Gitea
Gitea is a community managed lightweight code hosting solution written in Go. It's the best self hosted Github alternative in my opinion.
Installation⚑
Gitea provides automatically updated Docker images within its Docker Hub organisation.
Disable the regular login, use only Oauth⚑
Inside your custom
directory which may be /var/lib/gitea/custom
:
- Create the directories
templates/user/auth
, - Create the
signin_inner.tmpl
file with the next contents:{{if or (not .LinkAccountMode) (and .LinkAccountMode .LinkAccountModeSignIn)}} {{template "base/alert" .}} {{end}} <h4 class="ui top attached header center"> {{if .LinkAccountMode}} {{.locale.Tr "auth.oauth_signin_title"}} {{else}} {{.locale.Tr "auth.login_userpass"}} {{end}} </h4> <div class="ui attached segment"> <form class="ui form" action="{{.SignInLink}}" method="post"> {{.CsrfTokenHtml}} {{if and .OrderedOAuth2Names .OAuth2Providers}} <div class="ui attached segment"> <div class="oauth2 center"> <div id="oauth2-login-loader" class="ui disabled centered loader"></div> <div> <div id="oauth2-login-navigator"> <p>Sign in with </p> {{range $key := .OrderedOAuth2Names}} {{$provider := index $.OAuth2Providers $key}} <a href="{{AppSubUrl}}/user/oauth2/{{$key}}"> <img alt="{{$provider.DisplayName}}{{if eq $provider.Name "openidConnect"}} ({{$key}}){{end}}" title="{{$provider.DisplayName}}{{if eq $provider.Name "openidConnect"}} ({{$key}}){{end}}" class="{{$provider.Name}} oauth-login-image" src="{{AppSubUrl}}{{$provider.Image}}" ></a> {{end}} </div> </div> </div> </div> {{end}} </form> </div>
- Download the
signin_inner.tmpl
Configure it with terraform⚑
Gitea can be configured through terraform too. There is an official provider that doesn't work, there's a fork that does though. Sadly it doesn't yet support configuring Oauth Authentication sources. Be careful gitea_oauth2_app
looks to be the right resource to do that, but instead it configures Gitea to be the Oauth provider, not a consumer.
To configure the provider you need to specify the url and a Gitea API token, keeping in mind that whoever gets access to this information will have access and full permissions on your Gitea instance it's critical that you store this information well. We'll use sops
to encrypt the token with GPG..
First create a Gitea user under Site Administration/User Accounts/
with the terraform
name (use your Oauth2 provider if you have one!).
Then log in with that user and create a token with name Terraform
under Settings/Applications
, copy it to your clipboard.
Configure sops
by defining the gpg keys in a .sops.yaml
file at the top of your repository:
---
creation_rules:
- pgp: >-
2829BASDFHWEGWG23WDSLKGL323534J35LKWERQS,
2GEFDBW349YHEDOH2T0GE9RH0NEORIG342RFSLHH
Then create the secrets file with the command sops secrets.enc.json
somewhere in your terraform repository. For example:
{
"gitea_token": "paste the token here"
}
terraform {
required_providers {
gitea = {
source = "Lerentis/gitea"
version = "~> 0.12.1"
}
sops = {
source = "carlpett/sops"
version = "~> 0.5"
}
}
}
provider "gitea" {
base_url = "https://gitea.your-domain.org"
token = data.sops_file.secrets.data["gitea_token"]
}
Create an organization⚑
If you manage your users externally for example with an Oauth2 provider like Authentik you don't need to create a resource for the users, use a data
instead:
resource "gitea_org" "docker_compose" {
name = "docker-compose"
}
resource "gitea_team" "docker_compose" {
name = "Developers"
organisation = gitea_org.docker_compose.name
permission = "owner"
members = [
data.gitea_user.lyz.username,
]
}
If you have many organizations that share the same users you can use variables.
resource "gitea_org" "docker_compose" {
name = "docker-compose"
}
resource "gitea_team" "docker_compose" {
name = "Developers"
organisation = gitea_org.docker_compose.name
permission = "owner"
members = [
data.gitea_user.lyz.username,
]
}
Create an admin user through the command line⚑
gitea --config /etc/gitea/app.ini admin user create --admin --email email --username user_name --password password
Or you can change the admin's password:
gitea --config /etc/gitea/app.ini admin user change-password -u username -p password