khuedoan-homelab/scripts/hacks

#!/usr/bin/env python

"""
Quick and dirty script for things that I can't/don't have time to do properly yet
TODO: retire this script
"""

import base64
import json
import json
import pexpect
import requests
import subprocess
import sys
import urllib

from rich.console import Console
from kubernetes import client, config
from kubernetes.stream import stream

# https://git.khuedoan.com/user/settings/applications
# Doing this properly inside the cluster requires:
# - Kubernetes service account
config.load_config()

gitea_host = client.NetworkingV1Api().read_namespaced_ingress('gitea', 'gitea').spec.rules[0].host
gitea_user_secret = client.CoreV1Api().read_namespaced_secret('gitea-admin-secret', 'gitea')
gitea_user = base64.b64decode(gitea_user_secret.data['username']).decode("utf-8")
gitea_pass = base64.b64decode(gitea_user_secret.data['password']).decode("utf-8")
gitea_url = f"http://{gitea_host}"

kanidm_host = client.NetworkingV1Api().read_namespaced_ingress('kanidm', 'kanidm').spec.rules[0].host

def apply_secret(name: str, namespace: str, data: dict) -> None:
    try:
        client.CoreV1Api().read_namespaced_secret(name, namespace)
        patch_body = client.V1Secret(
            metadata=client.V1ObjectMeta(name=name),
            data=data,
        )
        client.CoreV1Api().replace_namespaced_secret(name, namespace, patch_body)
    except client.exceptions.ApiException:
        # Secret doesn't exist, create a new one
        new_secret = client.V1Secret(
            metadata=client.V1ObjectMeta(name=name),
            data=data,
        )
        client.CoreV1Api().create_namespaced_secret(namespace, new_secret)

def setup_gitea_access_token(name: str, scopes: list[str]) -> None:
    current_tokens = requests.get(
        url=f"{gitea_url}/api/v1/users/{gitea_user}/tokens",
        auth=(gitea_user,gitea_pass),
    ).json()

    if not any(token['name'] == name for token in current_tokens):
        resp = requests.post(
            url=f"{gitea_url}/api/v1/users/{gitea_user}/tokens",
            auth=(gitea_user,gitea_pass),
            headers={
                'Content-Type': 'application/json'
            },
            data=json.dumps({
                'name': name,
                'scopes': scopes
            })
        )

        if resp.status_code == 201:
            apply_secret(
                f"gitea.{name}",
                "global-secrets",
                {
                    'token': base64.b64encode(resp.json()['sha1'].encode("utf-8")).decode("utf-8")
                }
            )
        else:
            print(f"Error creating access token {name} ({resp.status_code})")
            print(resp.content)
            sys.exit(1)

def setup_gitea_oauth_app(name: str, redirect_uri: str) -> None:
    # TODO use the new global application, while it's there in the UI, there's no API yet.
    current_apps = requests.get(
        url=f"{gitea_url}/api/v1/user/applications/oauth2",
        auth=(gitea_user,gitea_pass),
    ).json()

    if not any(app['name'] == name for app in current_apps):
        resp = requests.post(
            url=f"{gitea_url}/api/v1/user/applications/oauth2",
            auth=(gitea_user,gitea_pass),
            headers={
                'Content-Type': 'application/json'
            },
            data=json.dumps({
                'name': name,
                'redirect_uris': [redirect_uri],
                'confidential_client': True
            })
        )

        if resp.status_code == 201:
            apply_secret(
                f"gitea.{name}",
                "global-secrets",
                {
                    'client_id': base64.b64encode(resp.json()['client_id'].encode("utf-8")).decode("utf-8"),
                    'client_secret': base64.b64encode(resp.json()['client_secret'].encode("utf-8")).decode("utf-8"),
                }
            )
        else:
            print(f"Error creating OAuth application {name} ({resp.status_code})")
            print(resp.content)
            sys.exit(1)

def setup_gitea_auth_with_dex():
    gitea_pod = client.CoreV1Api().list_namespaced_pod(namespace='gitea', label_selector='app=gitea').items[0].metadata.name
    client_secret = base64.b64decode(
        client.CoreV1Api().read_namespaced_secret('dex.gitea', 'global-secrets').data['client_secret']
    ).decode("utf-8")
    discovery_url = f"https://{client.NetworkingV1Api().read_namespaced_ingress('dex', 'dex').spec.rules[0].host}/.well-known/openid-configuration"

