Differences

This shows you the differences between two versions of the page.

--- infrastructure:services:git [2024-01-15 21:29 UTC] – june
+++ infrastructure:services:git [2024-03-30 20:50 UTC] (current) – [CCCHH ID (Keycloak) Integration] allow everybody to get git accounts jtbx
@@ Line 8: / Line 8: @@
 maintainers:                june
 ccchh-id-integration_yesno: true
+config-management:          nix-infra
 ----
+===== Description =====
 Git server running on Forgejo.
-===== Konfiguration =====
+==== SSH Public Key Fingerprints ====
-TODO
+  * ssh-ed25519 fingerprint: ''SHA256:YjC9WtAL5wwgAhK6vLEKbkxB5/TKVaAxlWgG7UXgyvc''
+  * ssh-rsa fingerprint: ''SHA256:mw5OR16hA+bAGSdhnQMTdH3QN1wFFSBFTle4zzRukxE''
+===== Configuration =====
+The Forgejo is mostly configured using our nix-infra repo.
+However some parts need to be configured via the Web UI. This includes: Settings for organizations and users as well as the [[infrastructure:services:keycloak|]] integration.
+==== CCCHH ID (Keycloak) Integration ====
+For the Keycloak integration we do the usual mapping of client roles into a ''groups'' claim, which then gets read by Forgejo. Forgejo then maps the value of the ''groups'' claim of a user to organization and teams and also uses it to determine whether or not the user should be an administrator. What exactly gets mapped is defined [[https://git.hamburg.ccc.de/admin/auths/1|here]].
+Issues: Password login can not be disabled currently (see https://codeberg.org/forgejo/forgejo/issues/732), so off-boarded users probably need to be removed from Forgejo manually.