blumeops/docs/reference/services/forgejo.md

---
title: Forgejo
tags:
  - service
  - git
  - ci-cd
---

# Forgejo

Git forge and CI/CD platform. **Primary source of truth for blumeops** (mirrored to GitHub).

## Quick Reference

| Property | Value |
|----------|-------|
| **URL** | https://forge.ops.eblu.me |
| **SSH** | `ssh://forgejo@forge.ops.eblu.me:2222` |
| **Local Ports** | 3001 (HTTP), 2200 (SSH) |
| **Config** | `ansible/roles/forgejo/templates/app.ini.j2` |

## Repositories

| Repo | Description |
|------|-------------|
| `eblume/blumeops` | Infrastructure as code (primary) |
| `eblume/alloy` | Grafana Alloy fork (CGO build) |
| `eblume/tesla_auth` | Tesla OAuth helper |
| Helm chart mirrors | cloudnative-pg-charts, grafana-helm-charts |

## CI/CD (Forgejo Actions)

**Runner:** Kubernetes pod with Docker-in-Docker sidecar
- Namespace: `forgejo-runner`
- Labels: `k8s`
- ArgoCD app: `forgejo-runner`

**Workflows:** `.forgejo/workflows/`
- `build-container.yaml` - Container image builds on tag
- `build-blumeops.yaml` - Documentation builds and releases

## Secrets (Forgejo Config)

Server configuration secrets managed via 1Password → Ansible:
- `lfs-jwt-secret`, `internal-token`, `oauth2-jwt-secret` - Forgejo server tokens
- `runner_reg` - Runner registration token (also in k8s via [[external-secrets]])

## Forgejo Actions Secrets

Repository-level secrets for CI/CD workflows, synced from 1Password via Ansible.

| Secret | 1Password Field | Used By | Purpose |
|--------|-----------------|---------|---------|
| `ARGOCD_AUTH_TOKEN` | `argocd_token` | `build-blumeops.yaml` | Sync docs app after release |

These secrets are injected as `${{ secrets.SECRET_NAME }}` in workflow files.

**IaC:** The `forgejo_actions_secrets` Ansible role syncs these secrets from 1Password to Forgejo via the Forgejo API. Run with:

```bash
mise run provision-indri -- --tags forgejo_actions_secrets
```

### API Token Setup (Manual, One-Time)

The Ansible role authenticates to the Forgejo API using a Personal Access Token (PAT). This PAT must be created manually:

1. Go to https://forge.ops.eblu.me/user/settings/applications
2. Create a new token with `write:repository` scope
3. Store it in 1Password → "Forgejo Secrets" item → `api-token` field

This is a bootstrapping requirement - the PAT enables IaC for all other secrets.