    # TODO currently there's no API to add new authentication sources in Gitea,
    # so we have to workaround by running Gitea CLI in a Gitea pod.
    stream(
        client.CoreV1Api().connect_get_namespaced_pod_exec,
        gitea_pod,
        'gitea',
        command=[
            'gitea', 'admin', 'auth', 'add-oauth',
            '--name', 'Dex',
            '--provider', 'openidConnect',
            '--key', 'gitea',
            '--secret', client_secret,
            '--auto-discover-url', discovery_url
        ],
        stderr=True, stdin=False,
        stdout=False, tty=False
    )

def reset_kanidm_account_password(account: str) -> str:
    resp = stream(
        client.CoreV1Api().connect_get_namespaced_pod_exec,
        'kanidm-0',
        'kanidm',
        command=["kanidmd", "recover-account", "--output", "json", account],
        stderr=False, stdin=False,
        stdout=True, tty=False
    ).splitlines()[-1]

    return json.loads(resp)['password']

# TODO Proper automation will be added later, waiting for client library update:
# https://github.com/kanidm/kanidm/pull/2301
def kanidm_login(accounts: list[str]) -> None:
    for account in accounts:
        password = reset_kanidm_account_password(account)

        # There's no way to input password using the standard library, so we have to use pexpect
        # https://stackoverflow.com/questions/2387731/use-subprocess-to-send-a-password
        cli_login = pexpect.spawn(f"kanidm login --url https://{kanidm_host} --name {account}")
        cli_login.sendline(password)
        cli_login.read()

def setup_kanidm_group(name: str) -> None:
    subprocess.run(
        ["kanidm", "group", "create", "--url", f"https://{kanidm_host}", "--name", "idm_admin", name],
        capture_output=True,
    )

def setup_kanidm_oauth_app(name: str, redirect_uri: str) -> None:
    try:
        subprocess.run(
            ["kanidm", "system", "oauth2", "create", "--url", f"https://{kanidm_host}", "--name", "admin", name, name, redirect_uri],
            capture_output=True,
            check=True,
        )
    except subprocess.CalledProcessError:
        return

    # TODO https://github.com/dexidp/dex/pull/3188
    subprocess.run(
        ["kanidm", "system", "oauth2", "warning-insecure-client-disable-pkce", "--url", f"https://{kanidm_host}", "--name", "admin", name],
        capture_output=True,
        check=True,
    )

    subprocess.run(
        # TODO better group management
        ["kanidm", "system", "oauth2", "create-scope-map", "--url", f"https://{kanidm_host}", "--name", "admin", name, "editor", "openid", "profile", "email", "groups"],
        capture_output=True,
        check=True,
    )

    client_secret = json.loads(subprocess.run(
        ["kanidm", "system", "oauth2", "show-basic-secret", "--url", f"https://{kanidm_host}", "--name", "admin", "--output", "json", name],
        capture_output=True,
        check=True,
    ).stdout.decode("utf-8"))['secret']

    apply_secret(
        f"kanidm.{name}",
        "global-secrets",
        {
            'client_id': base64.b64encode(name.encode("utf-8")).decode("utf-8"),
            'client_secret': base64.b64encode(client_secret.encode("utf-8")).decode("utf-8"),
        }
    )

def main() -> None:
    with Console().status("Completing the remaining sorcery"):
        gitea_access_tokens = [
            {
                'name': 'renovate',
                'scopes': [
                    "write:repository",
                    "read:user",
                    "write:issue",
                    "read:organization",
                    "read:misc"
                ]
            }
        ]

