Differences

This shows you the differences between two versions of the page.

--- infrastructure:services:git [2024-01-15 21:35 UTC] – june
+++ infrastructure:services:git [2024-03-30 20:50 UTC] (current) – [CCCHH ID (Keycloak) Integration] allow everybody to get git accounts jtbx
@@ Line 10: / Line 10: @@
 config-management:          nix-infra
 ----
+===== Description =====
 Git server running on Forgejo.
+==== SSH Public Key Fingerprints ====
+  * ssh-ed25519 fingerprint: ''SHA256:YjC9WtAL5wwgAhK6vLEKbkxB5/TKVaAxlWgG7UXgyvc''
+  * ssh-rsa fingerprint: ''SHA256:mw5OR16hA+bAGSdhnQMTdH3QN1wFFSBFTle4zzRukxE''
 ===== Configuration =====
@@ Line 17: / Line 24: @@
 The Forgejo is mostly configured using our nix-infra repo.
-However some parts need to be configured via the Web UI. This includes: Settings for organizations and users, the [[infrastructure:services:keycloak|]] integration.
+However some parts need to be configured via the Web UI. This includes: Settings for organizations and users as well as the [[infrastructure:services:keycloak|]] integration.
+==== CCCHH ID (Keycloak) Integration ====
+For the Keycloak integration we do the usual mapping of client roles into a ''groups'' claim, which then gets read by Forgejo. Forgejo then maps the value of the ''groups'' claim of a user to organization and teams and also uses it to determine whether or not the user should be an administrator. What exactly gets mapped is defined [[https://git.hamburg.ccc.de/admin/auths/1|here]].
+Issues: Password login can not be disabled currently (see https://codeberg.org/forgejo/forgejo/issues/732), so off-boarded users probably need to be removed from Forgejo manually.