# Gitea SSO Prep This is the staged cutover plan for moving the live PD Gitea instance to Authelia-backed sign-in without flipping it live yet. ## Current live shape - stack path: `dev/` - public URL: `https://gitea.paccoco.com` - internal HTTP: `http://gitea:3000` on the `pangolin` network - shared Postgres backend already in use - Gitea version observed live on PD: `1.25.3` ## Safe hardening before SSO - disable public self-registration - keep normal local admin login working until Authelia sign-in is proven - do not change `ROOT_URL` or SSH settings during the auth cutover ## Authelia side Add a dedicated OIDC client for Gitea in the live Authelia `configuration.yml` when ready to test. Recommended values: - `client_id`: `gitea` - `client_name`: `Gitea` - `authorization_policy`: `one_factor` - `scopes`: `openid`, `profile`, `email`, `groups` - `grant_types`: `authorization_code` - `response_types`: `code` - `token_endpoint_auth_method`: `client_secret_basic` Redirect URI guidance: - use the callback URL shown by the Gitea authentication-source form - for standard Gitea OIDC sources this is typically under `/user/oauth2//callback` - validate the exact callback path against the live Gitea UI before committing the Authelia client entry ## Gitea side In Gitea: 1. Sign in as a local admin. 2. Go to `Site Administration` -> `Authentication Sources`. 3. Add a new source of type `OpenID Connect`. 4. Use Authelia discovery if the form supports it, otherwise enter the manual endpoints from `https://auth.paccoco.com/.well-known/openid-configuration`. Recommended source values: - name: `Authelia` - scopes: `openid profile email groups` - required claim mapping priority: email first, then username/login - keep the source enabled only after confirming the callback URL matches the Authelia client entry ## Rollout notes - keep local admin auth available for the first pass - test with one admin account first - after successful sign-in, decide whether to keep local auth as break-glass only - do not disable Pangolin auth in front of Gitea until Authelia login is actually working end-to-end ## Related weak spot The live Gitea app.ini observed on PD had public self-registration enabled. That should stay off for this homelab unless there is a deliberate reason to reopen it.