        gitea_oauth_apps = [
            {'name': 'woodpecker', 'redirect_uri': f"https://{client.NetworkingV1Api().read_namespaced_ingress('woodpecker-server', 'woodpecker').spec.rules[0].host}/authorize"},
        ]

        kanidm_groups = [
            # TODO better group management
            {'name': 'editor'},
        ]

        kanidm_oauth_apps = [
            {'name': 'dex', 'redirect_uri': f"https://{client.NetworkingV1Api().read_namespaced_ingress('dex', 'dex').spec.rules[0].host}/callback"},
        ]

        for token in gitea_access_tokens:
            setup_gitea_access_token(token['name'], token['scopes'])

        for app in gitea_oauth_apps:
            setup_gitea_oauth_app(app['name'], app['redirect_uri'])

        setup_gitea_auth_with_dex()

        kanidm_login(["admin", "idm_admin"])

        for group in kanidm_groups:
            setup_kanidm_group(group['name'])

        for app in kanidm_oauth_apps:
            setup_kanidm_oauth_app(app['name'], app['redirect_uri'])

if __name__ == '__main__':
    main()
refactor(tools): switch to Nix - Nix is more reproducible (pinned to a specific hash) - Faster rebuild after changing the package list (due to /nix caching in volume) - Users can still use make tools (wrapped in Docker) without installing Nix - Using nix-shell will work if you have nix installed. 2022-08-26 19:08:52 +07:00			`#!/usr/bin/env python`
feat: add script to setup Gitea tokens and OAuth apps 2022-07-18 03:48:15 +07:00
			`"""`
			`Quick and dirty script for things that I can't/don't have time to do properly yet`
			`TODO: retire this script`
			`"""`

feat: get credentials automatically in post install script 2022-07-23 23:59:29 +07:00			`import base64`
feat: add script to setup Gitea tokens and OAuth apps 2022-07-18 03:48:15 +07:00			`import json`
feat: automate Kanidm configuration Just a hack for now. 2024-01-06 01:25:55 +07:00			`import json`
			`import pexpect`
feat: add script to setup Gitea tokens and OAuth apps 2022-07-18 03:48:15 +07:00			`import requests`
feat: automate Kanidm configuration Just a hack for now. 2024-01-06 01:25:55 +07:00			`import subprocess`
feat: get credentials automatically in post install script 2022-07-23 23:59:29 +07:00			`import sys`
fix: URL encode Gitea password 2023-02-22 18:33:48 +07:00			`import urllib`
feat: add script to setup Gitea tokens and OAuth apps 2022-07-18 03:48:15 +07:00
feat: get credentials automatically in post install script 2022-07-23 23:59:29 +07:00			`from rich.console import Console`
			`from kubernetes import client, config`
feat: automate Kanidm configuration Just a hack for now. 2024-01-06 01:25:55 +07:00			`from kubernetes.stream import stream`
feat: add script to setup Gitea tokens and OAuth apps 2022-07-18 03:48:15 +07:00
			`# https://git.khuedoan.com/user/settings/applications`
			`# Doing this properly inside the cluster requires:`
			`# - Kubernetes service account`
refactor(hacks): use wrapper function to load kube config 2024-01-16 14:15:39 +07:00			`config.load_config()`
feat: add script to setup Gitea tokens and OAuth apps 2022-07-18 03:48:15 +07:00
feat: get credentials automatically in post install script 2022-07-23 23:59:29 +07:00			`gitea_host = client.NetworkingV1Api().read_namespaced_ingress('gitea', 'gitea').spec.rules[0].host`
refactor!: update post install script to write to k8s secret instead of Vault 2023-11-26 02:35:19 +07:00			`gitea_user_secret = client.CoreV1Api().read_namespaced_secret('gitea-admin-secret', 'gitea')`
			`gitea_user = base64.b64decode(gitea_user_secret.data['username']).decode("utf-8")`
			`gitea_pass = base64.b64decode(gitea_user_secret.data['password']).decode("utf-8")`
fix(hacks): don't use string interpolation for Gitea auth This fails when there are some special characters in the password 2024-03-02 23:34:46 +07:00			`gitea_url = f"http://{gitea_host}"`
feat: add script to setup Gitea tokens and OAuth apps 2022-07-18 03:48:15 +07:00
feat: automate Kanidm configuration Just a hack for now. 2024-01-06 01:25:55 +07:00			`kanidm_host = client.NetworkingV1Api().read_namespaced_ingress('kanidm', 'kanidm').spec.rules[0].host`

