Default config changes

What I was aiming for with this was to simplify the Gitea app install process for new instances. This would:

1. Remove the step where new app owners must change the root password and save it, eliminating the initial period where new installs are vulnerable to spam and abuse, and eliminating the need for a root user at all.
2. Allow for disabling username/password entry form, streamlining cloudron logins.
3. Derive Gitea Site Administrator privileges directly from app owner/operator role, simplifying app administrator delegation.

These goals are related to the default initial configuration of the gitea app, and are thus not possible to achieve with cloudron groups.

To do this, cloudron would need to:

1. Add a role claim (maybe roles plural) to the claims returned by getClaims, corresponding to the user's role assignment for that app.
2. Accept a PR to the gitea app that configures it to use these claims to set the site administrator role, after waiting for gitea to implement the ability to configure these settings from app.ini.

I understand if you are not interested at this time.

I see. Having some impedance mismatch between cloudron roles and app groups makes sense.

What if cloudron exposed a separate "roles" claim in addition to groups? Gitea could be configured to use the cloudron role claim as Claim name providing groups for this source, then set administrator as the Group Claim value for administrator users. Or set it to operators if you want to allow every operator to act as a Gitea Site Administrator.

In this case as long as Map claimed groups to Organization teams is left blank then there's no mapping that will confuse the app.

@girish So my question for you is: Does cloudron assign an oauth2 claim for groups, specifically for app operators? If not, could it?

Ok I found that the configuration is loaded from the login_soruce table, which has a JSON column cfg with OAuth2-specific fields. For reference it works like this:

• OAuth2 login starts in SignInOAuthCallback
  • This calls GetActiveOAuth2SourceByAuthName to get the OAuth config
  • GetActiveOAuth2SourceByAuthName loads the login configuration from the database
  • This populates a models.auth.Source struct from the login_source table
  • The Cfg field is parsed into the source-specific struct services.auth.source.oauth2.Source which contains the GroupClaimName and AdminGroup fields.
• Then SignInOAuthCallback calls function getUserAdminAndRestrictedFromGroupClaims to read these fields to get the user's admin status from the oauth claims.

I looked at my login_source table:

SELECT * FROM login_source WHERE type = 6 /*OAuth2*/ AND name = 'cloudron' AND is_active = 1;

+----+------+----------+-----------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------+--------------+-----------+-------------------+
| id | type | name     | is_sync_enabled | cfg                                                                                                                                                                                                                                                                                                                                                                                                          | created_unix | updated_unix | is_active | two_factor_policy |
+----+------+----------+-----------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------+--------------+-----------+-------------------+
|  1 |    6 | cloudron |               0 | {"Provider":"openidConnect","ClientID":"<snip>","ClientSecret":"<snip>","OpenIDConnectAutoDiscoveryURL":"https://my.<cloudron domain>/openid/.well-known/openid-configuration","CustomURLMapping":null,"IconURL":"","Scopes":["openid email profile"],"RequiredClaimName":"","RequiredClaimValue":"","GroupClaimName":"","AdminGroup":"","GroupTeamMap":"","GroupTeamMapRemoval":false,"RestrictedGroup":""} |   1752293846 |   1752293846 |         1 |                   |
+----+------+----------+-----------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------+--------------+-----------+-------------------+

Here you can see the JSON fields GroupClaimName and AdminGroup in the cfg column.

So these configuration settings can be updated today with a query like this:

UPDATE login_source
SET cfg = JSON_SET(cfg, '$.GroupClaimName', '<group claim name>', '$.AdminGroup', '<operators group name>')
WHERE type = 6 /*OAuth2*/ AND name = 'cloudron' AND is_active = 1;

Obviously it would be better if this setting was exposed in app.ini, but this is enough for testing. And we'll have a stronger case for a PR to add this if we come with a live use-case.

