gitops/plane: fix issuer on ingress

2026-01-16 13:21:15 +01:00
parent a20ae55b8f
commit b9f99c2950
37 changed files with 1332 additions and 31 deletions
--- a/docker-30/gitea/docker-compose.yaml
+++ b/docker-30/gitea/docker-compose.yaml
@@ -57,6 +57,15 @@ services:
      - GITEA__server__ROOT_URL=https://gitea.home.hrajfrisbee.cz
      - GITEA__security__SECRET_KEY=${GITEA_SECRET_KEY}
      - GITEA__security__INTERNAL_TOKEN=${INTERNAL_TOKEN}
+      - GITEA__mailer__ENABLED=true
+      - GITEA__mailer__PROTOCOL=smtps
+      - GITEA__mailer__SMTP_ADDR=smtp.gmail.com
+      - GITEA__mailer__SMTP_PORT=465
+      - GITEA__mailer__USER=kacerr.cz@gmail.com
+      - GITEA__mailer__PASSWD=${GMAIL_GITEA_APP_PASSWORD}
+      - GITEA__mailer__FROM=kacerr.cz+gitea@gmail.com
+      - GITEA__packages__ENABLED=true
+
      #- GITEA__storage__STORAGE_TYPE=minio
      #- GITEA__storage__MINIO_ENDPOINT=minio:9000
      #- GITEA__storage__MINIO_ACCESS_KEY_ID=gitea
@@ -83,7 +92,7 @@ services:
    depends_on:
      - gitea
    environment:
-      GITEA_INSTANCE_URL: http://gitea:3000
+      GITEA_INSTANCE_URL: https://gitea.home.hrajfrisbee.cz/
      GITEA_RUNNER_REGISTRATION_TOKEN: ${RUNNER_TOKEN}
    volumes:
      - ./runner-data:/data
--- a/docker-30/kanidm/readme.md
+++ b/docker-30/kanidm/readme.md
@@ -54,6 +54,50 @@ kanidm person get novakj | grep memberof
 kanidm group get idm_people_self_name_write
 ```

+## configure oauth proxy
+
+```bash
+kanidm system oauth2 create oauth2-proxy "OAuth2 Proxy" https://oauth2-proxy.lab.home.hrajfrisbee.cz/oauth2/callback
+kanidm system oauth2 set-landing-url oauth2-proxy https://oauth2-proxy.lab.home.hrajfrisbee.cz
+kanidm system oauth2 enable-pkce oauth2-proxy
+kanidm system oauth2 warning-insecure-client-disable-pkce oauth2-proxy  # if proxy doesn't support PKCE
+kanidm system oauth2 get oauth2-proxy  # note the client secret
+
+# update incorrect urls if needed
+remove-redirect-url
+kanidm system oauth2 add-redirect-url oauth2-proxy https://oauth2-proxy.lab.home.hrajfrisbee.cz/oauth2/callback
+kanidm system oauth2 set-landing-url oauth2-proxy https://oauth2-proxy.lab.home.hrajfrisbee.cz
+
+# output
+✔ Multiple authentication tokens exist. Please select one · idm_admin@idm.home.hrajfrisbee.cz
+---
+class: account
+class: key_object
+class: key_object_internal
+class: key_object_jwe_a128gcm
+class: key_object_jwt_es256
+class: memberof
+class: oauth2_resource_server
+class: oauth2_resource_server_basic
+class: object
+displayname: OAuth2 Proxy
+key_internal_data: 69df0a387991455f7c9800f13b881803: valid jwe_a128gcm 0
+key_internal_data: c5f61c48a9c0eb61ba993a36748826cc: valid jws_es256 0
+name: oauth2-proxy
+oauth2_allow_insecure_client_disable_pkce: true
+oauth2_rs_basic_secret: hidden
+oauth2_rs_origin_landing: https://oauth2-proxylab.home.hrajfrisbee.cz/
+oauth2_strict_redirect_uri: true
+spn: oauth2-proxy@idm.home.hrajfrisbee.cz
+uuid: d0dcbad5-90e4-4e36-a51b-653624069009
+
+secret: 7KJbUe5x35NVCT1VbzZfhYBU19cz9Xe9Z1fvw4WazrkHX2c8
+
+
+
+kanidm system oauth2 update-scope-map oauth2-proxy k8s_users openid profile email 
+```
+


 ```bash