fix(hacks): patch secret if existed (#131) 2024-01-21 16:47:40 +07:00			`def apply_secret(name: str, namespace: str, data: dict) -> None:`
refactor!: update post install script to write to k8s secret instead of Vault 2023-11-26 02:35:19 +07:00			`try:`
			`client.CoreV1Api().read_namespaced_secret(name, namespace)`
fix(hacks): patch secret if existed (#131) 2024-01-21 16:47:40 +07:00			`patch_body = client.V1Secret(`
			`metadata=client.V1ObjectMeta(name=name),`
			`data=data,`
			`)`
			`client.CoreV1Api().replace_namespaced_secret(name, namespace, patch_body)`
refactor!: update post install script to write to k8s secret instead of Vault 2023-11-26 02:35:19 +07:00			`except client.exceptions.ApiException:`
			`# Secret doesn't exist, create a new one`
			`new_secret = client.V1Secret(`
			`metadata=client.V1ObjectMeta(name=name),`
			`data=data,`
			`)`
			`client.CoreV1Api().create_namespaced_secret(namespace, new_secret)`
feat: add script to setup Gitea tokens and OAuth apps 2022-07-18 03:48:15 +07:00
fix(gitea): define scopes when creating access tokens Required in newer versions. 2024-01-09 00:28:48 +07:00			`def setup_gitea_access_token(name: str, scopes: list[str]) -> None:`
feat: add script to setup Gitea tokens and OAuth apps 2022-07-18 03:48:15 +07:00			`current_tokens = requests.get(`
			`url=f"{gitea_url}/api/v1/users/{gitea_user}/tokens",`
fix(hacks): don't use string interpolation for Gitea auth This fails when there are some special characters in the password 2024-03-02 23:34:46 +07:00			`auth=(gitea_user,gitea_pass),`
feat: add script to setup Gitea tokens and OAuth apps 2022-07-18 03:48:15 +07:00			`).json()`

			`if not any(token['name'] == name for token in current_tokens):`
			`resp = requests.post(`
			`url=f"{gitea_url}/api/v1/users/{gitea_user}/tokens",`
fix(hacks): don't use string interpolation for Gitea auth This fails when there are some special characters in the password 2024-03-02 23:34:46 +07:00			`auth=(gitea_user,gitea_pass),`
feat: add script to setup Gitea tokens and OAuth apps 2022-07-18 03:48:15 +07:00			`headers={`
			`'Content-Type': 'application/json'`
			`},`
			`data=json.dumps({`
fix(gitea): define scopes when creating access tokens Required in newer versions. 2024-01-09 00:28:48 +07:00			`'name': name,`
			`'scopes': scopes`
feat: add script to setup Gitea tokens and OAuth apps 2022-07-18 03:48:15 +07:00			`})`
			`)`

