studio/sbbb
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(ory): OIDC group-to-team mapping, social login, Gitea OIDC-only mode

Browse Source 
Identity permissions flow from Kratos metadata_admin.groups through
Hydra ID token claims to Gitea's OIDC group-to-team mapping:
- super-admin → site admin + Owners + Employees teams
- employee → Owners + Employees teams
- community → Contributors team (social sign-up users)

Kratos: Discord + GitHub social login providers, community identity
schema, OIDC method enabled with env-var credential injection via VSO.

Gitea: OIDC-only login (no local registration, no password form),
APP_NAME, favicon, auto-registration with account linking.

Also: messages-mta-in recreate strategy + liveness probe for milter.
This commit is contained in:
Sienna Meridian Satterwhite
2026-03-27 17:46:11 +00:00
parent 33f0e44545
commit 97628b0f6f
5 changed files with 136 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
base/devtools/gitea-values.yaml
View File

@@ -19,6 +19,9 @@ gitea:
email: gitea@local.domain
config:
DEFAULT:
APP_NAME: "Sunbeam Studios Version Control"
ui:
DEFAULT_THEME: sunbeam
THEMES: sunbeam
@@ -56,11 +59,24 @@ gitea:
TYPE: redis
CONN_STR: redis://valkey.data.svc.cluster.local:6379/2?pool_size=100&idle_timeout=180s
service:
# Only allow registration through OIDC (Hydra/Kratos), not local accounts.
DISABLE_REGISTRATION: "false"
ALLOW_ONLY_EXTERNAL_REGISTRATION: "true"
# Hide the password login form — show only the OIDC button.
ENABLE_PASSWORD_SIGNIN_FORM: "false"
openid:
ENABLE_OPENID_SIGNIN: "false"
ENABLE_OPENID_SIGNUP: "false"
oauth2_client:
# Auto-redirect to Hydra OIDC on login — makes OIDC the primary auth method.
OAUTH2_AUTO_REDIRECT_TO_PROVIDER: Sunbeam
# Register new OIDC users automatically.
ENABLE_AUTO_REGISTRATION: "true"
ACCOUNT_LINKING: auto
USERNAME: preferred_username
storage:
STORAGE_TYPE: minio
@@ -112,6 +128,10 @@ extraContainerVolumeMounts:
mountPath: /data/gitea/public/assets/img/logo.svg
subPath: logo.svg
readOnly: true
- name: custom-theme
mountPath: /data/gitea/public/assets/img/favicon.png
subPath: favicon.png
readOnly: true
- name: mkcert-ca
mountPath: /run/ca/ca.crt
subPath: ca.crt