Integrate Forgejo with Authentik OIDC

Refactor Authentik blueprints into common.yaml (shared admins group),
grafana.yaml (updated with !Find and groups scope), and forgejo.yaml
(new provider + application). Add forgejo-client-secret to ExternalSecret
and worker deployment. Configure Forgejo oauth2_client for auto-registration
with login-based account linking to safely preserve existing accounts.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

docs/reference/services/authentik.md

@@ -39,11 +39,13 @@ Uses the shared CNPG `blumeops-pg` cluster on [[indri]], accessed cross-cluster
 
 ## Blueprints
 
-Authentik configuration is managed via Blueprints (YAML) stored as a ConfigMap mounted into the worker at `/blueprints/custom/`. Current blueprints define:
+Authentik configuration is managed via Blueprints (YAML) stored as a ConfigMap mounted into the worker at `/blueprints/custom/`. Current blueprints:
 
-- `admins` group
-- Grafana OAuth2 provider (client ID: `grafana`)
-- Grafana application with group-based policy binding
+- **`common.yaml`** — shared identity resources (`admins` group)
+- **`grafana.yaml`** — Grafana OAuth2 provider, application, and policy binding
+- **`forgejo.yaml`** — Forgejo OAuth2 provider, application, and policy binding
+
+All providers include the `groups` scope mapping for group-based admin propagation.
 
 Blueprint file: `argocd/manifests/authentik/configmap-blueprint.yaml`
 
@@ -52,8 +54,9 @@ Blueprint file: `argocd/manifests/authentik/configmap-blueprint.yaml`
 | Client | Status |
 |--------|--------|
 | [[grafana]] | Active |
+| [[forgejo]] | Active |
 
-Future clients: [[forgejo]], [[argocd]], [[miniflux]], [[zot]]
+Future clients: [[argocd]], [[miniflux]], [[zot]]
 
 ## Secrets
 
@@ -64,6 +67,7 @@ Injected via [[external-secrets]] from the "Authentik (blumeops)" 1Password item
 | `secret-key` | Authentik secret key |
 | `db-password` | PostgreSQL password |
 | `grafana-client-secret` | OIDC client secret for Grafana |
+| `forgejo-client-secret` | OIDC client secret for Forgejo |
 | `api-token` | Authentik API token |
 
 ## Container Image

docs/reference/services/forgejo.md

@@ -1,6 +1,6 @@
 ---
 title: Forgejo
-modified: 2026-02-19
+modified: 2026-02-20
 tags:
   - service
   - git
@@ -79,7 +79,18 @@ This is a bootstrapping requirement - the PAT enables IaC for all other secrets.
 
 ## Identity Provider
 
-[[authentik]] is the BlumeOps OIDC identity provider and source of truth for user identity. Forgejo will eventually authenticate against Authentik as an OIDC client, with user provisioning managed in Authentik. This migration is deferred — the existing `eblume` account has extensive automations that need careful migration.
+[[authentik]] is the BlumeOps OIDC identity provider and source of truth for user identity. Forgejo authenticates against Authentik as an OIDC client.
+
+**Configuration:**
+- OAuth2 provider and application defined in Authentik blueprints (`argocd/manifests/authentik/configmap-blueprint.yaml`)
+- Auth source created via `forgejo admin auth add-oauth` (lives in Forgejo's SQLite database, not app.ini)
+- `[oauth2_client]` section in `app.ini.j2` controls auto-registration and account linking behavior
+
+**Account linking:** `ACCOUNT_LINKING = login` — when an Authentik user's email matches an existing local account, Forgejo prompts for the local password to confirm the link. This preserves existing accounts, API tokens, SSH keys, and repository ownership.
+
+**Group-based admin:** The `admins` group in Authentik maps to Forgejo admin status via `--admin-group admins` on the auth source. Manage admin access in Authentik, not Forgejo.
+
+**Break-glass:** Local password login always works. Authentik SSO is additive — if Authentik is down, log in with local credentials.
 
 ## Future: Public Access