test openid redirection

2023-04-24 21:55:30 +02:00 · 2023-04-24 21:55:30 +02:00 · 43d2f45fd8
parent fa4f5c2d75
commit 43d2f45fd8
1 changed files with 28 additions and 16 deletions
--- a/pp-gitea.nix
+++ b/pp-gitea.nix
@ -12,10 +12,15 @@ in
      example = "git.example.com";
      description = "The domain of the server";
    };
-    disableRegistration = mkOption {
+    openIdEnable = mkOption {
      type = types.bool;
-      default = true;
-      description = "Must be set to `false` for the initial deployement";
+      default = false;
+      description = "If OpenId provider is setup and should be used exclusively.";
+    };
+    openIdClientName = mkOption {
+      type = types.str;
+      default = "";
+      description = "The name (id) of the openId client to use exclusively.";
    };
    customPackage = mkOption {
      type = types.package;
@ -38,8 +43,10 @@ in
    services.gitea.stateDir = "/var/lib/gitea"; # default value
    services.gitea.enable = true;
    services.gitea.rootUrl = "https://${cfg.domain}/";
-    services.gitea.settings.service.DISABLE_REGISTRATION = lib.mkForce cfg.disableRegistration; # Only set after initial deploy
    services.gitea.settings.session.COOKIE_SECURE = lib.mkForce true;        # Why do I need to override this???
+    services.gitea.settings.service.DISABLE_REGISTRATION = lib.mkForce (!cfg.openIdEnable);
+    services.gitea.settings.service.ALLOW_ONLY_EXTERNAL_REGISTRATION = cfg.openIdEnable;
+    services.gitea.settings.openid.ENABLE_OPENID_SIGNUP = cfg.openIdEnable;
    services.gitea.lfs.enable = true;
    services.gitea.domain = cfg.domain;
    # services.gitea.database.type = "postgres"; # Default is sqlite3, probably better for a small instance
@ -80,18 +87,23 @@ in
          "${cfg.domain}" = {
            forceSSL = true;
            enableACME = true;
-            locations."/" = {
-              proxyPass = "http://127.0.0.1:3000";
-              extraConfig = ''
-                proxy_set_header X-Forwarded-Host $host;
-                proxy_set_header X-Forwarded-Server $host;
-                proxy_set_header X-Real-IP $remote_addr;
-                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-                proxy_set_header X-Forwarded-Proto $scheme;
-                proxy_set_header Host $host;
-                proxy_pass_request_headers on;
-              '';
-            };
+            locations = lib.mkMerge [
+              ("/" = {
+                proxyPass = "http://127.0.0.1:3000";
+                extraConfig = ''
+                  proxy_set_header X-Forwarded-Host $host;
+                  proxy_set_header X-Forwarded-Server $host;
+                  proxy_set_header X-Real-IP $remote_addr;
+                  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+                  proxy_set_header X-Forwarded-Proto $scheme;
+                  proxy_set_header Host $host;
+                  proxy_pass_request_headers on;
+                '';
+              })
+              (lib.mkIf (cfg.openIdEnable) {
+                "/user/login" = { globalRedirect = "$host/${cfg.openIdClientName}"; };
+              })
+            ];
          };
        };
      };