From 3cb30ab798f17c2b94434584bc1e76173b042db4 Mon Sep 17 00:00:00 2001
From: marlon
Date: Wed, 30 Oct 2024 16:49:50 -0400
Subject: [PATCH] sso templating
---
 .env.sample | 7 ++++---
 compose.yml | 3 +++
 gitlab.rb.tmpl | 8 ++++----
 3 files changed, 11 insertions(+), 7 deletions(-)
diff --git a/.env.sample b/.env.sample
index 7c35fdb..bfd76f4 100644
--- a/.env.sample
+++ b/.env.sample
@@ -3,7 +3,8 @@
 TYPE=gitlab
 DOMAIN=gitlab.example.com
 REGISTRY_DOMAIN=registry.gitlab.example.com
-PAGES_DOMAIN=pages.gitlab.example.com
+# The Gitlab Pages domain must not be a subdomain of the main Gitlab domain
+PAGES_DOMAIN=pages.example.com
 ## Domain aliases
 EXTRA_DOMAINS=", `$REGISTRY_DOMAIN`, `$PAGES_DOMAIN`"
@@ -20,6 +21,6 @@ SECRET_RUNNER_TOKEN_VERSION=v1
 SSO=false
 ## Authentik Configuration
 # SSO=true
-# SSO_PROVIDER_HOST="authentik.mydomain.com"
+# SSO_PROVIDER_URL="https://authentik.mydomain.com/application/o/gitlab/"
 # ORG_NAME="My Organization"
-# SECRET_CLIENT_SSO_SECRET_VERSION=v1
+# SECRET_SSO_PROVIDER_SECRET_VERSION=v1
diff --git a/compose.yml b/compose.yml
index c853014..8a586ac 100644
--- a/compose.yml
+++ b/compose.yml
@@ -53,6 +53,9 @@ secrets:
 runner_token:
 external: true
 name: ${STACK_NAME}_runner_token_${SECRET_RUNNER_TOKEN_VERSION}
+sso_provider_secret:
+external: true
+name: ${STACK_NAME}_sso_provider_secret_${SECRET_SSO_PROVIDER_SECRET_VERSION}
 volumes:
 gitlabconfig:
diff --git a/gitlab.rb.tmpl b/gitlab.rb.tmpl
index de94dc7..607540b 100644
--- a/gitlab.rb.tmpl
+++ b/gitlab.rb.tmpl
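Review bot: The new comment above `PAGES_DOMAIN` states the rule but not the reason, so operators reading the sample are likely to treat it as a stylistic preference rather than a hard requirement. As far as I recall, GitLab's own guidance is that the Pages root domain must not share a parent with the instance domain because Pages serves user-controlled content, and a shared parent would let that content reach the instance's cookies; I'd extend the line to `# The Gitlab Pages domain must not be a subdomain of the main Gitlab domain: Pages serves user-controlled content, and a shared parent domain would expose the instance's cookies to it`.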
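Review bot: `SSO_PROVIDER_URL` is introduced without saying that it is consumed verbatim as the OpenID Connect issuer (the gitlab.rb.tmpl hunk in this commit uses it as `"issuer"` with discovery enabled), so a value that differs from what the provider advertises — a missing trailing slash, a different slug, `http` instead of `https` — presumably fails discovery or ID-token issuer validation rather than producing a clear configuration error. I'd add above it `# Must match the provider's OIDC issuer exactly, including the trailing slash (used for discovery and token validation)`. Existing deployments that still set the old `SSO_PROVIDER_HOST` will presumably end up with an empty issuer, since the template now reads only `SSO_PROVIDER_URL`; that is worth a sentence in the sample or the commit message.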
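Review bot: The new `sso_provider_secret` declaration is unconditional and `external: true`, while `.env.sample` in the same commit ships with `SSO=false` and `SECRET_SSO_PROVIDER_SECRET_VERSION` commented out, so the name expands to `${STACK_NAME}_sso_provider_secret_` with an empty version suffix. If the gitlab service attaches this secret (the service block is outside this hunk), a deploy with SSO disabled presumably fails, since as far as I know Swarm refuses to start a service that mounts a missing external secret; either the attachment should be guarded by the SSO flag or the sample should state that the secret must exist even when SSO is off. A comment on the declaration would also make the coupling visible here: `# Client secret of the OIDC application; read by gitlab.rb.tmpl via {{ secret "sso_provider_secret" }}`.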
@@ -569,19 +569,19 @@ gitlab_rails['omniauth_providers'] = [
 {
 "name" => "openid_connect",
 "label" => "{{ env "ORG_NAME" }}",
-"icon" => "https://git.{{ env "BASE_DOMAIN" }}/uploads/-/system/appearance/favicon/1/favicon.png",
+"icon" => "https://{{ env "DOMAIN" }}/uploads/-/system/appearance/favicon/1/favicon.png",
 "args" => {
 "name" => "openid_connect",
 "scope" => ["openid","profile","email"],
 "response_type" => "code",
-"issuer" => "https://accounts.{{ env "BASE_DOMAIN" }}/realms/{{ env "KEYCLOAK_REALM" }}",
+"issuer" => "{{ env "SSO_PROVIDER_URL" }}",
 "discovery" => true,
 "client_auth_method" => "query",
 "send_scope_to_token_endpoint" => "false",
 "client_options" => {
 "identifier" => "gitlab",
-"secret" => "{{ env "GITLAB_KEYCLOAK_SECRET" }}",
-"redirect_uri" => "https://git.{{ env "BASE_DOMAIN" }}/users/auth/openid_connect/callback"
+"secret" => "{{ secret "sso_provider_secret" }}",
+"redirect_uri" => "https://{{ env "DOMAIN" }}/users/auth/openid_connect/callback"
 }
 }
 }
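Review bot: `"secret" => "{{ secret "sso_provider_secret" }}"` splices the raw secret file contents into a Ruby double-quoted string, so a trailing newline in the Swarm secret (common when it is created with `echo` rather than `printf`) becomes part of the client secret unless the `secret` helper trims it, and a `"` or `#{` in the value would break or alter the rendered gitlab.rb; I cannot see the helper from this hunk, so please confirm it trims whitespace, and consider documenting the expected format next to the line: `# client secret as stored in the Swarm secret; must be a single line with no trailing newline`. The `"identifier" => "gitlab"` on the line above stays hardcoded while the issuer now points at an Authentik application, which presumably assigns its own client ID, so the identifier likely needs to come from the environment as well. The provider hash sits inside `gitlab_rails['omniauth_providers'] = [`, which opens above this hunk and closes below it.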