Configure Gitea as private OAuth-enabled Git server with email support
Major Changes:
- Configure private Git server with OAuth-preferred authentication
- Integrate Titan Email for notifications and OAuth workflows
- Enable CI/CD Actions and repository mirroring
- Implement enhanced security hardening
Authentication & Access Control:
- Require sign-in for all access (unauthorized users blocked)
- OAuth via Authentik as primary login method (password form hidden)
- Password authentication still functional as backup via direct URL
- Registration disabled (admin-only user creation)
- Auto-registration for OAuth users with account linking support
Email Configuration (Titan Email):
- SMTP: smtp.titan.email:587 (STARTTLS)
- From address: hello@jnss.me
- Used for: OAuth account linking, notifications, confirmations
- Subject prefix: [Gitea]
Repository Privacy & Features:
- Private repositories by default (public repos allowed)
- Unauthorized users cannot view any content (must sign in)
- External integrations disabled (ext_issues, ext_wiki)
- Manual repository creation required (no push-to-create)
- LFS enabled for large file storage
Features Enabled:
- CI/CD Actions with GitHub actions support
- Repository mirroring (pull/push mirrors enabled)
- User organization creation
- Webhook security (restricted to private/loopback)
Security Enhancements:
- HTTPS-only session cookies with strict SameSite policy
- CSRF cookie HTTP-only protection
- Password breach checking (HaveIBeenPwned)
- 1-hour session timeout (reduced from 24h)
- Reverse proxy trust limited to Caddy only
- API Swagger docs disabled in production
Configuration Sections Added:
- [oauth2_client] - OAuth integration settings
- [mailer] - Email/SMTP configuration
- [session] - Enhanced session security
- [actions] - CI/CD workflow configuration
- [mirror] - Repository mirroring settings
- [api] - API access configuration
- [webhook] - Webhook security restrictions
- [service.explore] - Public content settings
Files Changed:
- roles/gitea/defaults/main.yml: +97 lines (OAuth, email, security vars)
- roles/gitea/templates/app.ini.j2: +94 lines (config sections)
- host_vars/arch-vps/vault.yml: +1 line (SMTP password - not committed)
Deployment Status:
- Successfully deployed to arch-vps
- Service running and healthy
- Ready for OAuth provider configuration in Authentik
- Tested: HTTP access, configuration generation, service health
Joakim
467e79c84b