diff --git a/ops/keycloak/identity_providers.tf b/ops/keycloak/identity_providers.tf
new file mode 100644
index 000000000..b60804a7d
--- /dev/null
+++ b/ops/keycloak/identity_providers.tf
@@ -0,0 +1,41 @@
+variable "github_client_secret" {
+ type = string
+}
+
+variable "gitlab_client_secret" {
+ type = string
+}
+
+resource "keycloak_oidc_identity_provider" "github" {
+ alias = "github"
+ provider_id = "github"
+ client_id = "Ov23liKpXqs0aPaVgDpg"
+ client_secret = var.github_client_secret
+ realm = keycloak_realm.snix.id
+ backchannel_supported = false
+ gui_order = "1"
+ store_token = false
+ sync_mode = "IMPORT"
+ trust_email = true
+ default_scopes = "openid user:email"
+
+ authorization_url = ""
+ token_url = ""
+}
+
+resource "keycloak_oidc_identity_provider" "gitlab" {
+ alias = "gitlab"
+ provider_id = "gitlab"
+ client_id = "6ecb359ede53f7d80003d127dc4448bd1b1d73631a01273d9576e00ff9a94d2c"
+ client_secret = var.gitlab_client_secret
+ realm = keycloak_realm.snix.id
+ backchannel_supported = false
+ gui_order = "2"
+ store_token = false
+ sync_mode = "IMPORT"
+ trust_email = true
+ default_scopes = "openid read_user"
+
+ authorization_url = ""
+ token_url = ""
+}
diff --git a/ops/keycloak/user_sources.tf b/ops/keycloak/user_sources.tf
deleted file mode 100644
index 499c7f7f3..000000000
--- a/ops/keycloak/user_sources.tf
+++ /dev/null
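Review bot: The two `client_secret` input variables in identity_providers.tf are declared as plain `string` without `sensitive = true`, so their values can surface in plan output, logs and error messages regardless of how the provider schema treats the attribute; add `sensitive = true` to both `variable` blocks. The deleted user_sources.tf carried a header comment describing the file's purpose and a comment above the empty `authorization_url`/`token_url` pair stating that they default to the built-in values for the given provider_id; both comments were dropped in the rewrite and are worth restoring, since an empty endpoint URL otherwise reads like a misconfiguration, now for the gitlab resource as well. Both providers set `trust_email = true` together with `sync_mode = "IMPORT"`, which presumably lets the first-broker-login flow skip Keycloak's own email verification and match existing realm users by the IdP-supplied address; with a second IdP the same address from either provider would resolve to the same account, so this relies on the `user:email` and `read_user` scopes only ever yielding verified addresses, and a one-line comment next to `trust_email` recording that assumption would help the next reviewer. The two resource blocks differ only in alias, client_id, secret, gui_order and scopes, so a `for_each` over a small map would avoid the duplicated 16 lines, but that is a style preference rather than a defect.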
@@ -1,27 +0,0 @@
-# All user sources, that is services from which Keycloak gets user
-# information (either by accessing a system like LDAP or integration
-# through protocols like OIDC).
-
-variable "github_client_secret" {
- type = string
-}
-
-# keycloak_oidc_identity_provider.github will be destroyed
-# (because keycloak_oidc_identity_provider.github is not in configuration)
-resource "keycloak_oidc_identity_provider" "github" {
- alias = "github"
- provider_id = "github"
- client_id = "Ov23liKpXqs0aPaVgDpg"
- client_secret = var.github_client_secret
- realm = keycloak_realm.snix.id
- backchannel_supported = false
- gui_order = "1"
- store_token = false
- sync_mode = "IMPORT"
- trust_email = true
- default_scopes = "openid user:email"
-
- # These default to built-in values for the `github` provider_id.
- authorization_url = ""
- token_url = ""
-}
diff --git a/ops/secrets/tf-keycloak.age b/ops/secrets/tf-keycloak.age
index 1ebcaa082..f33370e07 100644
Binary files a/ops/secrets/tf-keycloak.age and b/ops/secrets/tf-keycloak.age differ
diff --git a/web/content/docs/guides/contributing.md b/web/content/docs/guides/contributing.md
index 1ebf4515d..95b50b534 100644
--- a/web/content/docs/guides/contributing.md
+++ b/web/content/docs/guides/contributing.md
@@ -29,9 +29,9 @@ went through these instructions first.
 ### Creating a Gerrit account - Navigate to [our Gerrit instance][snix-gerrit]. Hit the "Sign in" button - (which allows SSO with a GitHub account) [^1] + (which allows SSO with some common IdPs) - In the User settings, paste an SSH public key and hit the "Add New SSH key" - button. [^2] + button. [^1] - Alternatively, you can also create "HTTP Credentials" (though saving the HTTP password is messy). 
@@ -58,7 +58,7 @@ replicates fast enough, then update to --push only -->
 ### Install the commit-msg hook Gerrit uses a `commit-msg` hook to add a `Change-Id: …` field to each commit message if not present already. This allows Gerrit to identify new revisions /
-updates of old commits, and track them as new revisions of the same "CL" [^3].
+updates of old commits, and track them as new revisions of the same "CL" [^2].
 To install the commit-msg hook, run the following from the repo root:
@@ -122,6 +122,5 @@ $ git push origin HEAD:refs/for/canon%r=alice,cc=bob,l=Autosubmit+1,publish-comm
 [snix-gerrit]: https://cl.snix.dev
 [Gerrit walkthrough]: https://gerrit-review.googlesource.com/Documentation/intro-gerrit-walkthrough.html
 [gerrit-for-github-users]: https://gerrit.wikimedia.org/r/Documentation/intro-gerrit-walkthrough-github.html
-[^1]: more SSO providers to come
-[^2]: currently, `ssh-*-sk` keytypes are not supported, so use an `ssh-ed25519` key.
-[^3]: abbreviation for "change list", and the review unit in Gerrit.
+[^1]: currently, `ssh-*-sk` keytypes are not supported, so use an `ssh-ed25519` key.
+[^2]: abbreviation for "change list", and the review unit in Gerrit.