			`if resp.status_code == 201:`
fix(hacks): patch secret if existed (#131) 2024-01-21 16:47:40 +07:00			`apply_secret(`
refactor!: make secret generator write to k8s Secrets instead of Vault 2023-11-26 02:09:21 +07:00			`f"gitea.{name}",`
			`"global-secrets",`
feat: add script to setup Gitea tokens and OAuth apps 2022-07-18 03:48:15 +07:00			`{`
refactor!: update post install script to write to k8s secret instead of Vault 2023-11-26 02:35:19 +07:00			`'token': base64.b64encode(resp.json()['sha1'].encode("utf-8")).decode("utf-8")`
feat: add script to setup Gitea tokens and OAuth apps 2022-07-18 03:48:15 +07:00			`}`
			`)`
			`else:`
			`print(f"Error creating access token {name} ({resp.status_code})")`
			`print(resp.content)`
			`sys.exit(1)`

			`def setup_gitea_oauth_app(name: str, redirect_uri: str) -> None:`
chore(gitea)!: ugrade Helm chart to v10 This is a breaking change, see https://gitea.com/gitea/helm-chart#upgrading before upgrading to avoid losing data. Personally I have my repos saved in many Git hosting providers so I just nuke it and reinstall. Fixes changed files detection in pull_request event in Woodpecker. 2024-01-08 10:56:44 +07:00			`# TODO use the new global application, while it's there in the UI, there's no API yet.`
feat: add script to setup Gitea tokens and OAuth apps 2022-07-18 03:48:15 +07:00			`current_apps = requests.get(`
			`url=f"{gitea_url}/api/v1/user/applications/oauth2",`
fix(hacks): don't use string interpolation for Gitea auth This fails when there are some special characters in the password 2024-03-02 23:34:46 +07:00			`auth=(gitea_user,gitea_pass),`
feat: add script to setup Gitea tokens and OAuth apps 2022-07-18 03:48:15 +07:00			`).json()`

			`if not any(app['name'] == name for app in current_apps):`
			`resp = requests.post(`
			`url=f"{gitea_url}/api/v1/user/applications/oauth2",`
fix(hacks): don't use string interpolation for Gitea auth This fails when there are some special characters in the password 2024-03-02 23:34:46 +07:00			`auth=(gitea_user,gitea_pass),`
feat: add script to setup Gitea tokens and OAuth apps 2022-07-18 03:48:15 +07:00			`headers={`
			`'Content-Type': 'application/json'`
			`},`
			`data=json.dumps({`
			`'name': name,`
chore(gitea)!: ugrade Helm chart to v10 This is a breaking change, see https://gitea.com/gitea/helm-chart#upgrading before upgrading to avoid losing data. Personally I have my repos saved in many Git hosting providers so I just nuke it and reinstall. Fixes changed files detection in pull_request event in Woodpecker. 2024-01-08 10:56:44 +07:00			`'redirect_uris': [redirect_uri],`
			`'confidential_client': True`
feat: add script to setup Gitea tokens and OAuth apps 2022-07-18 03:48:15 +07:00			`})`
			`)`

			`if resp.status_code == 201:`
fix(hacks): patch secret if existed (#131) 2024-01-21 16:47:40 +07:00			`apply_secret(`
refactor!: make secret generator write to k8s Secrets instead of Vault 2023-11-26 02:09:21 +07:00			`f"gitea.{name}",`
			`"global-secrets",`
feat: add script to setup Gitea tokens and OAuth apps 2022-07-18 03:48:15 +07:00			`{`
refactor!: update post install script to write to k8s secret instead of Vault 2023-11-26 02:35:19 +07:00			`'client_id': base64.b64encode(resp.json()['client_id'].encode("utf-8")).decode("utf-8"),`
			`'client_secret': base64.b64encode(resp.json()['client_secret'].encode("utf-8")).decode("utf-8"),`
feat: add script to setup Gitea tokens and OAuth apps 2022-07-18 03:48:15 +07:00			`}`
			`)`
			`else:`
			`print(f"Error creating OAuth application {name} ({resp.status_code})")`
			`print(resp.content)`
			`sys.exit(1)`

