authelia/oidc/gitea/client_secret".path}" }}'';
 public = false;
 authorization_policy = "one_factor";
@@ -112,7 +131,7 @@
 response_types = [ "code" ];
 grant_types = [ "authorization_code" ];
 userinfo_signed_response_alg = "none";
- token_endpoint_auth_method = "client_secret_basic";
+ token_endpoint_auth_method = "client_secret_post";
 }
 ];
 };
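Review bot: The new `openid` attrset sets Gitea's `[openid]` section, which as far as I can tell governs the legacy OpenID 2.0 sign-in/sign-up flow, not the OAuth2/OIDC source that `gitea-oauth-setup` registers with `gitea admin auth add-oauth`; so `ENABLE_OPENID_SIGNUP = true` opens a second, unrelated registration path (filtered by `WHITELISTED_URIS`, which Gitea's docs describe as regex patterns) rather than pinning the Authelia issuer. If the intent is to trust only Authelia, the issuer is already fixed by the setup unit's `--auto-discover-url` and this block can be dropped or `ENABLE_OPENID_SIGNUP` set to `false`; if OpenID 2.0 signup is actually wanted, a comment saying why would help the next reader. The enclosing `settings` attrset opens outside the hunk.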
@@ -121,4 +140,36 @@
 };
 };
 };
+
+ systemd.services.gitea-oauth-setup =
+ let
+ name = "authelia";
+ gitea_oauth_script = pkgs.writeShellApplication {
+ name = "gitea_oauth2_script";
+ runtimeInputs = [ config.services.gitea.package ];
+ text = ''
+ gitea admin auth delete --id "$(gitea admin auth list | grep "${name}" | cut -d "$(printf '\t')" -f1)"
+ gitea admin auth add-oauth --provider=openidConnect --name=${name} --key="$CLIENT_ID" --secret="$CLIENT_SECRET" --auto-discover-url=https://auth.darksailor.dev/.well-known/openid-configuration --scopes='openid email profile'
+ '';
+ };
+ in
+ {
+ description = "Configure Gitea OAuth with Authelia";
+ after = [ "gitea.service" ];
+ wants = [ "gitea.service" ];
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ Type = "oneshot";
+ User = config.services.gitea.user;
+ Group = config.services.gitea.group;
+ RemainAfterExit = true;
+ ExecStart = "${lib.getExe gitea_oauth_script}";
+ WorkingDirectory = config.services.gitea.stateDir;
+ EnvironmentFile = config.sops.templates."GITEA_OAUTH_SETUP.env".path;
+ };
+ environment = {
+ GITEA_WORK_DIR = config.services.gitea.stateDir;
+ GITEA_CUSTOM = config.services.gitea.customDir;
+ };
+ };
 }
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
index 01c4d590..c962c444 100644
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
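Review bot: The `text` of `gitea_oauth_script` deletes the auth source and re-adds it on every boot, and both halves can fail: on a fresh install `gitea admin auth list` has no `authelia` row, so `delete` receives `--id ""` and, under the `set -euo pipefail` that `writeShellApplication` enables, its failure aborts the script before `add-oauth` runs; and once users have signed in through the source, Gitea (as far as I recall) refuses to delete a source that still has linked accounts, so the unit fails on every later boot. Updating in place with `gitea admin auth update-oauth` when a row exists and only adding otherwise makes the unit idempotent; the rewrite below does that, relying on the same tab-separated ID/Name columns the existing `cut -d tab` already assumes. Separately, `--key`/`--secret` on the command line expose the OIDC client secret in the process list for the CLI's lifetime; I know of no file-based alternative for these flags, so at least record it, e.g. `# secret is passed via argv and is visible in /proc while the CLI runs`. The `systemd.services.gitea-oauth-setup` definition lies entirely inside the hunk.
```nix
      text = ''
        # Idempotent: update the existing "${name}" source if present, otherwise create it.
        id="$(gitea admin auth list | awk -F'\t' -v n="${name}" '$2 == n { print $1 }')"
        if [ -n "$id" ]; then
          gitea admin auth update-oauth --id "$id" --name=${name} --key="$CLIENT_ID" --secret="$CLIENT_SECRET" --auto-discover-url=https://auth.darksailor.dev/.well-known/openid-configuration --scopes='openid email profile'
        else
          gitea admin auth add-oauth --provider=openidConnect --name=${name} --key="$CLIENT_ID" --secret="$CLIENT_SECRET" --auto-discover-url=https://auth.darksailor.dev/.well-known/openid-configuration --scopes='openid email profile'
        fi
      '';
      # … unchanged: runtimeInputs, serviceConfig, environment …
```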
@@ -4,8 +4,7 @@ paperless:
 adminpass: ENC[AES256_GCM,data:SkW+uh8/WlpJOgEF5GIIt5UygLU=,iv:KaKAmqJxSs822be6FsthJZ3dactgOckwrXLNa3dx350=,tag:40kSGe1O5d6killRdZiSYQ==,type:str]
 secret_key: ENC[AES256_GCM,data:9OkJ/WRLHCQXA0a/FqMieoUX5Lk=,iv:br2OSWU6uQ4/JAEvYeRlA1buhF2PGyPCdGYx0OwROek=,tag:cgnmTTWgkga6E0krWXFIdw==,type:str]
 gitea:
- token: ENC[AES256_GCM,data:6vcGrOlxFxrsCEq3Mu9s3deOnXNpwgc6marpx90+FrU=,iv:3CNdT6P58Wy2/anaucvl9KVLTZ7z4MyDImXNxQVIAcI=,tag:YQboEG8R6G2MCZzDLaZ4wg==,type:str]
- registration: ENC[AES256_GCM,data:gxnqE0aYxkyIrq6lRuzQK0T2edgJP8Xb/3PaKJLxA2W/NZ1TeRFsTA==,iv:dqsoDLfgZaLj0ut5T3V0+THdvRGYsNPBT8wG9cZeFVI=,tag:IC4nP10tvJpvRn2Dc4KgwA==,type:str]
+ registration: ENC[AES256_GCM,data:2czx/AhyAuC0TjrozA/K3VLDBpSuGODLpJLCs5oWNgusZcehW2aL0w==,iv:Xqe3bKTfHGbO/XYFhAdG7OiB3L0cfcNeehuzCKZ7SGw=,tag:57Say1JMrEIvleDk/26ZZg==,type:str]
 llama:
 user: ENC[AES256_GCM,data:qWbhnc/XLotWzqbEa6ekuMe5kD/GwC9SW8omXvgWqCG1BPPCOI3DtlS4YqKxsIhYmw8MQw+4DPnaWHqjrbIsVSrQ79M=,iv:VeqkKb1N9NSKfuilG6dzYdha8cO4JqJ+YUzmkjrPU+0=,tag:SYwR1oU6VWzNoCBPsMg0uQ==,type:str]
 api_key: ENC[AES256_GCM,data:wib+xbb25sTY2K9pacc1mU5eVSyQRurHiCMZyDVSqCAmG4yjkzEykvBevpThNbTZlsk6GZuK4hH0SYJM,iv:GTU6CQ83chXHAuuL0bFMf4L+UWqlcVfXnEE0/SxLzj4=,tag:0LkOSQsuuQd6TK3KHE95TA==,type:str]
@@ -65,7 +64,7 @@ sops:
 VGZKdHpVeFRpQUxtSEkyaEhLMlBJcGsKLb0DvPNZosPBUuiX6qz1s5IO5INQh8CK
 ZtXTVClwMSmaUYhdSB2gKFrKVZHXTJZ4oAL5t/BpC0pOHyr+o96T3Q==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-08-13T19:39:42Z"
- mac: ENC[AES256_GCM,data:tMVQqyaXz8zsdQEVWXNaPPon7ee/YqnRYSAc+kr/Ku7aDsq1aaBE32x3/GgtgQ4tgNfbd+EWiSX8OPU2BDV9JmS98m9KVz5VzjCdSmtg5VG4hO1E+oBlH9rHKAtbQQA8JnRZQ7IfHTkfzCNk1MOteundW/8Sr1xAYEph+O9GPTM=,iv:spCAzV5Q71bQ5NxM17vNUAAsA5kqtWkoYxCWnr9ehsw=,tag:OqX3XnDi0A5w3iGcPH5AyA==,type:str]
+ lastmodified: "2025-08-13T22:05:00Z"
+ mac: ENC[AES256_GCM,data:AG+mAd8MwPuOj2tch2hHfFrzmtf/ccZVFB4uX/zSST0NQLDERw4u1YdGTparzYzQZMSC0ncnjLvTd9h92XVx5ze/RlSb/4yfSG9Kod8cbgQyY/rxOr7nVkysk7TMYuVDH2aWjD58IdNZ4jmgfYv/S7okI2YNnG2rdFjXZ7DmL5g=,iv:a2qj+lGfOxvZsUWwNrFqLSCCh908w6NOsPWIPXR4W8s=,tag:TDPRlxFzlzVF6LEF1BQI6w==,type:str]
 unencrypted_suffix: _unencrypted
 version: 3.10.2