To me it seems like the next steps are:

1. Figure out if Cloudron even exposes the group names and the app's operators group via OAuth2 claims
2. Test to see if filling in the GroupClaimName and AdminGroup fields in the UI works
3. Test to see if changing it by sql works
4. Decide if this makes sense as a default
5. Update the app to use it by default
   a. start.sh can open a subshell that tries to update these settings by direct query, checking in a loop every 5 seconds waiting for the schema to populate on first boot and for the login_source row to be created from config.
   b. Add the settings ENABLE_PASSWORD_SIGNIN_FORM = false and ENABLE_BASIC_AUTHENTICATION = false, and remove the first-time setup task to change the root password.
   c. Open an issue with Gitea to expose these settings via app.ini, remove the subshell workaround and use the exposed config options when they are available.

Yes I suspected that's how it would work.

What if we configure Gitea admin group claims from OIDC tokens? Can cloudron add a claim to the token when the authenticated user is an operator?

• --group-claim-name: Claim name providing group names for this source. (Optional)
• --admin-group: Group Claim value for administrator users. (Optional)

-Gitea Command Line Reference

https://github.com/search?q=repo%3Ago-gitea%2Fgitea oauth2_group_claim_name&type=code
https://github.com/search?q=repo%3Ago-gitea%2Fgitea+oauth2groupclaimname&type=code
https://github.com/search?q=repo%3Ago-gitea%2Fgitea GroupClaimName&type=code

Ok it looks like these configs are not settable by app.ini. I'll ask in the discord and post back here.

https://github.com/go-gitea/gitea/blob/b861d86f80ea7a848efb539b798bbde3c7877d02/modules/setting/oauth2.go#L63-L79

What if the OIDC user can be made admin through the CLI in start.sh?

Yes that's what I'm saying: I've never logged in with the root user since changing the password, I've always managed my gitea instance by giving my cloudron identity administrator privileges in the app. So maybe the admin is not even necessary. And if we just completely disable the admin login this would simplify first-time setup of the gitea app.

Cool. What do you think about item 2?

I was looking through the gitea config cheat sheet and there are some changes that could be made to make it more operator friendly.

I'd like to hear your thoughts.

1. Disable registration by default

See Prevent external users from joining gitea instance.

[service]
DISABLE_REGISTRATION = True
REGISTER_MANUAL_CONFIRM = True
EMAIL_DOMAIN_ALLOWLIST = XX_your_domain_here_XX,cloudron.local
DEFAULT_USER_IS_RESTRICTED = True

I would guess that most cloudron users would want to manage gitea user accounts through cloudron instead of in the app itself. This would prevent spam and abuse of gitea instances by default. This may require some tuning, I'm not sure how carefully these configs were tested.

2. Completely disable gitea password-based signin form

I noticed gitea has these options to disable the username/password signin form entirely. This would make cloudron logins smoother because I keep forgetting and fill in my cloudron credentials to the gitea login form, which doesn't work, instead of clicking "Sign in with Cloudron".

More importantly, if this setting is changed it might eliminate the need to change and manage the admin password during first time app install, simplifying the initial setup. To ensure that users can get to the admin panel, maybe we could use the CLI to make the cloudron app owner account an administrator in start.sh.

[service]
ENABLE_PASSWORD_SIGNIN_FORM = false
ENABLE_BASIC_AUTHENTICATION = false

ENABLE_PASSWORD_SIGNIN_FORM: true: Show the password login form (for password-based login), otherwise, only show OAuth2 or passkey login methods if they are enabled. If you set it to false, maybe it also needs to set ENABLE_BASIC_AUTHENTICATION to false to completely disable password-based authentication.

Maybe because the next line is SHOW_REGISTRATION_BUTTON = false. Not sure what this combination of features does, maybe it hides the register button but allows direct POST requests to the endpoint anyway?

+1 to "change the app so that the default is a disabled registration". I just had a big mess to clean up because of this. https://forum.cloudron.io/topic/14053/clean-up-external-users-that-have-accessed-gitea-instance

At the very least these configs should be mentioned in the admin checklist.

