Add IaC for Forgejo Actions secrets via Ansible (#107)

## Summary - New `forgejo_actions_secrets` Ansible role syncs repository-level Actions secrets from 1Password to Forgejo via the Forgejo API - Replaces manual process of copying secrets from 1Password to Forgejo UI - Documents the one-time PAT setup requirement in forgejo.md ## Manual Setup Required Before this role can run, a Forgejo PAT must be created: 1. Go to https://forge.ops.eblu.me/user/settings/applications 2. Create a new token with `write:repository` scope 3. Store it in 1Password → "Forgejo Secrets" item → `api-token` field This has already been done. ## Test Plan - [x] Ran `mise run provision-indri -- --tags forgejo_actions_secrets` successfully - [x] Verified secret synced (API returned 204 = updated existing) - [x] Ansible-lint passes 🤖 Generated with [Claude Code](https://claude.ai/code) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/107
2026-02-04 09:11:01 -08:00 · 2026-02-04 09:11:01 -08:00 · 74bd5abe54
commit 74bd5abe54
parent e15caec898
5 changed files with 97 additions and 6 deletions
--- a/ansible/playbooks/indri.yml
+++ b/ansible/playbooks/indri.yml
@ -61,6 +61,34 @@
      no_log: true
      tags: [forgejo]

+    # Forgejo Actions secrets (synced to Forgejo via API)
+    - name: Fetch Forgejo API token
+      ansible.builtin.command:
+        cmd: op --vault vg6xf6vvfmoh5hqjjhlhbeoaie item get w3663ffnvkewbftncqxtcpeavy --fields api-token --reveal
+      delegate_to: localhost
+      register: _forgejo_api_token
+      changed_when: false
+      no_log: true
+      check_mode: false
+      tags: [forgejo_actions_secrets]
+
+    - name: Fetch ArgoCD auth token for Forgejo Actions
+      ansible.builtin.command:
+        cmd: op --vault vg6xf6vvfmoh5hqjjhlhbeoaie item get w3663ffnvkewbftncqxtcpeavy --fields argocd_token --reveal
+      delegate_to: localhost
+      register: _forgejo_argocd_token
+      changed_when: false
+      no_log: true
+      check_mode: false
+      tags: [forgejo_actions_secrets]
+
+    - name: Set Forgejo Actions secrets facts
+      ansible.builtin.set_fact:
+        forgejo_api_token: "{{ _forgejo_api_token.stdout }}"
+        forgejo_secret_argocd_token: "{{ _forgejo_argocd_token.stdout }}"
+      no_log: true
+      tags: [forgejo_actions_secrets]
+
    # Caddy Gandi token for ACME DNS-01 challenges
    - name: Fetch Gandi PAT for Caddy
      ansible.builtin.command:
@ -104,6 +132,8 @@
      tags: borgmatic_metrics
    - role: forgejo
      tags: forgejo
+    - role: forgejo_actions_secrets
+      tags: forgejo_actions_secrets
    - role: zot
      tags: zot
    - role: zot_metrics