Differences

This shows you the differences between two versions of the page.

--- infrastructure:services:git [2024-01-15 21:29 UTC] – Created from the form at infrastructure:services:form june
+++ infrastructure:services:git [2024-03-30 20:50 UTC] (current) – [CCCHH ID (Keycloak) Integration] allow everybody to get git accounts jtbx
@@ Line 2: / Line 2: @@
 ---- dataentry service ----
 service-urls_urls:          https://git.hamburg.ccc.de/
-other-service-fqdns:        @@Other-Service-FQDNs@@
+other-service-fqdns:
 host-fqdn:                  git.hamburg.ccc.de
 netbox-link_url:            https://netbox.hamburg.ccc.de/virtualization/virtual-machines/46/
@@ Line 8: / Line 8: @@
 maintainers:                june
 ccchh-id-integration_yesno: true
+config-management:          nix-infra
 ----
-TODO: Wofür ist dieser Service?
+===== Description =====
+Git server running on Forgejo.
+==== SSH Public Key Fingerprints ====
+  * ssh-ed25519 fingerprint: ''SHA256:YjC9WtAL5wwgAhK6vLEKbkxB5/TKVaAxlWgG7UXgyvc''
+  * ssh-rsa fingerprint: ''SHA256:mw5OR16hA+bAGSdhnQMTdH3QN1wFFSBFTle4zzRukxE''
+===== Configuration =====
+The Forgejo is mostly configured using our nix-infra repo.
+However some parts need to be configured via the Web UI. This includes: Settings for organizations and users as well as the [[infrastructure:services:keycloak|]] integration.
+==== CCCHH ID (Keycloak) Integration ====
+For the Keycloak integration we do the usual mapping of client roles into a ''groups'' claim, which then gets read by Forgejo. Forgejo then maps the value of the ''groups'' claim of a user to organization and teams and also uses it to determine whether or not the user should be an administrator. What exactly gets mapped is defined [[https://git.hamburg.ccc.de/admin/auths/1|here]].
+Issues: Password login can not be disabled currently (see https://codeberg.org/forgejo/forgejo/issues/732), so off-boarded users probably need to be removed from Forgejo manually.
-===== Konfiguration =====
-TODO