## Related

- [[argocd]] - Uses Forgejo as git source
- [[zot]] - Container registry for built images
Phase 2: Add Reference section with 24 technical reference cards (#88) ## Summary - Create `docs/reference/` section with 24 technical reference cards - Services (16): alloy, argocd, borgmatic, 1password, forgejo, grafana, jellyfin, kiwix, loki, miniflux, navidrome, postgresql, prometheus, teslamate, transmission, zot - Infrastructure (3): hosts, tailscale, routing - Kubernetes (2): cluster, apps - Storage (2): sifaka, backups - Update README to mark Phase 2 as complete - Add towncrier changelog fragment ## Deployment and Testing - [ ] Build docs locally to verify wiki-links resolve - [ ] Deploy via ArgoCD and verify at docs.ops.eblu.me/reference/ 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/88 2026-02-03 14:27:37 -08:00			`---`
Update all docs titles to human-readable (#117) ## Summary - Updated frontmatter `title:` in all 63 doc cards from slug-case to human-readable (e.g. `borgmatic` → `Borgmatic`, `ai-assistance-guide` → `AI Assistance Guide`) - Titles now closely match file stems so `[[wiki-links]]` render naturally without alternate anchor text - Corrected titles that diverged from stems (e.g. `host-inventory` → `Hosts`, `grafana-alloy` → `Alloy`, `argocd-applications` → `Apps`) - Deleted `title-test-alpha.md` and `title-test-beta.md` test cards and removed their reference index entry ## Deployment and Testing - [x] `docs-check-links` passes — all wiki-links valid - [x] `docs-check-index` passes - [x] `docs-check-filenames` passes - [ ] Verify titles render correctly on docs site after deploy Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/117 2026-02-07 21:44:57 -08:00			`title: Forgejo`
Phase 2: Add Reference section with 24 technical reference cards (#88) ## Summary - Create `docs/reference/` section with 24 technical reference cards - Services (16): alloy, argocd, borgmatic, 1password, forgejo, grafana, jellyfin, kiwix, loki, miniflux, navidrome, postgresql, prometheus, teslamate, transmission, zot - Infrastructure (3): hosts, tailscale, routing - Kubernetes (2): cluster, apps - Storage (2): sifaka, backups - Update README to mark Phase 2 as complete - Add towncrier changelog fragment ## Deployment and Testing - [ ] Build docs locally to verify wiki-links resolve - [ ] Deploy via ArgoCD and verify at docs.ops.eblu.me/reference/ 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/88 2026-02-03 14:27:37 -08:00			`tags:`
			`- service`
			`- git`
Fix doc tag inconsistencies and add missing ai changelog type (#114) ## Summary - Add missing `ai` changelog fragment type to the update-documentation how-to guide (comment and table) - Consolidate `cicd` → `ci-cd` tag on forgejo.md - Consolidate `network` → `networking` tag on routing.md and tailscale.md Found during random doc review via `docs-review-tags`. Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/114 2026-02-06 18:52:36 -08:00			`- ci-cd`
Phase 2: Add Reference section with 24 technical reference cards (#88) ## Summary - Create `docs/reference/` section with 24 technical reference cards - Services (16): alloy, argocd, borgmatic, 1password, forgejo, grafana, jellyfin, kiwix, loki, miniflux, navidrome, postgresql, prometheus, teslamate, transmission, zot - Infrastructure (3): hosts, tailscale, routing - Kubernetes (2): cluster, apps - Storage (2): sifaka, backups - Update README to mark Phase 2 as complete - Add towncrier changelog fragment ## Deployment and Testing - [ ] Build docs locally to verify wiki-links resolve - [ ] Deploy via ArgoCD and verify at docs.ops.eblu.me/reference/ 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/88 2026-02-03 14:27:37 -08:00			`---`

			`# Forgejo`

			`Git forge and CI/CD platform. Primary source of truth for blumeops (mirrored to GitHub).`

			`## Quick Reference`

			`\| Property \| Value \|`
			`\|----------\|-------\|`
			`\| URL \| https://forge.ops.eblu.me \|`
			\| SSH \| `ssh://forgejo@forge.ops.eblu.me:2222` \|
			`\| Local Ports \| 3001 (HTTP), 2200 (SSH) \|`
			\| Config \| `ansible/roles/forgejo/templates/app.ini.j2` \|

			`## Repositories`

			`\| Repo \| Description \|`
			`\|------\|-------------\|`
			\| `eblume/blumeops` \| Infrastructure as code (primary) \|
			\| `eblume/alloy` \| Grafana Alloy fork (CGO build) \|
			\| `eblume/tesla_auth` \| Tesla OAuth helper \|
			`\| Helm chart mirrors \| cloudnative-pg-charts, grafana-helm-charts \|`

			`## CI/CD (Forgejo Actions)`

			`Runner: Kubernetes pod with Docker-in-Docker sidecar`
			- Namespace: `forgejo-runner`
			- Labels: `k8s`
			- ArgoCD app: `forgejo-runner`

