2.3 KiB
2.3 KiB
Gitea SSO Prep
This is the staged cutover plan for moving the live PD Gitea instance to Authelia-backed sign-in without flipping it live yet.
Current live shape
- stack path:
dev/ - public URL:
https://gitea.paccoco.com - internal HTTP:
http://gitea:3000on thepangolinnetwork - shared Postgres backend already in use
- Gitea version observed live on PD:
1.25.3
Safe hardening before SSO
- disable public self-registration
- keep normal local admin login working until Authelia sign-in is proven
- do not change
ROOT_URLor SSH settings during the auth cutover
Authelia side
Add a dedicated OIDC client for Gitea in the live Authelia configuration.yml when ready to test.
Recommended values:
client_id:giteaclient_name:Giteaauthorization_policy:one_factorscopes:openid,profile,email,groupsgrant_types:authorization_coderesponse_types:codetoken_endpoint_auth_method:client_secret_basic
Redirect URI guidance:
- use the callback URL shown by the Gitea authentication-source form
- for standard Gitea OIDC sources this is typically under
/user/oauth2/<source-name>/callback - validate the exact callback path against the live Gitea UI before committing the Authelia client entry
Gitea side
In Gitea:
- Sign in as a local admin.
- Go to
Site Administration->Authentication Sources. - Add a new source of type
OpenID Connect. - Use Authelia discovery if the form supports it, otherwise enter the manual endpoints from
https://auth.paccoco.com/.well-known/openid-configuration.
Recommended source values:
- name:
Authelia - scopes:
openid profile email groups - required claim mapping priority: email first, then username/login
- keep the source enabled only after confirming the callback URL matches the Authelia client entry
Rollout notes
- keep local admin auth available for the first pass
- test with one admin account first
- after successful sign-in, decide whether to keep local auth as break-glass only
- do not disable Pangolin auth in front of Gitea until Authelia login is actually working end-to-end
Related weak spot
The live Gitea app.ini observed on PD had public self-registration enabled. That should stay off for this homelab unless there is a deliberate reason to reopen it.