servius/dotfiles
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

feat: Fixed oauth in gitea
Some checks failed
Flake checker / Build Nix targets (push) Has been cancelled
Details

Browse Source
This commit is contained in:
uttarayan21
2025-08-14 03:36:12 +05:30
parent 042bf432d8
commit f636de02b1
3 changed files with 62 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
nixos/mirai/services/default.nix
View File

@@ -1,11 +1,12 @@
{...}: {
{ ... }:
{
imports = [
./atuin.nix
./authelia.nix
./caddy.nix
./fail2ban.nix
./flaresolverr.nix
# ./gitea.nix
./gitea.nix
./homepage.nix
./immich.nix
./llama.nix

61
nixos/mirai/services/gitea.nix
View File

@@ -1,6 +1,7 @@
{
lib,
config,
pkgs,
...
}:
{
@@ -16,10 +17,22 @@
"authelia-darksailor.service"
];
};
secrets."authelia/oidc/gitea/client_id" = {
owner = config.systemd.services.authelia-darksailor.serviceConfig.User;
mode = "0440";
restartUnits = [
"gitea.service"
"authelia-darksailor.service"
];
};
templates = {
"GITEA_REGISTRATION_TOKEN.env".content = ''
TOKEN=${config.sops.placeholder."gitea/registration"}
'';
"GITEA_OAUTH_SETUP.env".content = ''
CLIENT_ID=${config.sops.placeholder."authelia/oidc/gitea/client_id"}
CLIENT_SECRET=${config.sops.placeholder."authelia/oidc/gitea/client_secret"}
'';
};
};
services = {
@@ -31,8 +44,9 @@
DISABLE_REGISTRATION = false;
ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
SHOW_REGISTRATION_BUTTON = false;
ENABLE_REVERSE_PROXY_AUTHENTICATION = true;
ENABLE_REVERSE_PROXY_AUTO_REGISTRATION = true;
ENABLE_REVERSE_PROXY_AUTHENTICATION = false;
ENABLE_REVERSE_PROXY_AUTO_REGISTRATION = false;
ENABLE_PASSWORD_SIGNIN_FORM = false;
};
mailer = {
ENABLED = true;
@@ -52,12 +66,17 @@
ACCOUNT_LINKING = "auto";
OPENID_CONNECT_SCOPES = "openid profile email";
};
openid = {
ENABLE_OPENID_SIGNIN = false;
ENABLE_OPENID_SIGNUP = true;
WHITELISTED_URIS = "auth.darksailor.dev";
};
};
};
gitea-actions-runner = {
instances = {
mirai = {
enable = false;
enable = true;
name = "mirai";
url = "https://git.darksailor.dev";
labels = [
@@ -95,7 +114,7 @@
clients = [
{
client_name = "Gitea: Darksailor";
client_id = "gitea";
client_id = ''{{ secret "${config.sops.secrets."authelia/oidc/gitea/client_id".path}" }}'';
client_secret = ''{{ secret "${config.sops.secrets."authelia/oidc/gitea/client_secret".path}" }}'';
public = false;
authorization_policy = "one_factor";
@@ -112,7 +131,7 @@
response_types = [ "code" ];
grant_types = [ "authorization_code" ];
userinfo_signed_response_alg = "none";
token_endpoint_auth_method = "client_secret_basic";
token_endpoint_auth_method = "client_secret_post";
}
];
};
@@ -121,4 +140,36 @@
};
};
};
systemd.services.gitea-oauth-setup =
let
name = "authelia";
gitea_oauth_script = pkgs.writeShellApplication {
name = "gitea_oauth2_script";
runtimeInputs = [ config.services.gitea.package ];
text = ''
gitea admin auth delete --id "$(gitea admin auth list | grep "${name}" | cut -d "$(printf '\t')" -f1)"
gitea admin auth add-oauth --provider=openidConnect --name=${name} --key="$CLIENT_ID" --secret="$CLIENT_SECRET" --auto-discover-url=https://auth.darksailor.dev/.well-known/openid-configuration --scopes='openid email profile'
'';
};
in
{
description = "Configure Gitea OAuth with Authelia";
after = [ "gitea.service" ];
wants = [ "gitea.service" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "oneshot";
User = config.services.gitea.user;
Group = config.services.gitea.group;
RemainAfterExit = true;
ExecStart = "${lib.getExe gitea_oauth_script}";
WorkingDirectory = config.services.gitea.stateDir;
EnvironmentFile = config.sops.templates."GITEA_OAUTH_SETUP.env".path;
};
environment = {
GITEA_WORK_DIR = config.services.gitea.stateDir;
GITEA_CUSTOM = config.services.gitea.customDir;
};
};
}