			Workflows: `.forgejo/workflows/`
			- `build-container.yaml` - Container image builds on tag
Document Forgejo Actions secrets (#102) ## Summary - Add "Forgejo Actions Secrets" section to forgejo reference card - Document that `ARGOCD_AUTH_TOKEN` is used by `build-blumeops.yaml` workflow - Note that secrets are stored in 1Password but manually copied to Forgejo (no auto-sync) - Add missing `build-blumeops.yaml` to workflows list - Clarify distinction between server config secrets (1Password → Ansible) vs CI/CD secrets (Forgejo UI) ## Context The forgejo-runner ArgoCD app was showing OutOfSync because a previous attempt stored `argocd_token` in the ExternalSecret. This was incorrect - the token is actually a Forgejo Actions secret, not a k8s secret. Synced the app to remove the drift and added documentation to prevent future confusion. 🤖 Generated with [Claude Code](https://claude.ai/code) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/102 2026-02-04 07:32:32 -08:00			- `build-blumeops.yaml` - Documentation builds and releases
Phase 2: Add Reference section with 24 technical reference cards (#88) ## Summary - Create `docs/reference/` section with 24 technical reference cards - Services (16): alloy, argocd, borgmatic, 1password, forgejo, grafana, jellyfin, kiwix, loki, miniflux, navidrome, postgresql, prometheus, teslamate, transmission, zot - Infrastructure (3): hosts, tailscale, routing - Kubernetes (2): cluster, apps - Storage (2): sifaka, backups - Update README to mark Phase 2 as complete - Add towncrier changelog fragment ## Deployment and Testing - [ ] Build docs locally to verify wiki-links resolve - [ ] Deploy via ArgoCD and verify at docs.ops.eblu.me/reference/ 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/88 2026-02-03 14:27:37 -08:00
Document Forgejo Actions secrets (#102) ## Summary - Add "Forgejo Actions Secrets" section to forgejo reference card - Document that `ARGOCD_AUTH_TOKEN` is used by `build-blumeops.yaml` workflow - Note that secrets are stored in 1Password but manually copied to Forgejo (no auto-sync) - Add missing `build-blumeops.yaml` to workflows list - Clarify distinction between server config secrets (1Password → Ansible) vs CI/CD secrets (Forgejo UI) ## Context The forgejo-runner ArgoCD app was showing OutOfSync because a previous attempt stored `argocd_token` in the ExternalSecret. This was incorrect - the token is actually a Forgejo Actions secret, not a k8s secret. Synced the app to remove the drift and added documentation to prevent future confusion. 🤖 Generated with [Claude Code](https://claude.ai/code) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/102 2026-02-04 07:32:32 -08:00			`## Secrets (Forgejo Config)`
Phase 2: Add Reference section with 24 technical reference cards (#88) ## Summary - Create `docs/reference/` section with 24 technical reference cards - Services (16): alloy, argocd, borgmatic, 1password, forgejo, grafana, jellyfin, kiwix, loki, miniflux, navidrome, postgresql, prometheus, teslamate, transmission, zot - Infrastructure (3): hosts, tailscale, routing - Kubernetes (2): cluster, apps - Storage (2): sifaka, backups - Update README to mark Phase 2 as complete - Add towncrier changelog fragment ## Deployment and Testing - [ ] Build docs locally to verify wiki-links resolve - [ ] Deploy via ArgoCD and verify at docs.ops.eblu.me/reference/ 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/88 2026-02-03 14:27:37 -08:00
Document Forgejo Actions secrets (#102) ## Summary - Add "Forgejo Actions Secrets" section to forgejo reference card - Document that `ARGOCD_AUTH_TOKEN` is used by `build-blumeops.yaml` workflow - Note that secrets are stored in 1Password but manually copied to Forgejo (no auto-sync) - Add missing `build-blumeops.yaml` to workflows list - Clarify distinction between server config secrets (1Password → Ansible) vs CI/CD secrets (Forgejo UI) ## Context The forgejo-runner ArgoCD app was showing OutOfSync because a previous attempt stored `argocd_token` in the ExternalSecret. This was incorrect - the token is actually a Forgejo Actions secret, not a k8s secret. Synced the app to remove the drift and added documentation to prevent future confusion. 🤖 Generated with [Claude Code](https://claude.ai/code) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/102 2026-02-04 07:32:32 -08:00			`Server configuration secrets managed via 1Password → Ansible:`
			- `lfs-jwt-secret`, `internal-token`, `oauth2-jwt-secret` - Forgejo server tokens
			- `runner_reg` - Runner registration token (also in k8s via [[external-secrets]])

