mirrors_public/oddlama_nix-config
1
1
Fork 1
mirror of https://github.com/oddlama/nix-config.git synced 2025-10-11 07:10:39 +02:00
Code Activity

chore: try enabling oidc in forgejo, but there is an issue with token endpoint authentication

Browse source
This commit is contained in:
oddlama 2023-08-28 00:22:50 +02:00
parent 7f2315fc1d
commit 55b51ea631
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
1 changed files with 32 additions and 21 deletions
Download patch file Download diff file Expand all files Collapse all files

53
hosts/ward/microvms/forgejo.nix
View file

@ -32,7 +32,7 @@ in {
services.nginx = { services.nginx = {
upstreams.forgejo = { upstreams.forgejo = {
servers."${config.services.gitea.settings.server.HTTP_ADDR}:${toString config.services.gitea.settings.server.HTTP_PORT}" = {}; servers."${config.meta.wireguard.proxy-sentinel.ipv4}:${toString config.services.gitea.settings.server.HTTP_PORT}" = {};
extraConfig = '' extraConfig = ''
zone forgejo 64k; zone forgejo 64k;
keepalive 2; keepalive 2;
@ -131,27 +131,38 @@ in {
}; };
}; };
# XXX: PKCE is currently not supported by gitea/forgejo,
# see https://github.com/go-gitea/gitea/issues/21376.
# Disable PKCE manually in kanidm for now.
# `kanidm system oauth2 warning-insecure-client-disable-pkce forgejo`
systemd.services.gitea = { systemd.services.gitea = {
serviceConfig.RestartSec = "600"; # Retry every 10 minutes serviceConfig.RestartSec = "600"; # Retry every 10 minutes
#preStart = let preStart = let
# exe = lib.getExe config.services.gitea.package; exe = lib.getExe config.services.gitea.package;
# providerName = "PrivateVoidAccount"; providerName = "kanidm";
# args = lib.escapeShellArgs [ clientId = "forgejo";
# "--name" providerName args = lib.escapeShellArgs [
# "--provider" "openidConnect" "--name"
# "--key" "net.privatevoid.forge1" providerName
# "--auto-discover-url" "https://login.${domain}/auth/realms/master/.well-known/openid-configuration" "--provider"
# "--group-claim-name" "groups" "openidConnect"
# "--admin-group" "/forge_admins@${domain}" "--key"
# "--skip-local-2fa" clientId
# ]; "--auto-discover-url"
#in lib.mkAfter /* bash */ '' "https://${sentinelCfg.networking.providedDomains.kanidm}/oauth2/openid/${clientId}/.well-known/openid-configuration"
# provider_id=$(${exe} admin auth list | ${pkgs.gnugrep}/bin/grep -w '${providerName}' | cut -f1) #"--required-claim-name" "groups"
# if [[ -z "$provider_id" ]]; then #"--group-claim-name" "groups"
# FORGEJO_ADMIN_OAUTH2_SECRET="$(< ${secrets.forgejoOidcSecret.path})" ${exe} admin auth add-oauth ${args} #"--admin-group" "/forge_admins@${domain}"
# else "--skip-local-2fa"
# FORGEJO_ADMIN_OAUTH2_SECRET="$(< ${secrets.forgejoOidcSecret.path})" ${exe} admin auth update-oauth --id "$provider_id" ${args} ];
# fi in
#''; lib.mkAfter ''
provider_id=$(${exe} admin auth list | ${pkgs.gnugrep}/bin/grep -w '${providerName}' | cut -f1)
if [[ -z "$provider_id" ]]; then
FORGEJO_ADMIN_OAUTH2_SECRET="$(< ${config.age.secrets.forgejo-oauth2-client-secret.path})" ${exe} admin auth add-oauth ${args}
else
FORGEJO_ADMIN_OAUTH2_SECRET="$(< ${config.age.secrets.forgejo-oauth2-client-secret.path})" ${exe} admin auth update-oauth --id "$provider_id" ${args}
fi
'';
}; };
} }