From e404490e7519e852e9e424f76e0101449cde5c4f Mon Sep 17 00:00:00 2001 From: Arunavo Ray Date: Thu, 28 Aug 2025 09:26:23 +0530 Subject: [PATCH] added LFS ENV var --- docker-compose.authentik.yml | 174 ++++++++++++++++++++++++++++++ docker-compose.keycloak.yml | 135 ++++++++++++++++++++++-- docs/ENVIRONMENT_VARIABLES.md | 13 ++- scripts/setup-authentik-test.sh | 180 ++++++++++++++++++++++++++++++++ 4 files changed, 490 insertions(+), 12 deletions(-) create mode 100644 docker-compose.authentik.yml create mode 100755 scripts/setup-authentik-test.sh diff --git a/docker-compose.authentik.yml b/docker-compose.authentik.yml new file mode 100644 index 0000000..a4d3b3e --- /dev/null +++ b/docker-compose.authentik.yml 
@@ -0,0 +1,174 @@ +version: "3.8" + +services: + # PostgreSQL database for Authentik + authentik-db: + image: postgres:15-alpine + container_name: authentik-db + restart: unless-stopped + environment: + POSTGRES_USER: authentik + POSTGRES_PASSWORD: authentik-db-password + POSTGRES_DB: authentik + volumes: + - authentik-db-data:/var/lib/postgresql/data + networks: + - authentik-net + healthcheck: + test: ["CMD-SHELL", "pg_isready -U authentik"] + interval: 10s + timeout: 5s + retries: 5 + + # Redis cache for Authentik + authentik-redis: + image: redis:7-alpine + container_name: authentik-redis + restart: unless-stopped + command: redis-server --save 60 1 --loglevel warning + volumes: + - authentik-redis-data:/data + networks: + - authentik-net + healthcheck: + test: ["CMD", "redis-cli", "ping"] + interval: 10s + timeout: 5s + retries: 5 + + # Authentik Server + authentik-server: + image: ghcr.io/goauthentik/server:2024.2 + container_name: authentik-server + restart: unless-stopped + command: server + environment: + # Core Settings + AUTHENTIK_SECRET_KEY: "change-me-to-a-random-50-char-string-for-production" + AUTHENTIK_ERROR_REPORTING__ENABLED: false + + # Database + AUTHENTIK_POSTGRESQL__HOST: authentik-db + AUTHENTIK_POSTGRESQL__USER: authentik + AUTHENTIK_POSTGRESQL__NAME: authentik + AUTHENTIK_POSTGRESQL__PASSWORD: authentik-db-password + + # Redis + AUTHENTIK_REDIS__HOST: authentik-redis + + # Email (optional - for testing, uses console backend) + AUTHENTIK_EMAIL__HOST: localhost + AUTHENTIK_EMAIL__PORT: 25 + AUTHENTIK_EMAIL__USE_TLS: false + AUTHENTIK_EMAIL__USE_SSL: false + AUTHENTIK_EMAIL__TIMEOUT: 10 + AUTHENTIK_EMAIL__FROM: authentik@localhost + + # Log Level + AUTHENTIK_LOG_LEVEL: info + + # Disable analytics + AUTHENTIK_DISABLE_UPDATE_CHECK: true + AUTHENTIK_DISABLE_STARTUP_ANALYTICS: true + + # Default admin user (only created on first run) + AUTHENTIK_BOOTSTRAP_PASSWORD: admin-password + AUTHENTIK_BOOTSTRAP_TOKEN: initial-admin-token + 
AUTHENTIK_BOOTSTRAP_EMAIL: admin@example.com + volumes: + - authentik-media:/media + - authentik-templates:/templates + ports: + - "9000:9000" # HTTP + - "9443:9443" # HTTPS (if configured) + networks: + - authentik-net + - gitea-mirror-net + depends_on: + authentik-db: + condition: service_healthy + authentik-redis: + condition: service_healthy + + # Authentik Worker (background tasks) + authentik-worker: + image: ghcr.io/goauthentik/server:2024.2 + container_name: authentik-worker + restart: unless-stopped + command: worker + environment: + # Same environment as server + AUTHENTIK_SECRET_KEY: "change-me-to-a-random-50-char-string-for-production" + AUTHENTIK_ERROR_REPORTING__ENABLED: false + AUTHENTIK_POSTGRESQL__HOST: authentik-db + AUTHENTIK_POSTGRESQL__USER: authentik + AUTHENTIK_POSTGRESQL__NAME: authentik + AUTHENTIK_POSTGRESQL__PASSWORD: authentik-db-password + AUTHENTIK_REDIS__HOST: authentik-redis + AUTHENTIK_EMAIL__HOST: localhost + AUTHENTIK_EMAIL__PORT: 25 + AUTHENTIK_EMAIL__USE_TLS: false + AUTHENTIK_EMAIL__USE_SSL: false + AUTHENTIK_EMAIL__TIMEOUT: 10 + AUTHENTIK_EMAIL__FROM: authentik@localhost + AUTHENTIK_LOG_LEVEL: info + AUTHENTIK_DISABLE_UPDATE_CHECK: true + AUTHENTIK_DISABLE_STARTUP_ANALYTICS: true + volumes: + - authentik-media:/media + - authentik-templates:/templates + networks: + - authentik-net + depends_on: + authentik-db: + condition: service_healthy + authentik-redis: + condition: service_healthy + + # Gitea Mirror Application (uncomment to run together) + # gitea-mirror: + # build: . 
+ # # OR use pre-built image: + # # image: ghcr.io/raylabshq/gitea-mirror:latest + # container_name: gitea-mirror + # restart: unless-stopped + # environment: + # # Core Settings + # BETTER_AUTH_URL: http://localhost:4321 + # BETTER_AUTH_TRUSTED_ORIGINS: http://localhost:4321,http://localhost:9000 + # BETTER_AUTH_SECRET: "your-32-character-secret-key-here" + # + # # GitHub Settings (configure as needed) + # GITHUB_USERNAME: ${GITHUB_USERNAME} + # GITHUB_TOKEN: ${GITHUB_TOKEN} + # + # # Gitea Settings (configure as needed) + # GITEA_URL: ${GITEA_URL} + # GITEA_USERNAME: ${GITEA_USERNAME} + # GITEA_TOKEN: ${GITEA_TOKEN} + # volumes: + # - ./data:/app/data + # ports: + # - "4321:4321" + # networks: + # - gitea-mirror-net + # depends_on: + # - authentik-server + +volumes: + authentik-db-data: + name: authentik-db-data + authentik-redis-data: + name: authentik-redis-data + authentik-media: + name: authentik-media + authentik-templates: + name: authentik-templates + +networks: + authentik-net: + name: authentik-net + driver: bridge + gitea-mirror-net: + name: gitea-mirror-net + driver: bridge \ No newline at end of file diff --git a/docker-compose.keycloak.yml b/docker-compose.keycloak.yml index 4e8379a..93df27c 100644 --- a/docker-compose.keycloak.yml +++ b/docker-compose.keycloak.yml 
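Review bot: Every secret in this compose file is a fixed literal — `POSTGRES_PASSWORD: authentik-db-password`, `AUTHENTIK_SECRET_KEY: "change-me-to-a-random-50-char-string-for-production"` (repeated in authentik-server and authentik-worker) and `AUTHENTIK_BOOTSTRAP_TOKEN: initial-admin-token` — and nothing here references the `AUTHENTIK_SECRET_KEY` / `AUTHENTIK_DB_PASSWORD` values that scripts/setup-authentik-test.sh generates into `.env.authentik` and passes with `--env-file`, so the generated secrets are never used and every deployment shares the same signing key and a predictable admin API token. Wire them through with substitution that fails when unset, e.g. `AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY:?set in .env.authentik}` and `POSTGRES_PASSWORD: ${AUTHENTIK_DB_PASSWORD:?set in .env.authentik}` (likewise `AUTHENTIK_POSTGRESQL__PASSWORD` in both services), and either drop `AUTHENTIK_BOOTSTRAP_TOKEN` or source it from the env file the same way. Because `ports: - "9000:9000"` binds on all host interfaces, a test host on a shared network also exposes an admin account with a known password; `"127.0.0.1:9000:9000"` keeps it local. A comment that the `AUTHENTIK_BOOTSTRAP_*` values are only applied on first run, so a stale `authentik-db-data` volume keeps the old password until `down -v`, would save the next person some confusion.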
@@ -1,17 +1,130 @@ -version: '3.8' +version: "3.8" services: - keycloak: - image: quay.io/keycloak/keycloak:latest - container_name: gitea-mirror-keycloak + # PostgreSQL database for Keycloak + keycloak-db: + image: postgres:15-alpine + container_name: keycloak-db + restart: unless-stopped environment: - KEYCLOAK_ADMIN: admin - KEYCLOAK_ADMIN_PASSWORD: admin - command: start-dev - ports: - - "8080:8080" + POSTGRES_DB: keycloak + POSTGRES_USER: keycloak + POSTGRES_PASSWORD: keycloak-db-password volumes: - - keycloak_data:/opt/keycloak/data + - keycloak-db-data:/var/lib/postgresql/data + networks: + - keycloak-net + healthcheck: + test: ["CMD-SHELL", "pg_isready -U keycloak"] + interval: 10s + timeout: 5s + retries: 5 + + # Keycloak Identity Provider + keycloak: + image: quay.io/keycloak/keycloak:23.0 + container_name: keycloak + restart: unless-stopped + command: start-dev # Use 'start' for production with HTTPS + environment: + # Admin credentials + KEYCLOAK_ADMIN: admin + KEYCLOAK_ADMIN_PASSWORD: admin-password + + # Database configuration + KC_DB: postgres + KC_DB_URL_HOST: keycloak-db + KC_DB_URL_DATABASE: keycloak + KC_DB_USERNAME: keycloak + KC_DB_PASSWORD: keycloak-db-password + + # HTTP settings + KC_HTTP_ENABLED: true + KC_HTTP_PORT: 8080 + KC_HOSTNAME_STRICT: false + KC_HOSTNAME_STRICT_HTTPS: false + KC_PROXY: edge # If behind a proxy + + # Development settings (remove for production) + KC_HOSTNAME: localhost + KC_HOSTNAME_PORT: 8080 + KC_HOSTNAME_ADMIN: localhost + + # Features + KC_FEATURES: token-exchange,admin-fine-grained-authz + + # Health and metrics + KC_HEALTH_ENABLED: true + KC_METRICS_ENABLED: true + + # Log level + KC_LOG_LEVEL: INFO + # Uncomment for debug logging + # KC_LOG_LEVEL: DEBUG + # QUARKUS_LOG_CATEGORY__ORG_KEYCLOAK_SERVICES: DEBUG + ports: + - "8080:8080" # HTTP + - "8443:8443" # HTTPS (if configured) + - "9000:9000" # Management + networks: + - keycloak-net + - gitea-mirror-net + depends_on: + keycloak-db: + condition: 
service_healthy + volumes: + # For custom themes (optional) + - keycloak-themes:/opt/keycloak/themes + # For importing realm configurations + - ./keycloak-realm-export.json:/opt/keycloak/data/import/realm.json:ro + healthcheck: + test: ["CMD", "curl", "-f", "http://localhost:8080/health/ready"] + interval: 15s + timeout: 10s + retries: 10 + start_period: 60s + + # Gitea Mirror Application (uncomment to run together) + # gitea-mirror: + # build: . + # # OR use pre-built image: + # # image: ghcr.io/raylabshq/gitea-mirror:latest + # container_name: gitea-mirror + # restart: unless-stopped + # environment: + # # Core Settings + # BETTER_AUTH_URL: http://localhost:4321 + # BETTER_AUTH_TRUSTED_ORIGINS: http://localhost:4321,http://localhost:8080 + # BETTER_AUTH_SECRET: "your-32-character-secret-key-here" + # + # # GitHub Settings (configure as needed) + # GITHUB_USERNAME: ${GITHUB_USERNAME} + # GITHUB_TOKEN: ${GITHUB_TOKEN} + # + # # Gitea Settings (configure as needed) + # GITEA_URL: ${GITEA_URL} + # GITEA_USERNAME: ${GITEA_USERNAME} + # GITEA_TOKEN: ${GITEA_TOKEN} + # volumes: + # - ./data:/app/data + # ports: + # - "4321:4321" + # networks: + # - gitea-mirror-net + # depends_on: + # keycloak: + # condition: service_healthy volumes: - keycloak_data: \ No newline at end of file + keycloak-db-data: + name: keycloak-db-data + keycloak-themes: + name: keycloak-themes + +networks: + keycloak-net: + name: keycloak-net + driver: bridge + gitea-mirror-net: + name: gitea-mirror-net + driver: bridge \ No newline at end of file diff --git a/docs/ENVIRONMENT_VARIABLES.md b/docs/ENVIRONMENT_VARIABLES.md index a7c5a46..3bf803e 100644 --- a/docs/ENVIRONMENT_VARIABLES.md +++ b/docs/ENVIRONMENT_VARIABLES.md 
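Review bot: `KC_PROXY: edge` makes Keycloak trust `X-Forwarded-For` / `X-Forwarded-Proto` from whatever connects to it, and with `ports: - "8080:8080"` the container is reachable directly on every host interface, so any client can spoof its source address (and the scheme in issued URLs) just by sending those headers; for a setup that is not actually behind a reverse proxy, drop `KC_PROXY` or bind `"127.0.0.1:8080:8080"`. The admin and DB passwords remain fixed literals (`KEYCLOAK_ADMIN_PASSWORD: admin-password`, `KC_DB_PASSWORD: keycloak-db-password`) while the commented gitea-mirror block already uses `${...}` substitution for its tokens — `${KEYCLOAK_ADMIN_PASSWORD:?}` from an env file would be consistent. Two functional caveats worth a comment next to the relevant lines: the mounted `/opt/keycloak/data/import/realm.json` is only read when the command includes `--import-realm` (`command: start-dev --import-realm`), and as far as I recall the official image does not ship `curl`, so the `curl -f .../health/ready` healthcheck may never pass and the commented `condition: service_healthy` would be unsatisfiable. The `"9000:9000" # Management` mapping also appears to assume a separate management port that I don't believe 23.0 serves (the file's own healthcheck targets 8080) and collides with Authentik's 9000 if both compose files are ever started together.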
@@ -2,6 +2,17 @@ This document provides a comprehensive list of all environment variables supported by Gitea Mirror. These can be used to configure the application via Docker or other deployment methods. +## Environment Variables and UI Interaction + +When environment variables are set: +1. They are loaded on application startup +2. Values are stored in the database on first load +3. The UI will display these values and they can be modified +4. UI changes are saved to the database and persist +5. Environment variables provide initial defaults but don't override UI changes + +**Note**: Some critical settings like `GITEA_LFS`, `MIRROR_RELEASES`, and `MIRROR_METADATA` will be visible and configurable in the UI even when set via environment variables. + ## Table of Contents - [Core Configuration](#core-configuration) @@ -85,7 +96,7 @@ Settings for the destination Gitea instance. |----------|-------------|---------|---------| | `GITEA_ORG_VISIBILITY` | Default organization visibility | `public` | `public`, `private`, `limited`, `default` | | `GITEA_MIRROR_INTERVAL` | Mirror sync interval (automatically enables scheduler) | `8h` | Duration string (e.g., `30m`, `1h`, `8h`, `24h`) | -| `GITEA_LFS` | Enable LFS support (requires LFS on Gitea server) | `false` | `true`, `false` | +| `GITEA_LFS` | Enable LFS support (requires LFS on Gitea server) - Shows in UI | `false` | `true`, `false` | | `GITEA_CREATE_ORG` | Auto-create organizations | `true` | `true`, `false` | | `GITEA_PRESERVE_VISIBILITY` | Preserve GitHub repo visibility in Gitea | `false` | `true`, `false` | diff --git a/scripts/setup-authentik-test.sh b/scripts/setup-authentik-test.sh new file mode 100755 index 0000000..170b0d9 --- /dev/null +++ b/scripts/setup-authentik-test.sh 
@@ -0,0 +1,180 @@
+#!/bin/bash
+
+# Setup script for testing Authentik SSO with Gitea Mirror
+# This script helps configure Authentik for testing SSO integration
+
+set -e
+
+echo "======================================"
+echo "Authentik SSO Test Environment Setup"
+echo "======================================"
+echo ""
+
+# Colors for output
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+NC='\033[0m' # No Color
+
+# Check if docker and docker-compose are installed
+if ! command -v docker &> /dev/null; then
+ echo -e "${RED}Docker is not installed. Please install Docker first.${NC}"
+ exit 1
+fi
+
+if ! command -v docker-compose &> /dev/null && ! docker compose version &> /dev/null; then
+ echo -e "${RED}Docker Compose is not installed. Please install Docker Compose first.${NC}"
+ exit 1
+fi
+
+# Function to generate random secret
+generate_secret() {
+ openssl rand -base64 32 | tr -d '\n' | tr -d '=' | tr -d '/' | tr -d '+'
+}
+
+# Function to wait for service
+wait_for_service() {
+ local service=$1
+ local port=$2
+ local max_attempts=30
+ local attempt=1
+
+ echo -n "Waiting for $service to be ready"
+ while ! nc -z localhost $port 2>/dev/null; do
+ if [ $attempt -eq $max_attempts ]; then
+ echo -e "\n${RED}Timeout waiting for $service${NC}"
+ return 1
+ fi
+ echo -n "."
+ sleep 2
+ ((attempt++))
+ done
+ echo -e " ${GREEN}Ready!${NC}"
+ return 0
+}
+
+# Parse command line arguments
+ACTION=${1:-start}
+
+case $ACTION in
+ start)
+ echo "Starting Authentik test environment..."
+ echo ""
+
+ # Check if .env.authentik exists, if not create it
+ if [ ! -f .env.authentik ]; then
+ echo "Creating .env.authentik with secure defaults..."
+ cat > .env.authentik << EOF
+# Authentik Configuration
+AUTHENTIK_SECRET_KEY=$(generate_secret)
+AUTHENTIK_DB_PASSWORD=$(generate_secret)
+AUTHENTIK_BOOTSTRAP_PASSWORD=admin-password
+AUTHENTIK_BOOTSTRAP_EMAIL=admin@example.com
+
+# Gitea Mirror Configuration
+BETTER_AUTH_SECRET=$(generate_secret)
+BETTER_AUTH_URL=http://localhost:4321
+BETTER_AUTH_TRUSTED_ORIGINS=http://localhost:4321,http://localhost:9000
+
+# URLs for testing
+AUTHENTIK_URL=http://localhost:9000
+GITEA_MIRROR_URL=http://localhost:4321
+EOF
+ echo -e "${GREEN}Created .env.authentik with secure secrets${NC}"
+ echo ""
+ fi
+
+ # Load environment variables
+ source .env.authentik
+
+ # Start Authentik services
+ echo "Starting Authentik services..."
+ docker-compose -f docker-compose.authentik.yml --env-file .env.authentik up -d
+
+ # Wait for Authentik to be ready
+ echo ""
+ wait_for_service "Authentik" 9000
+
+ # Wait a bit more for initialization
+ echo "Waiting for Authentik to initialize..."
+ sleep 10
+
+ echo ""
+ echo -e "${GREEN}✓ Authentik is running!${NC}"
+ echo ""
+ echo "======================================"
+ echo "Authentik Access Information:"
+ echo "======================================"
+ echo "URL: http://localhost:9000"
+ echo "Admin Username: akadmin"
+ echo "Admin Password: admin-password"
+ echo ""
+ echo "======================================"
+ echo "Next Steps:"
+ echo "======================================"
+ echo "1. Access Authentik at http://localhost:9000"
+ echo "2. Login with akadmin / admin-password"
+ echo "3. Create OAuth2 Provider for Gitea Mirror:"
+ echo " - Name: gitea-mirror"
+ echo " - Redirect URIs:"
+ echo " http://localhost:4321/api/auth/callback/sso-provider"
+ echo " - Scopes: openid, profile, email"
+ echo ""
+ echo "4. Create Application:"
+ echo " - Name: Gitea Mirror"
+ echo " - Slug: gitea-mirror"
+ echo " - Provider: gitea-mirror (created above)"
+ echo ""
+ echo "5. Start Gitea Mirror with:"
+ echo " bun run dev"
+ echo ""
+ echo "6. Configure SSO in Gitea Mirror:"
+ echo " - Go to Settings → Authentication & SSO"
+ echo " - Add provider with:"
+ echo " - Issuer URL: http://localhost:9000/application/o/gitea-mirror/"
+ echo " - Client ID: (from Authentik provider)"
+ echo " - Client Secret: (from Authentik provider)"
+ echo ""
+ ;;
+
+ stop)
+ echo "Stopping Authentik test environment..."
+ docker-compose -f docker-compose.authentik.yml down
+ echo -e "${GREEN}✓ Authentik stopped${NC}"
+ ;;
+
+ clean)
+ echo "Cleaning up Authentik test environment..."
+ docker-compose -f docker-compose.authentik.yml down -v
+ echo -e "${GREEN}✓ Authentik data cleaned${NC}"
+
+ read -p "Remove .env.authentik file? (y/N) " -n 1 -r
+ echo
+ if [[ $REPLY =~ ^[Yy]$ ]]; then
+ rm -f .env.authentik
+ echo -e "${GREEN}✓ Configuration file removed${NC}"
+ fi
+ ;;
+
+ logs)
+ docker-compose -f docker-compose.authentik.yml logs -f
+ ;;
+
+ status)
+ echo "Authentik Service Status:"
+ echo "========================="
+ docker-compose -f docker-compose.authentik.yml ps
+ ;;
+
+ *)
+ echo "Usage: $0 {start|stop|clean|logs|status}"
+ echo ""
+ echo "Commands:"
+ echo " start - Start Authentik test environment"
+ echo " stop - Stop Authentik services"
+ echo " clean - Stop and remove all data"
+ echo " logs - Show Authentik logs"
+ echo " status - Show service status"
+ exit 1
+ ;;
+esac
\ No newline at end of file
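Review bot: `cat > .env.authentik << EOF` writes the generated `AUTHENTIK_SECRET_KEY`, `AUTHENTIK_DB_PASSWORD` and `BETTER_AUTH_SECRET` with the caller's default umask, so the file is typically world-readable; create it under a restrictive mask, e.g. `( umask 077; cat > .env.authentik << EOF ... )`, or add `chmod 600 .env.authentik` right after the `EOF` line, and make sure `.env.authentik` is git-ignored (not visible in this patch). As added in this same commit, docker-compose.authentik.yml does not reference `${AUTHENTIK_SECRET_KEY}` or `${AUTHENTIK_DB_PASSWORD}`, so the "Created .env.authentik with secure secrets" message is misleading until the compose file substitutes them, and the `admin-password` printed on screen is the hard-coded bootstrap value that the heredoc fixes as well. `wait_for_service` depends on `nc` and `generate_secret` on `openssl` without the `command -v` checks the script performs for docker, and `openssl rand -hex 32` would give a fixed-length secret without the chain of `tr -d` calls that strips characters from the base64 output. `source .env.authentik` is redundant with `--env-file .env.authentik` and executes whatever a pre-existing file contains in the current shell, since the script only writes the file when it is absent.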