authorFranck Cuny <franck@fcuny.net>2025-08-14 10:18:27 -0700
committerFranck Cuny <franck@fcuny.net>2025-08-14 10:18:27 -0700
commit1ccee14d3cfd66d8bd17270118f55662bb42d91d (patch)
treeff32b89c292c65b2d2f1d561b4b7c00abd33c206
parentinitial setup for forgejo and caddy (diff)
downloadinfra-1ccee14d3cfd66d8bd17270118f55662bb42d91d.tar.gz
add keycloak for OAuth, runbooks, and finish forgejo setup
-rw-r--r--docs/forgejo.org5
-rw-r--r--docs/keycloak.org24
-rw-r--r--machines/nixos/x86_64-linux/do-rproxy/profiles/caddy.nix14
-rw-r--r--machines/nixos/x86_64-linux/synology-vm/default.nix2
-rw-r--r--machines/nixos/x86_64-linux/synology-vm/profiles/forgejo.nix75
-rw-r--r--machines/nixos/x86_64-linux/synology-vm/profiles/git-server.nix40
-rw-r--r--machines/nixos/x86_64-linux/synology-vm/profiles/keycloak.nix18
-rw-r--r--secrets/forgejo-fastmail.age7
-rw-r--r--secrets/keycloak-db-password.age7
-rw-r--r--secrets/secrets.nix8
10 files changed, 156 insertions, 44 deletions
diff --git a/docs/forgejo.org b/docs/forgejo.org
new file mode 100644
index 0000000..28edec1
--- /dev/null
+++ b/docs/forgejo.org
@@ -0,0 +1,5 @@
+* Forgejo
+
+Running at https://code.fcuny.net
+
+Reverse proxy on the digital ocean host.
diff --git a/docs/keycloak.org b/docs/keycloak.org
new file mode 100644
index 0000000..e29350f
--- /dev/null
+++ b/docs/keycloak.org
@@ -0,0 +1,24 @@
+* Keycloak
+
+Running at id.fcuny.net
+
+There's an admin user in 1password.
+
+** Client for forgejo
+- create a client with name =forgejo=
+- set root URL to =https://code.fcuny.net=
+- set home URL to =https://code.fcuny.net=
+- set valid redirects URL to =https://code.fcuny.net*=
+- set web origins to =https://code.fcuny.net=
+- set admin URL to https://code.fcuny.net
+- set client authentication to =on=
+- keep =standard flow= checked and nothing else
+*** forgejo configuration
+- create a new authentication source under https://code.fcuny.net/admin/auths
+- choose OAuth2
+- set the name to =id.fcuny.net=
+- set OAuth2 provider to OpenID Connect
+- configure the OpenID realm to =https://id.fcuny.net/realms/master/.well-known/openid-configuration=
+- the client ID is =forgejo=
+- the client secret is in the =credentials= tab in forgejo for the client
+- select =skip local 2FA=
diff --git a/machines/nixos/x86_64-linux/do-rproxy/profiles/caddy.nix b/machines/nixos/x86_64-linux/do-rproxy/profiles/caddy.nix
index 7fab370..d426a53 100644
--- a/machines/nixos/x86_64-linux/do-rproxy/profiles/caddy.nix
+++ b/machines/nixos/x86_64-linux/do-rproxy/profiles/caddy.nix
@@ -16,6 +16,13 @@
reloadServices = [ "caddy.service" ];
credentialFiles.CF_DNS_API_TOKEN_FILE = config.age.secrets."cloudflare-caddy".path;
};
+ "id.fcuny.net" = {
+ domain = "id.fcuny.net";
+ dnsProvider = "cloudflare";
+ dnsResolver = "1.1.1.1";
+ reloadServices = [ "caddy.service" ];
+ credentialFiles.CF_DNS_API_TOKEN_FILE = config.age.secrets."cloudflare-caddy".path;
+ };
};
};
@@ -39,6 +46,13 @@
reverse_proxy 10.100.0.40:3000
'';
};
+ auth = {
+ hostName = "id.fcuny.net";
+ useACMEHost = "id.fcuny.net";
+ extraConfig = ''
+ reverse_proxy 10.100.0.40:8080
+ '';
+ };
};
};
}
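Review bot: The new `auth` vhost forwards the entire id.fcuny.net namespace to Keycloak, so the admin console and admin REST API under `/admin` become reachable from the public internet together with the realm endpoints that Forgejo actually needs. Keycloak's `hostname-admin` setting (serving the console on a separate, non-public hostname) or a matcher in this `extraConfig` — e.g. `@admin path /admin*` followed by `abort @admin`, or a `remote_ip` allow-list on the same matcher — keeps the admin surface off the public vhost while leaving the OIDC flow intact. A one-line comment on the `auth` block stating how the admin console is meant to be reached would make that decision explicit for the next reader.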
diff --git a/machines/nixos/x86_64-linux/synology-vm/default.nix b/machines/nixos/x86_64-linux/synology-vm/default.nix
index 028905b..2da20c3 100644
--- a/machines/nixos/x86_64-linux/synology-vm/default.nix
+++ b/machines/nixos/x86_64-linux/synology-vm/default.nix
@@ -35,8 +35,8 @@
"${self}/profiles/network/firewall.nix"
"${self}/profiles/services/podman.nix"
"${self}/profiles/programs/fish.nix"
- ./profiles/git-server.nix
./profiles/forgejo.nix
+ ./profiles/keycloak.nix
];
boot.loader.efi.canTouchEfiVariables = true;
diff --git a/machines/nixos/x86_64-linux/synology-vm/profiles/forgejo.nix b/machines/nixos/x86_64-linux/synology-vm/profiles/forgejo.nix
index b9dac30..a323981 100644
--- a/machines/nixos/x86_64-linux/synology-vm/profiles/forgejo.nix
+++ b/machines/nixos/x86_64-linux/synology-vm/profiles/forgejo.nix
@@ -1,23 +1,92 @@
-{ ... }:
+{ self, config, ... }:
{
+ age.secrets.forgejo-fastmail = {
+ file = "${self}/secrets/forgejo-fastmail.age";
+ };
+
services.forgejo = {
enable = true;
database.type = "postgres";
lfs.enable = false;
+ secrets = {
+ mailer.PASSWD = config.age.secrets.forgejo-fastmail.path;
+ };
settings = {
- session.COOKIE_SECURE = true;
+ DEFAULT.APP_NAME = "¯\\_(ツ)_/¯";
+ session = {
+ COOKIE_SECURE = true;
+ PROVIDER = "db";
+ PROVIDER_CONFIG = "";
+ SESSION_LIFE_TIME = 86400 * 5;
+ };
server = {
DOMAIN = "code.fcuny.net";
ROOT_URL = "https://code.fcuny.net";
HTTP_PORT = 3000;
HTTP_ADDR = "10.100.0.40";
+ LANDING_PAGE = "explore";
+ };
+ mailer = {
+ ENABLED = true;
+ PROTOCOL = "smtp+starttls";
+ FROM = "code <forgejo@code.fcuny.net>";
+ USER = "franck@fcuny.net";
+ SMTP_ADDR = "smtp.fastmail.com";
};
metrics = {
ENABLED = true;
ENABLED_ISSUE_BY_LABEL = true;
ENABLED_ISSUE_BY_REPOSITORY = true;
};
- service.DISABLE_REGISTRATION = true;
+ service = {
+ REGISTER_EMAIL_CONFIRM = true;
+ DISABLE_REGISTRATION = true;
+ ALLOW_ONLY_EXTERNAL_REGISTRATION = false;
+ SHOW_REGISTRATION_BUTTON = true;
+ };
+ openid = {
+ ENABLE_OPENID_SIGNIN = true;
+ ENABLE_OPENID_SIGNUP = true;
+ };
+ oauth2_client = {
+ REGISTER_EMAIL_CONFIRM = false;
+ ENABLE_AUTO_REGISTRATION = true;
+ USERNAME = "preferred_username";
+ ACCOUNT_LINKING = "auto";
+ };
+ repository = {
+ DEFAULT_PRIVATE = "public";
+ DEFAULT_PUSH_CREATE_PRIVATE = true;
+ ENABLE_PUSH_CREATE_USER = true;
+ PREFERRED_LICENSES = "GPL-3.0-or-later,MIT";
+ DEFAULT_REPO_UNITS = "repo.code,repo.issues,repo.pulls";
+ DISABLE_STARS = true; # self-hosting so, doesn't make sense
+ };
+ "service.explore" = {
+ DISABLE_USERS_PAGE = true;
+ };
+ federation = {
+ ENABLED = true;
+ };
+ ui = {
+ # To protect privacy of users.
+ SHOW_USER_EMAIL = false;
+ };
};
};
+
+ my.modules.backups = {
+ local.paths = [ "/var/lib/forgejo" ];
+ local.exclude = [
+ "/var/lib/forgejo/data/indexers"
+ "/var/lib/forgejo/data/repo-archive"
+ "/var/lib/forgejo/data/tmp"
+ ];
+ remote.paths = [ "/var/lib/forgejo" ];
+ remote.exclude = [
+ "/var/lib/forgejo/data/indexers"
+ "/var/lib/forgejo/data/repo-archive"
+ "/var/lib/forgejo/data/tmp"
+ ];
+ };
}
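Review bot: The new `openid` section enables legacy OpenID 2.0 sign-in and sign-up, which is a second, unrelated login path from the OIDC auth source described in docs/keycloak.org (that one is driven by the `oauth2_client` section), so unless OpenID 2.0 is intentionally wanted this should read `ENABLE_OPENID_SIGNIN = false;` and `ENABLE_OPENID_SIGNUP = false;` or be dropped. `ACCOUNT_LINKING = "auto"` links an OAuth2 login to an existing local account when the username or email matches, which is only reasonable because Keycloak is the sole provider and controls those claims; a comment next to that line recording the assumption would help. `SHOW_REGISTRATION_BUTTON = true` beside `DISABLE_REGISTRATION = true` looks contradictory, and I cannot tell from here how Forgejo resolves the two, so confirm the intended behaviour and document it in place. `federation.ENABLED = true` also exposes ActivityPub endpoints on a public host; if federation is not needed yet, leaving it off reduces the surface.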
diff --git a/machines/nixos/x86_64-linux/synology-vm/profiles/git-server.nix b/machines/nixos/x86_64-linux/synology-vm/profiles/git-server.nix
deleted file mode 100644
index 6f523a8..0000000
--- a/machines/nixos/x86_64-linux/synology-vm/profiles/git-server.nix
+++ /dev/null
@@ -1,40 +0,0 @@
-{ pkgs, ... }:
-{
- services.gitolite = {
- enable = true;
- adminPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBkozy+X96u5ciX766bJ/AyQ3xm1tXZTIr5+4PVFZFi";
- user = "git";
- group = "git";
- extraGitoliteRc = ''
- # Make dirs/files group readable, needed for webserver/cgit. (Default
- # setting is 0077.)
- $RC{UMASK} = 0027;
- $RC{GIT_CONFIG_KEYS} = 'cgit.desc cgit.hide cgit.ignore cgit.owner';
- $RC{LOCAL_CODE} = "$rc{GL_ADMIN_BASE}/local";
- push( @{$RC{ENABLE}}, 'symbolic-ref' );
- '';
- };
-
- # let's make sure the default branch is `main'.
- systemd.tmpfiles.rules = [
- "C /var/lib/gitolite/.gitconfig - git git 0644 ${pkgs.writeText "gitolite-gitconfig" ''
- [init]
- defaultBranch = main
- ''}"
- ];
-
- my.modules.backups = {
- local.paths = [ "/var/lib/gitolite" ];
- local.exclude = [
- "/var/lib/gitolite/.bash_history"
- "/var/lib/gitolite/.ssh"
- "/var/lib/gitolite/.viminfo"
- ];
- remote.paths = [ "/var/lib/gitolite" ];
- remote.exclude = [
- "/var/lib/gitolite/.bash_history"
- "/var/lib/gitolite/.ssh"
- "/var/lib/gitolite/.viminfo"
- ];
- };
-}
diff --git a/machines/nixos/x86_64-linux/synology-vm/profiles/keycloak.nix b/machines/nixos/x86_64-linux/synology-vm/profiles/keycloak.nix
new file mode 100644
index 0000000..fc1fe2d
--- /dev/null
+++ b/machines/nixos/x86_64-linux/synology-vm/profiles/keycloak.nix
@@ -0,0 +1,18 @@
+{ config, self, ... }:
+{
+ age.secrets.keycloak-db-password = {
+ file = "${self}/secrets/keycloak-db-password.age";
+ };
+
+ services.keycloak = {
+ enable = true;
+ database.passwordFile = config.age.secrets.keycloak-db-password.path;
+ settings = {
+ hostname = "id.fcuny.net";
+ http-host = "10.100.0.40";
+ http-port = 8080;
+ proxy-headers = "xforwarded";
+ http-enabled = true;
+ };
+ };
+}
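Review bot: `proxy-headers = "xforwarded"` makes Keycloak trust X-Forwarded-* from any peer able to reach 10.100.0.40:8080, and with `http-enabled = true` that listener is plain HTTP, so client-IP logging, brute-force detection and the redirect scheme all rest on only the Caddy host being able to reach it. The commit adds no firewall scoping for 8080 (nor 3000); if the imported firewall profile does not already restrict these to the proxy address, a rule such as `networking.firewall.interfaces.<iface>.allowedTCPPorts` limited to the overlay interface, or `proxy-trusted-addresses` where the deployed Keycloak version supports it, would remove that assumption. The 10.100.0.0/24 addressing suggests a private overlay between the two machines, but nothing in the hunk shows whether that leg is encrypted, so a comment on the `http-enabled` line stating which network it is bound to is worth adding.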
diff --git a/secrets/forgejo-fastmail.age b/secrets/forgejo-fastmail.age
new file mode 100644
index 0000000..bad24e6
--- /dev/null
+++ b/secrets/forgejo-fastmail.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 pFjJaA 9HXFxgGpjGDd9rqy/DEjPy57PMFaZ7s5lDs3GLrZ5Qk
+JO/g/1Xa59EKypv5xP9ZuhubrsGOlCbAUNYiP9YoDlA
+-> ssh-ed25519 qRUWSw zBrF/AGY/V7AYHzC95QW7bR5+TJOsNIuTQnPPM87jxc
+kRJnf+N/MLaRdZsEL1vdp5RADozFAGLhZ4J7vIib9og
+--- xeV5vUs0X53ENCgbiUxnQltC/h4hDstEBlvN8GM3YZw
+Ju5W+gO$7>}hyf0Ps>eKi=J6H \ No newline at end of file
diff --git a/secrets/keycloak-db-password.age b/secrets/keycloak-db-password.age
new file mode 100644
index 0000000..6ac0e85
--- /dev/null
+++ b/secrets/keycloak-db-password.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 pFjJaA cmAZbTltBmkWqUjWnr57vyxGl+5c96bxME0SS6w7ozs
+7bu8taoNlffYBuhKAhQ4bid2fRs45IYKgIZmiJKX9xk
+-> ssh-ed25519 qRUWSw 3c8Lqxx5rVaUBG3J05ffcNHP7I4Rq4kEvKQQgC29nxE
+R9EojU4XpWpBnTCWEF4p94SGGQ0TZwI8BBxRlg+/6hc
+--- AK9ErFYwVcMqqejL/qAHVt7se+s9LSdiMBarumrwRZg
+y\hGprO֭bb4A{`\.b){ m_ \ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 0c88cb7..5415ae0 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -9,6 +9,14 @@ let
};
in
{
+ "forgejo-fastmail.age".publicKeys = [
+ users.fcuny
+ hosts.vm-synology
+ ];
+ "keycloak-db-password.age".publicKeys = [
+ users.fcuny
+ hosts.vm-synology
+ ];
"cloudflare-caddy.age".publicKeys = [
users.fcuny
hosts.do