test openid redirection

pp-gitea.nix

@@ -12,10 +12,15 @@ in
       example = "git.example.com";
       description = "The domain of the server";
     };
-    disableRegistration = mkOption {
+    openIdEnable = mkOption {
       type = types.bool;
-      default = true;
+      default = false;
-      description = "Must be set to `false` for the initial deployement";
+      description = "If OpenId provider is setup and should be used exclusively.";
+    };
+    openIdClientName = mkOption {
+      type = types.str;
+      default = "";
+      description = "The name (id) of the openId client to use exclusively.";
     };
     customPackage = mkOption {
       type = types.package;
@@ -38,8 +43,10 @@ in
     services.gitea.stateDir = "/var/lib/gitea"; # default value
     services.gitea.enable = true;
     services.gitea.rootUrl = "https://${cfg.domain}/";
-    services.gitea.settings.service.DISABLE_REGISTRATION = lib.mkForce cfg.disableRegistration; # Only set after initial deploy
     services.gitea.settings.session.COOKIE_SECURE = lib.mkForce true;        # Why do I need to override this???
+    services.gitea.settings.service.DISABLE_REGISTRATION = lib.mkForce (!cfg.openIdEnable);
+    services.gitea.settings.service.ALLOW_ONLY_EXTERNAL_REGISTRATION = cfg.openIdEnable;
+    services.gitea.settings.openid.ENABLE_OPENID_SIGNUP = cfg.openIdEnable;
     services.gitea.lfs.enable = true;
     services.gitea.domain = cfg.domain;
     # services.gitea.database.type = "postgres"; # Default is sqlite3, probably better for a small instance
@@ -92,6 +99,9 @@ in
                 proxy_pass_request_headers on;
               '';
             };
+            locations."/user/login" = lib.mkIf (cfg.openIdEnable) {
+              globalRedirect = "$host/${cfg.openIdClientName}";
+            };
           };
         };
       };