feat(gitea): automatically setup Dex as authentication source It's very ugly but it works ¯\_(ツ)_/¯ 2024-01-17 01:08:06 +07:00			`def setup_gitea_auth_with_dex():`
			`gitea_pod = client.CoreV1Api().list_namespaced_pod(namespace='gitea', label_selector='app=gitea').items[0].metadata.name`
			`client_secret = base64.b64decode(`
			`client.CoreV1Api().read_namespaced_secret('dex.gitea', 'global-secrets').data['client_secret']`
			`).decode("utf-8")`
			`discovery_url = f"https://{client.NetworkingV1Api().read_namespaced_ingress('dex', 'dex').spec.rules[0].host}/.well-known/openid-configuration"`

			`# TODO currently there's no API to add new authentication sources in Gitea,`
			`# so we have to workaround by running Gitea CLI in a Gitea pod.`
			`stream(`
			`client.CoreV1Api().connect_get_namespaced_pod_exec,`
			`gitea_pod,`
			`'gitea',`
			`command=[`
			`'gitea', 'admin', 'auth', 'add-oauth',`
			`'--name', 'Dex',`
			`'--provider', 'openidConnect',`
			`'--key', 'gitea',`
			`'--secret', client_secret,`
			`'--auto-discover-url', discovery_url`
			`],`
			`stderr=True, stdin=False,`
			`stdout=False, tty=False`
			`)`

feat: automate Kanidm configuration Just a hack for now. 2024-01-06 01:25:55 +07:00			`def reset_kanidm_account_password(account: str) -> str:`
			`resp = stream(`
			`client.CoreV1Api().connect_get_namespaced_pod_exec,`
			`'kanidm-0',`
			`'kanidm',`
			`command=["kanidmd", "recover-account", "--output", "json", account],`
fix(kandim): upgrade to 1.1.0-rc.16 Fixes ERR_ZSTD_WINDOW_SIZE_TOO_BIG 2024-04-18 17:24:28 +07:00			`stderr=False, stdin=False,`
			`stdout=True, tty=False`
			`).splitlines()[-1]`
feat: automate Kanidm configuration Just a hack for now. 2024-01-06 01:25:55 +07:00
			`return json.loads(resp)['password']`

			`# TODO Proper automation will be added later, waiting for client library update:`
			`# https://github.com/kanidm/kanidm/pull/2301`
			`def kanidm_login(accounts: list[str]) -> None:`
			`for account in accounts:`
			`password = reset_kanidm_account_password(account)`

			`# There's no way to input password using the standard library, so we have to use pexpect`
			`# https://stackoverflow.com/questions/2387731/use-subprocess-to-send-a-password`
			`cli_login = pexpect.spawn(f"kanidm login --url https://{kanidm_host} --name {account}")`
			`cli_login.sendline(password)`
			`cli_login.read()`

			`def setup_kanidm_group(name: str) -> None:`
			`subprocess.run(`
			`["kanidm", "group", "create", "--url", f"https://{kanidm_host}", "--name", "idm_admin", name],`
			`capture_output=True,`
			`)`

			`def setup_kanidm_oauth_app(name: str, redirect_uri: str) -> None:`
			`try:`
			`subprocess.run(`
			`["kanidm", "system", "oauth2", "create", "--url", f"https://{kanidm_host}", "--name", "admin", name, name, redirect_uri],`
			`capture_output=True,`
			`check=True,`
			`)`
			`except subprocess.CalledProcessError:`
			`return`

			`# TODO https://github.com/dexidp/dex/pull/3188`
			`subprocess.run(`
			`["kanidm", "system", "oauth2", "warning-insecure-client-disable-pkce", "--url", f"https://{kanidm_host}", "--name", "admin", name],`
			`capture_output=True,`
			`check=True,`
			`)`

			`subprocess.run(`
			`# TODO better group management`
			`["kanidm", "system", "oauth2", "create-scope-map", "--url", f"https://{kanidm_host}", "--name", "admin", name, "editor", "openid", "profile", "email", "groups"],`
			`capture_output=True,`
			`check=True,`
			`)`