			`## Forgejo Actions Secrets`

Add IaC for Forgejo Actions secrets via Ansible (#107) ## Summary - New `forgejo_actions_secrets` Ansible role syncs repository-level Actions secrets from 1Password to Forgejo via the Forgejo API - Replaces manual process of copying secrets from 1Password to Forgejo UI - Documents the one-time PAT setup requirement in forgejo.md ## Manual Setup Required Before this role can run, a Forgejo PAT must be created: 1. Go to https://forge.ops.eblu.me/user/settings/applications 2. Create a new token with `write:repository` scope 3. Store it in 1Password → "Forgejo Secrets" item → `api-token` field This has already been done. ## Test Plan - [x] Ran `mise run provision-indri -- --tags forgejo_actions_secrets` successfully - [x] Verified secret synced (API returned 204 = updated existing) - [x] Ansible-lint passes 🤖 Generated with [Claude Code](https://claude.ai/code) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/107 2026-02-04 09:11:01 -08:00			`Repository-level secrets for CI/CD workflows, synced from 1Password via Ansible.`
Document Forgejo Actions secrets (#102) ## Summary - Add "Forgejo Actions Secrets" section to forgejo reference card - Document that `ARGOCD_AUTH_TOKEN` is used by `build-blumeops.yaml` workflow - Note that secrets are stored in 1Password but manually copied to Forgejo (no auto-sync) - Add missing `build-blumeops.yaml` to workflows list - Clarify distinction between server config secrets (1Password → Ansible) vs CI/CD secrets (Forgejo UI) ## Context The forgejo-runner ArgoCD app was showing OutOfSync because a previous attempt stored `argocd_token` in the ExternalSecret. This was incorrect - the token is actually a Forgejo Actions secret, not a k8s secret. Synced the app to remove the drift and added documentation to prevent future confusion. 🤖 Generated with [Claude Code](https://claude.ai/code) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/102 2026-02-04 07:32:32 -08:00
Add IaC for Forgejo Actions secrets via Ansible (#107) ## Summary - New `forgejo_actions_secrets` Ansible role syncs repository-level Actions secrets from 1Password to Forgejo via the Forgejo API - Replaces manual process of copying secrets from 1Password to Forgejo UI - Documents the one-time PAT setup requirement in forgejo.md ## Manual Setup Required Before this role can run, a Forgejo PAT must be created: 1. Go to https://forge.ops.eblu.me/user/settings/applications 2. Create a new token with `write:repository` scope 3. Store it in 1Password → "Forgejo Secrets" item → `api-token` field This has already been done. ## Test Plan - [x] Ran `mise run provision-indri -- --tags forgejo_actions_secrets` successfully - [x] Verified secret synced (API returned 204 = updated existing) - [x] Ansible-lint passes 🤖 Generated with [Claude Code](https://claude.ai/code) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/107 2026-02-04 09:11:01 -08:00			`\| Secret \| 1Password Field \| Used By \| Purpose \|`
			`\|--------\|-----------------\|---------\|---------\|`
			\| `ARGOCD_AUTH_TOKEN` \| `argocd_token` \| `build-blumeops.yaml` \| Sync docs app after release \|
Document Forgejo Actions secrets (#102) ## Summary - Add "Forgejo Actions Secrets" section to forgejo reference card - Document that `ARGOCD_AUTH_TOKEN` is used by `build-blumeops.yaml` workflow - Note that secrets are stored in 1Password but manually copied to Forgejo (no auto-sync) - Add missing `build-blumeops.yaml` to workflows list - Clarify distinction between server config secrets (1Password → Ansible) vs CI/CD secrets (Forgejo UI) ## Context The forgejo-runner ArgoCD app was showing OutOfSync because a previous attempt stored `argocd_token` in the ExternalSecret. This was incorrect - the token is actually a Forgejo Actions secret, not a k8s secret. Synced the app to remove the drift and added documentation to prevent future confusion. 🤖 Generated with [Claude Code](https://claude.ai/code) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/102 2026-02-04 07:32:32 -08:00
			These secrets are injected as `${{ secrets.SECRET_NAME }}` in workflow files.