7
secrets/secrets.yaml
View File

@@ -4,8 +4,7 @@ paperless:
adminpass: ENC[AES256_GCM,data:SkW+uh8/WlpJOgEF5GIIt5UygLU=,iv:KaKAmqJxSs822be6FsthJZ3dactgOckwrXLNa3dx350=,tag:40kSGe1O5d6killRdZiSYQ==,type:str]
secret_key: ENC[AES256_GCM,data:9OkJ/WRLHCQXA0a/FqMieoUX5Lk=,iv:br2OSWU6uQ4/JAEvYeRlA1buhF2PGyPCdGYx0OwROek=,tag:cgnmTTWgkga6E0krWXFIdw==,type:str]
gitea:
token: ENC[AES256_GCM,data:6vcGrOlxFxrsCEq3Mu9s3deOnXNpwgc6marpx90+FrU=,iv:3CNdT6P58Wy2/anaucvl9KVLTZ7z4MyDImXNxQVIAcI=,tag:YQboEG8R6G2MCZzDLaZ4wg==,type:str]
registration: ENC[AES256_GCM,data:gxnqE0aYxkyIrq6lRuzQK0T2edgJP8Xb/3PaKJLxA2W/NZ1TeRFsTA==,iv:dqsoDLfgZaLj0ut5T3V0+THdvRGYsNPBT8wG9cZeFVI=,tag:IC4nP10tvJpvRn2Dc4KgwA==,type:str]
registration: ENC[AES256_GCM,data:2czx/AhyAuC0TjrozA/K3VLDBpSuGODLpJLCs5oWNgusZcehW2aL0w==,iv:Xqe3bKTfHGbO/XYFhAdG7OiB3L0cfcNeehuzCKZ7SGw=,tag:57Say1JMrEIvleDk/26ZZg==,type:str]
llama:
user: ENC[AES256_GCM,data:qWbhnc/XLotWzqbEa6ekuMe5kD/GwC9SW8omXvgWqCG1BPPCOI3DtlS4YqKxsIhYmw8MQw+4DPnaWHqjrbIsVSrQ79M=,iv:VeqkKb1N9NSKfuilG6dzYdha8cO4JqJ+YUzmkjrPU+0=,tag:SYwR1oU6VWzNoCBPsMg0uQ==,type:str]
api_key: ENC[AES256_GCM,data:wib+xbb25sTY2K9pacc1mU5eVSyQRurHiCMZyDVSqCAmG4yjkzEykvBevpThNbTZlsk6GZuK4hH0SYJM,iv:GTU6CQ83chXHAuuL0bFMf4L+UWqlcVfXnEE0/SxLzj4=,tag:0LkOSQsuuQd6TK3KHE95TA==,type:str]
@@ -65,7 +64,7 @@ sops:
VGZKdHpVeFRpQUxtSEkyaEhLMlBJcGsKLb0DvPNZosPBUuiX6qz1s5IO5INQh8CK
ZtXTVClwMSmaUYhdSB2gKFrKVZHXTJZ4oAL5t/BpC0pOHyr+o96T3Q==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-08-13T19:39:42Z"
mac: ENC[AES256_GCM,data:tMVQqyaXz8zsdQEVWXNaPPon7ee/YqnRYSAc+kr/Ku7aDsq1aaBE32x3/GgtgQ4tgNfbd+EWiSX8OPU2BDV9JmS98m9KVz5VzjCdSmtg5VG4hO1E+oBlH9rHKAtbQQA8JnRZQ7IfHTkfzCNk1MOteundW/8Sr1xAYEph+O9GPTM=,iv:spCAzV5Q71bQ5NxM17vNUAAsA5kqtWkoYxCWnr9ehsw=,tag:OqX3XnDi0A5w3iGcPH5AyA==,type:str]
lastmodified: "2025-08-13T22:05:00Z"
mac: ENC[AES256_GCM,data:AG+mAd8MwPuOj2tch2hHfFrzmtf/ccZVFB4uX/zSST0NQLDERw4u1YdGTparzYzQZMSC0ncnjLvTd9h92XVx5ze/RlSb/4yfSG9Kod8cbgQyY/rxOr7nVkysk7TMYuVDH2aWjD58IdNZ4jmgfYv/S7okI2YNnG2rdFjXZ7DmL5g=,iv:a2qj+lGfOxvZsUWwNrFqLSCCh908w6NOsPWIPXR4W8s=,tag:TDPRlxFzlzVF6LEF1BQI6w==,type:str]
unencrypted_suffix: _unencrypted
version: 3.10.2