			`client_secret = json.loads(subprocess.run(`
			`["kanidm", "system", "oauth2", "show-basic-secret", "--url", f"https://{kanidm_host}", "--name", "admin", "--output", "json", name],`
			`capture_output=True,`
			`check=True,`
			`).stdout.decode("utf-8"))['secret']`

fix(hacks): patch secret if existed (#131) 2024-01-21 16:47:40 +07:00			`apply_secret(`
feat: automate Kanidm configuration Just a hack for now. 2024-01-06 01:25:55 +07:00			`f"kanidm.{name}",`
			`"global-secrets",`
			`{`
			`'client_id': base64.b64encode(name.encode("utf-8")).decode("utf-8"),`
			`'client_secret': base64.b64encode(client_secret.encode("utf-8")).decode("utf-8"),`
			`}`
			`)`

feat: add script to setup Gitea tokens and OAuth apps 2022-07-18 03:48:15 +07:00			`def main() -> None:`
			`with Console().status("Completing the remaining sorcery"):`
			`gitea_access_tokens = [`
fix(gitea): define scopes when creating access tokens Required in newer versions. 2024-01-09 00:28:48 +07:00			`{`
			`'name': 'renovate',`
			`'scopes': [`
			`"write:repository",`
			`"read:user",`
			`"write:issue",`
			`"read:organization",`
			`"read:misc"`
			`]`
			`}`
feat: add script to setup Gitea tokens and OAuth apps 2022-07-18 03:48:15 +07:00			`]`

			`gitea_oauth_apps = [`
chore(gitea)!: ugrade Helm chart to v10 This is a breaking change, see https://gitea.com/gitea/helm-chart#upgrading before upgrading to avoid losing data. Personally I have my repos saved in many Git hosting providers so I just nuke it and reinstall. Fixes changed files detection in pull_request event in Woodpecker. 2024-01-08 10:56:44 +07:00			`{'name': 'woodpecker', 'redirect_uri': f"https://{client.NetworkingV1Api().read_namespaced_ingress('woodpecker-server', 'woodpecker').spec.rules[0].host}/authorize"},`
feat: add script to setup Gitea tokens and OAuth apps 2022-07-18 03:48:15 +07:00			`]`

feat: automate Kanidm configuration Just a hack for now. 2024-01-06 01:25:55 +07:00			`kanidm_groups = [`
			`# TODO better group management`
			`{'name': 'editor'},`
			`]`

			`kanidm_oauth_apps = [`
			`{'name': 'dex', 'redirect_uri': f"https://{client.NetworkingV1Api().read_namespaced_ingress('dex', 'dex').spec.rules[0].host}/callback"},`
			`]`

fix(gitea): define scopes when creating access tokens Required in newer versions. 2024-01-09 00:28:48 +07:00			`for token in gitea_access_tokens:`
			`setup_gitea_access_token(token['name'], token['scopes'])`
feat: add script to setup Gitea tokens and OAuth apps 2022-07-18 03:48:15 +07:00
			`for app in gitea_oauth_apps:`
			`setup_gitea_oauth_app(app['name'], app['redirect_uri'])`

feat(gitea): automatically setup Dex as authentication source It's very ugly but it works ¯\_(ツ)_/¯ 2024-01-17 01:08:06 +07:00			`setup_gitea_auth_with_dex()`

feat: automate Kanidm configuration Just a hack for now. 2024-01-06 01:25:55 +07:00			`kanidm_login(["admin", "idm_admin"])`

			`for group in kanidm_groups:`
			`setup_kanidm_group(group['name'])`

			`for app in kanidm_oauth_apps:`
			`setup_kanidm_oauth_app(app['name'], app['redirect_uri'])`

feat: add script to setup Gitea tokens and OAuth apps 2022-07-18 03:48:15 +07:00			`if __name__ == '__main__':`
			`main()`