Configure Gitea as private OAuth-enabled Git server with email support
Major Changes: - Configure private Git server with OAuth-preferred authentication - Integrate Titan Email for notifications and OAuth workflows - Enable CI/CD Actions and repository mirroring - Implement enhanced security hardening Authentication & Access Control: - Require sign-in for all access (unauthorized users blocked) - OAuth via Authentik as primary login method (password form hidden) - Password authentication still functional as backup via direct URL - Registration disabled (admin-only user creation) - Auto-registration for OAuth users with account linking support Email Configuration (Titan Email): - SMTP: smtp.titan.email:587 (STARTTLS) - From address: hello@jnss.me - Used for: OAuth account linking, notifications, confirmations - Subject prefix: [Gitea] Repository Privacy & Features: - Private repositories by default (public repos allowed) - Unauthorized users cannot view any content (must sign in) - External integrations disabled (ext_issues, ext_wiki) - Manual repository creation required (no push-to-create) - LFS enabled for large file storage Features Enabled: - CI/CD Actions with GitHub actions support - Repository mirroring (pull/push mirrors enabled) - User organization creation - Webhook security (restricted to private/loopback) Security Enhancements: - HTTPS-only session cookies with strict SameSite policy - CSRF cookie HTTP-only protection - Password breach checking (HaveIBeenPwned) - 1-hour session timeout (reduced from 24h) - Reverse proxy trust limited to Caddy only - API Swagger docs disabled in production Configuration Sections Added: - [oauth2_client] - OAuth integration settings - [mailer] - Email/SMTP configuration - [session] - Enhanced session security - [actions] - CI/CD workflow configuration - [mirror] - Repository mirroring settings - [api] - API access configuration - [webhook] - Webhook security restrictions - [service.explore] - Public content settings Files Changed: - roles/gitea/defaults/main.yml: +97 lines (OAuth, email, security vars) - roles/gitea/templates/app.ini.j2: +94 lines (config sections) - host_vars/arch-vps/vault.yml: +1 line (SMTP password - not committed) Deployment Status: - Successfully deployed to arch-vps - Service running and healthy - Ready for OAuth provider configuration in Authentik - Tested: HTTP access, configuration generation, service health
This commit is contained in:
@@ -57,9 +57,100 @@ gitea_run_mode: "prod"
|
||||
gitea_default_branch: "main"
|
||||
gitea_enable_lfs: true
|
||||
|
||||
# Security settings
|
||||
gitea_disable_registration: false
|
||||
gitea_require_signin: false
|
||||
# =================================================================
|
||||
# Private Git Server & OAuth Configuration
|
||||
# =================================================================
|
||||
|
||||
# Access Control - Private server with public repos allowed
|
||||
gitea_disable_registration: true # No public registration (admin only)
|
||||
gitea_require_signin: true # Require sign-in (unauthorized users read-only)
|
||||
gitea_show_registration_button: false # Hide registration UI
|
||||
|
||||
# OAuth Configuration - Preferred but not forced
|
||||
gitea_enable_password_signin: false # Hide password login form
|
||||
gitea_enable_basic_auth: true # Keep password API auth as backup
|
||||
gitea_oauth2_auto_registration: true # Auto-create OAuth users
|
||||
gitea_oauth2_account_linking: "login" # Show account linking page
|
||||
gitea_oauth2_username_source: "preferred_username"
|
||||
gitea_oauth2_update_avatar: true
|
||||
gitea_oauth2_scopes: "profile,email,groups"
|
||||
gitea_oauth2_register_email_confirm: false
|
||||
|
||||
# =================================================================
|
||||
# Email Configuration (Titan Email via Hostinger)
|
||||
# =================================================================
|
||||
|
||||
gitea_mailer_enabled: true
|
||||
gitea_mailer_protocol: "smtp+starttls" # Port 587 with STARTTLS
|
||||
gitea_smtp_addr: "smtp.titan.email"
|
||||
gitea_smtp_port: 587
|
||||
gitea_mailer_from: "hello@jnss.me"
|
||||
gitea_mailer_user: "hello@jnss.me"
|
||||
gitea_mailer_password: "{{ vault_gitea_smtp_password }}"
|
||||
gitea_mailer_subject_prefix: "[Gitea]"
|
||||
|
||||
# =================================================================
|
||||
# Enhanced Security Settings
|
||||
# =================================================================
|
||||
|
||||
# Session Security
|
||||
gitea_session_provider: "file"
|
||||
gitea_session_cookie_name: "gitea_session"
|
||||
gitea_session_life_time: 3600 # 1 hour
|
||||
gitea_cookie_secure: true # HTTPS-only cookies
|
||||
gitea_session_same_site: "strict" # Strict CSRF protection
|
||||
|
||||
# Security Hardening
|
||||
gitea_csrf_cookie_httponly: true # Prevent XSS on CSRF token
|
||||
gitea_password_check_pwn: true # Check password breach database
|
||||
gitea_reverse_proxy_limit: 1 # Trust only one proxy (Caddy)
|
||||
gitea_reverse_proxy_trusted_proxies: "127.0.0.0/8,::1/128"
|
||||
|
||||
# =================================================================
|
||||
# Repository Configuration
|
||||
# =================================================================
|
||||
|
||||
# Privacy Defaults (private by default, public allowed)
|
||||
gitea_default_private: "private" # New repos are private
|
||||
gitea_default_push_create_private: true # Push-created repos are private
|
||||
# Note: NOT setting gitea_force_private - allows public repos
|
||||
|
||||
# Repository Features
|
||||
gitea_disabled_repo_units: "repo.ext_issues,repo.ext_wiki"
|
||||
gitea_enable_push_create_user: false # Require manual repo creation
|
||||
gitea_enable_push_create_org: false
|
||||
|
||||
# =================================================================
|
||||
# Features & Capabilities
|
||||
# =================================================================
|
||||
|
||||
# CI/CD Actions
|
||||
gitea_actions_enabled: true # Enable Gitea Actions
|
||||
gitea_actions_default_url: "github" # Use GitHub actions
|
||||
gitea_actions_log_retention_days: 90
|
||||
gitea_actions_artifact_retention_days: 30
|
||||
|
||||
# Repository Mirroring
|
||||
gitea_mirror_enabled: true
|
||||
gitea_mirror_default_interval: "8h"
|
||||
gitea_mirror_min_interval: "1h"
|
||||
|
||||
# Organization & User Management
|
||||
gitea_allow_create_org: true # Users can create orgs
|
||||
|
||||
# API Configuration
|
||||
gitea_api_swagger_enabled: false # Disable API docs
|
||||
|
||||
# Webhook Security
|
||||
gitea_webhook_allowed_hosts: "private,loopback"
|
||||
gitea_webhook_skip_tls_verify: false
|
||||
gitea_webhook_deliver_timeout: 5
|
||||
|
||||
# =================================================================
|
||||
# Service Explore Configuration
|
||||
# =================================================================
|
||||
|
||||
gitea_explore_require_signin: false # Allow browsing public content
|
||||
|
||||
# =================================================================
|
||||
# SSH Mode Configuration
|
||||
|
||||
Reference in New Issue
Block a user