Git
- service-urls: https://git.hamburg.ccc.de/
- host-fqdn: git.hamburg.ccc.de
- netbox-link: https://netbox.hamburg.ccc.de/virtualization/virtual-machines/46/
- server: Chaosknoten
- maintainer: june
- ccchh-id-integration: true
- config-management: nix-infra
Git server running on Forgejo.
SSH Public Key Fingerprints
- ssh-ed25519 fingerprint: SHA256:YjC9WtAL5wwgAhK6vLEKbkxB5/TKVaAxlWgG7UXgyvc
- ssh-rsa fingerprint: SHA256:mw5OR16hA+bAGSdhnQMTdH3QN1wFFSBFTle4zzRukxE
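To check a presented host key against the fingerprints above before trusting it, the SHA256 fingerprint can be recomputed from the raw key line (for example one line of ssh-keyscan or known_hosts content). This is an added example, not part of the original page or of the nix-infra configuration; the sample key and the host name git.example.invalid are constructed.

```python
import base64
import hashlib
import struct

# Fingerprints published on this page for git.hamburg.ccc.de.
PINNED = {
    "ssh-ed25519": "SHA256:YjC9WtAL5wwgAhK6vLEKbkxB5/TKVaAxlWgG7UXgyvc",
    "ssh-rsa": "SHA256:mw5OR16hA+bAGSdhnQMTdH3QN1wFFSBFTle4zzRukxE",
}


def fingerprint(line):
    """Return (key_type, 'SHA256:...') for one host key line."""
    fields = line.split()
    # Accept both "host type blob" and "type blob [comment]".
    idx = next((i for i, f in enumerate(fields) if f in PINNED), None)
    if idx is None or idx + 1 >= len(fields):
        raise ValueError("no supported key type in line")
    key_type = fields[idx]
    blob = base64.b64decode(fields[idx + 1], validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    # The blob starts with a length-prefixed copy of the key type; a mismatch
    # means the line was edited or mangled.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type label does not match key blob")
    # OpenSSH prints base64(sha256(blob)) without '=' padding.
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return key_type, "SHA256:" + digest


def matches_pinned(line):
    """True only if the key's fingerprint equals the pinned one for its type."""
    key_type, fp = fingerprint(line)
    return fp == PINNED[key_type]


def make_sample_line(host="git.example.invalid"):
    """Constructed ed25519 host key line (not the real server key)."""
    blob = (struct.pack(">I", 11) + b"ssh-ed25519"
            + struct.pack(">I", 32) + bytes(range(32)))
    return f"{host} ssh-ed25519 {base64.b64encode(blob).decode()}"


if __name__ == "__main__":
    sample = make_sample_line()
    print(fingerprint(sample), "pinned match:", matches_pinned(sample))
```

A key line that does not match the pinned fingerprint for its type should not be added to known_hosts.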
Configuration
The Forgejo instance is mostly configured using our nix-infra repo.
However, some parts need to be configured via the Web UI. This includes settings for organizations and users as well as the CCCHH ID integration.
CCCHH ID (Keycloak) Integration
For the Keycloak integration we do the usual mapping of client roles into a groups claim, which then gets read by Forgejo. Forgejo then maps the value of a user's groups claim to organizations and teams and also uses it to determine whether or not the user should be an administrator. What exactly gets mapped is defined here.
Furthermore, we also map a user attribute gitaccess and its value into a claim by the same name in Keycloak. The claim and its values are then read by Keycloak to determine whether or not the user should be able to log in.
Issues: Password login cannot currently be disabled (see https://codeberg.org/forgejo/forgejo/issues/732), so off-boarded users probably need to be removed from Forgejo manually.