65 lines
2.3 KiB
Markdown
65 lines
2.3 KiB
Markdown
# Gitea SSO Prep
|
|
|
|
This is the staged cutover plan for moving the live PD Gitea instance to Authelia-backed sign-in without flipping it live yet.
|
|
|
|
## Current live shape
|
|
|
|
- stack path: `dev/`
|
|
- public URL: `https://gitea.paccoco.com`
|
|
- internal HTTP: `http://gitea:3000` on the `pangolin` network
|
|
- shared Postgres backend already in use
|
|
- Gitea version observed live on PD: `1.25.3`
|
|
|
|
## Safe hardening before SSO
|
|
|
|
- disable public self-registration
|
|
- keep normal local admin login working until Authelia sign-in is proven
|
|
- do not change `ROOT_URL` or SSH settings during the auth cutover
|
|
|
|
## Authelia side
|
|
|
|
Add a dedicated OIDC client for Gitea in the live Authelia `configuration.yml` when ready to test.
|
|
|
|
Recommended values:
|
|
|
|
- `client_id`: `gitea`
|
|
- `client_name`: `Gitea`
|
|
- `authorization_policy`: `one_factor`
|
|
- `scopes`: `openid`, `profile`, `email`, `groups`
|
|
- `grant_types`: `authorization_code`
|
|
- `response_types`: `code`
|
|
- `token_endpoint_auth_method`: `client_secret_basic`
|
|
|
|
Redirect URI guidance:
|
|
|
|
- use the callback URL shown by the Gitea authentication-source form
|
|
- for standard Gitea OIDC sources this is typically under `/user/oauth2/<source-name>/callback`
|
|
- validate the exact callback path against the live Gitea UI before committing the Authelia client entry
|
|
|
|
## Gitea side
|
|
|
|
In Gitea:
|
|
|
|
1. Sign in as a local admin.
|
|
2. Go to `Site Administration` -> `Authentication Sources`.
|
|
3. Add a new source of type `OpenID Connect`.
|
|
4. Use Authelia discovery if the form supports it, otherwise enter the manual endpoints from `https://auth.paccoco.com/.well-known/openid-configuration`.
|
|
|
|
Recommended source values:
|
|
|
|
- name: `Authelia`
|
|
- scopes: `openid profile email groups`
|
|
- required claim mapping priority: email first, then username/login
|
|
- keep the source enabled only after confirming the callback URL matches the Authelia client entry
|
|
|
|
## Rollout notes
|
|
|
|
- keep local admin auth available for the first pass
|
|
- test with one admin account first
|
|
- after successful sign-in, decide whether to keep local auth as break-glass only
|
|
- do not disable Pangolin auth in front of Gitea until Authelia login is actually working end-to-end
|
|
|
|
## Related weak spot
|
|
|
|
The live Gitea app.ini observed on PD had public self-registration enabled. That should stay off for this homelab unless there is a deliberate reason to reopen it.
|