add kanidm

2026-05-02 12:52:47 -04:00
parent f42d031f4f
commit 6a6f5a1e9d
14 changed files with 288 additions and 53 deletions
--- a/systems/palatine-hill/gitea.nix
+++ b/systems/palatine-hill/gitea.nix
@@ -37,6 +37,10 @@ in
      service = {
        DISABLE_REGISTRATION = true;
      };
+      openid = {
+        ENABLE_OPENID_SIGNIN = true;
+        ENABLE_OPENID_SIGNUP = false;
+      };
      log = {
        LEVEL = "Trace";
        ENABLE_SSH_LOG = true;
@@ -71,6 +75,45 @@ in
    after = [ "docker.service" ];
  };

+  systemd.services.gitea-kanidm-oidc-bootstrap = {
+    description = "Bootstrap Gitea Kanidm OIDC auth source";
+    wantedBy = [ "multi-user.target" ];
+    requires = [ "gitea.service" ];
+    after = [ "gitea.service" ];
+    serviceConfig = {
+      Type = "oneshot";
+      User = "root";
+      Group = "root";
+    };
+    path = [
+      config.services.gitea.package
+      pkgs.coreutils
+      pkgs.gnugrep
+    ];
+    script = ''
+      set -eu
+
+      APP_INI="${config.services.gitea.customDir}/conf/app.ini"
+
+      if gitea admin auth list --config "$APP_INI" | grep -Fq "Kanidm OIDC"; then
+        exit 0
+      fi
+
+      gitea admin auth add-oauth \
+        --config "$APP_INI" \
+        --name "Kanidm OIDC" \
+        --provider openidConnect \
+        --key "gitea" \
+        --secret "$(<${config.sops.secrets."kanidm/gitea_oidc_client_secret".path})" \
+        --auto-discover-url "https://auth.nayeonie.com/oauth2/openid/gitea/.well-known/openid-configuration" \
+        --scopes openid \
+        --scopes profile \
+        --scopes email \
+        --group-claim-name groups \
+        --admin-group gitea-users
+    '';
+  };
+
  networking.firewall.allowedTCPPorts = [ 6443 ];

  sops.secrets = {