Add IaC for Forgejo Actions secrets via Ansible (#107) ## Summary - New `forgejo_actions_secrets` Ansible role syncs repository-level Actions secrets from 1Password to Forgejo via the Forgejo API - Replaces manual process of copying secrets from 1Password to Forgejo UI - Documents the one-time PAT setup requirement in forgejo.md ## Manual Setup Required Before this role can run, a Forgejo PAT must be created: 1. Go to https://forge.ops.eblu.me/user/settings/applications 2. Create a new token with `write:repository` scope 3. Store it in 1Password → "Forgejo Secrets" item → `api-token` field This has already been done. ## Test Plan - [x] Ran `mise run provision-indri -- --tags forgejo_actions_secrets` successfully - [x] Verified secret synced (API returned 204 = updated existing) - [x] Ansible-lint passes 🤖 Generated with [Claude Code](https://claude.ai/code) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/107 2026-02-04 09:11:01 -08:00			IaC: The `forgejo_actions_secrets` Ansible role syncs these secrets from 1Password to Forgejo via the Forgejo API. Run with:

			```bash
			`mise run provision-indri -- --tags forgejo_actions_secrets`
			```

			`### API Token Setup (Manual, One-Time)`

			`The Ansible role authenticates to the Forgejo API using a Personal Access Token (PAT). This PAT must be created manually:`

			`1. Go to https://forge.ops.eblu.me/user/settings/applications`
			2. Create a new token with `write:repository` scope
			3. Store it in 1Password → "Forgejo Secrets" item → `api-token` field

			`This is a bootstrapping requirement - the PAT enables IaC for all other secrets.`
Phase 2: Add Reference section with 24 technical reference cards (#88) ## Summary - Create `docs/reference/` section with 24 technical reference cards - Services (16): alloy, argocd, borgmatic, 1password, forgejo, grafana, jellyfin, kiwix, loki, miniflux, navidrome, postgresql, prometheus, teslamate, transmission, zot - Infrastructure (3): hosts, tailscale, routing - Kubernetes (2): cluster, apps - Storage (2): sifaka, backups - Update README to mark Phase 2 as complete - Add towncrier changelog fragment ## Deployment and Testing - [ ] Build docs locally to verify wiki-links resolve - [ ] Deploy via ArgoCD and verify at docs.ops.eblu.me/reference/ 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/88 2026-02-03 14:27:37 -08:00
			`## Related`

Convert wiki-link titles to lowercase slugs (#92) ## Summary - Convert all frontmatter titles to lowercase-hyphenated format (e.g., `grafana-alloy` instead of `Grafana Alloy`) - Update all wiki-links to use the new slug format - Update `doc-titles` task to validate slug format (lowercase, hyphens only) Quartz appears to require titles without spaces for wiki-link resolution. ## Deployment and Testing - [x] Pre-commit hooks pass (`doc-titles` and `doc-links`) - [ ] Build docs v1.0.8 and deploy - [ ] Verify wiki-links resolve correctly (e.g., `[[grafana-alloy]]`) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/92 2026-02-03 16:06:35 -08:00			`- [[argocd]] - Uses Forgejo as git source`
			`- [[zot]] - Container registry for built images`