• With help from Grok: https://grok.com/share/bGVnYWN5_baedbb67-0507-41f0-b26d-29da9f1b7f94
• Exported users to delete with mysql --user=${CLOUDRON_MYSQL_USERNAME} --password=${CLOUDRON_MYSQL_PASSWORD} --host=${CLOUDRON_MYSQL_HOST} ${CLOUDRON_MYSQL_DATABASE} -e "SELECT id FROM user WHERE FROM_UNIXTIME(created_unix) > '2025-03-01'" > /app/data/users-to-delete.txt
• Deleted the header name with vim
• Switch to git user sudo -u git bash
• Run a command to use the cli to purge each user in the list: while read -r id; do /home/git/gitea/gitea -c /run/gitea/app.ini admin user delete --id "$id" --purge; done < /app/data/users-to-delete.txt
• All bad users cleared but one (not sure why), deleted manually.
• Done!

In 2022 gitea added the ability to purge an individual account including all memberships and repos: Add option to purge users (go-gitea#18064)

Unfortunately for me there is no option to purge multiple accounts at once. So I posted on an existing open issue with a request for this feature: Multi-select users for mass modification/deletion/purge #33376

I may consider reverse-engineering the purge code and running it manually, but that would be a lot of work...

Maybe a curl script to hit the purge endpoint is a better idea.

It seems the schema has changed since that blog post, but the basic idea still worked.

• SELECT COUNT(*) FROM user; showed 19922 accounts.
• I noticed most accounts were added starting March 2025
• SELECT * FROM user WHERE FROM_UNIXTIME(created_unix) < '2025-03-01' shows only the 4 very old accounts that I recognized.
• SELECT COUNT(*) FROM user WHERE FROM_UNIXTIME(created_unix) > '2025-03-01' showed 19918 accounts that I would want to delete.
• UPDATE user SET is_active = 0 WHERE FROM_UNIXTIME(created_unix) > '2025-03-01'; marked these accounts as inactive
• Under Maintenance > Dashboard, I clicked Run on the Delete all unactivated accounts maintenance operation.
• It took ~5 minutes and deleted a bunch of accounts, but now it's stuck at 2169 accounts and running the maintenance operation again isn't working.
• Restarting app...
• The issue with the stuck accounts is shown in the logs: Inactive user "<snip>" has repositories, organizations or packages, skipping deletion: user still has ownership of repositories
• Looking into deleting inactive users along with everything they own.

My gitea instance is filled up with spam and malware distribution. Looks like over 1000 users since March 2025. I thought I disabled that feature but maybe not...

I have added the same list of configs that the user in this thread did: Prevent external users joining gitea instance

[service]
DISABLE_REGISTRATION = True
REGISTER_MANUAL_CONFIRM = True
EMAIL_DOMAIN_ALLOWLIST = XX_your_domain_here_XX,cloudron.local
DEFAULT_USER_IS_RESTRICTED = True

But now I have a mess to clean up. I'll document what I did here.

I found this blog article from 2022 with a 2-step solution:

1. Use sql query to change status of unwanted users to inactive: UPDATE public.user SET is_active = 'f' WHERE name != 'bertieb'; (modify as needed)
2. Use the gitea dashboard feature to delete inactive users.

I'll try this and report back.

Ok if I switch it to "Direct disk" it fails to boot but "GRUB (Legacy)" kernel option seems to boot fine.

Thank you that is helpful.

So maybe the correct option is to use the "Direct Disk" option that boots the kernel installed on the disk to allow the OS updates to manage the kernel version. This should head off any future issues and I won't have to coordinate when I upgrade to 22.04 and 24.04.

See: https://techdocs.akamai.com/cloud-computing/docs/manage-the-kernel-on-a-compute-instance#view-and-modify-the-kernel-in-cloud-manager

Everything seems to be back up and running now. Thank you!

Any advice which latest kernel version I should be using? There are many options...

Edit: Oh maybe I should upgrade 20.04 as a first step...

https://docs.cloudron.io/guides/upgrade-ubuntu-22/
https://docs.cloudron.io/guides/upgrade-ubuntu-24/

Maybe it would be worth putting the kernel version in the info section?