Default config changes

infogulch

I was looking through the gitea config cheat sheet and there are some changes that could be made to make it more operator friendly.

I'd like to hear your thoughts.

1. Disable registration by default

See Prevent external users from joining gitea instance.

[service]
DISABLE_REGISTRATION = True
REGISTER_MANUAL_CONFIRM = True
EMAIL_DOMAIN_ALLOWLIST = XX_your_domain_here_XX,cloudron.local
DEFAULT_USER_IS_RESTRICTED = True

I would guess that most cloudron users would want to manage gitea user accounts through cloudron instead of in the app itself. This would prevent spam and abuse of gitea instances by default. This may require some tuning, I'm not sure how carefully these configs were tested.

2. Completely disable gitea password-based signin form

I noticed gitea has these options to disable the username/password signin form entirely. This would make cloudron logins smoother because I keep forgetting and fill in my cloudron credentials to the gitea login form, which doesn't work, instead of clicking "Sign in with Cloudron".

More importantly, if this setting is changed it might eliminate the need to change and manage the admin password during first time app install, simplifying the initial setup. To ensure that users can get to the admin panel, maybe we could use the CLI to make the cloudron app owner account an administrator in start.sh.

[service]
ENABLE_PASSWORD_SIGNIN_FORM = false
ENABLE_BASIC_AUTHENTICATION = false

ENABLE_PASSWORD_SIGNIN_FORM: true: Show the password login form (for password-based login), otherwise, only show OAuth2 or passkey login methods if they are enabled. If you set it to false, maybe it also needs to set ENABLE_BASIC_AUTHENTICATION to false to completely disable password-based authentication.

girish

@infogulch thanks for the write up.

I have a MR going now which disables registration by default - https://git.cloudron.io/packages/gitea-app/-/merge_requests/29 . Also, adds a checklist item to disable registration in non-sso mode .

infogulch

Cool. What do you think about item 2?

girish

@infogulch I think disabling the signin form disables admin login as well. We won't put it in the package since then the first login won't work (to change admin password) . But I think it makes sense in general.

infogulch

Yes that's what I'm saying: I've never logged in with the root user since changing the password, I've always managed my gitea instance by giving my cloudron identity administrator privileges in the app. So maybe the admin is not even necessary. And if we just completely disable the admin login this would simplify first-time setup of the gitea app.

girish

Doesn't the first OIDC user need to be made an admin by logging in as admin first?

infogulch

What if the OIDC user can be made admin through the CLI in start.sh?

girish

Users are auto-created by gitea on OIDC login. So, we may not have the user object in gitea database in start.sh time.

infogulch

Yes I suspected that's how it would work.

What if we configure Gitea admin group claims from OIDC tokens? Can cloudron add a claim to the token when the authenticated user is an operator?

• --group-claim-name: Claim name providing group names for this source. (Optional)
• --admin-group: Group Claim value for administrator users. (Optional)

-Gitea Command Line Reference

https://github.com/search?q=repo%3Ago-gitea%2Fgitea oauth2_group_claim_name&type=code
https://github.com/search?q=repo%3Ago-gitea%2Fgitea+oauth2groupclaimname&type=code
https://github.com/search?q=repo%3Ago-gitea%2Fgitea GroupClaimName&type=code

Ok it looks like these configs are not settable by app.ini. I'll ask in the discord and post back here.

https://github.com/go-gitea/gitea/blob/b861d86f80ea7a848efb539b798bbde3c7877d02/modules/setting/oauth2.go#L63-L79