Files
truenas-stacks/docs/operations/GITEA_SSO_PREP.md

2.3 KiB

Gitea SSO Prep

This is the staged cutover plan for moving the live PD Gitea instance to Authelia-backed sign-in without flipping it live yet.

Current live shape

  • stack path: dev/
  • public URL: https://gitea.paccoco.com
  • internal HTTP: http://gitea:3000 on the pangolin network
  • shared Postgres backend already in use
  • Gitea version observed live on PD: 1.25.3

Safe hardening before SSO

  • disable public self-registration
  • keep normal local admin login working until Authelia sign-in is proven
  • do not change ROOT_URL or SSH settings during the auth cutover

Authelia side

Add a dedicated OIDC client for Gitea in the live Authelia configuration.yml when ready to test.

Recommended values:

  • client_id: gitea
  • client_name: Gitea
  • authorization_policy: one_factor
  • scopes: openid, profile, email, groups
  • grant_types: authorization_code
  • response_types: code
  • token_endpoint_auth_method: client_secret_basic

Redirect URI guidance:

  • use the callback URL shown by the Gitea authentication-source form
  • for standard Gitea OIDC sources this is typically under /user/oauth2/<source-name>/callback
  • validate the exact callback path against the live Gitea UI before committing the Authelia client entry

Gitea side

In Gitea:

  1. Sign in as a local admin.
  2. Go to Site Administration -> Authentication Sources.
  3. Add a new source of type OpenID Connect.
  4. Use Authelia discovery if the form supports it, otherwise enter the manual endpoints from https://auth.paccoco.com/.well-known/openid-configuration.

Recommended source values:

  • name: Authelia
  • scopes: openid profile email groups
  • required claim mapping priority: email first, then username/login
  • keep the source enabled only after confirming the callback URL matches the Authelia client entry

Rollout notes

  • keep local admin auth available for the first pass
  • test with one admin account first
  • after successful sign-in, decide whether to keep local auth as break-glass only
  • do not disable Pangolin auth in front of Gitea until Authelia login is actually working end-to-end

The live Gitea app.ini observed on PD had public self-registration enabled. That should stay off for this homelab unless there is a deliberate reason to reopen it.