From 8f47145b404269a6f0433d80a618ad5d587fca93 Mon Sep 17 00:00:00 2001
From: Erich Blume <blume.erich@gmail.com>
Date: Tue, 3 Mar 2026 07:53:28 -0800
Subject: [PATCH] Update Authentik Forgejo OAuth callback to forge.eblu.me
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Update redirect_uris and meta_launch_url to use the new public domain.
OAuth flow will dead-end naturally since Authentik is not publicly
accessible — SSO only works from the tailnet.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 argocd/manifests/authentik/configmap-blueprint.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/argocd/manifests/authentik/configmap-blueprint.yaml b/argocd/manifests/authentik/configmap-blueprint.yaml
index f5b4784..e867c3a 100644
--- a/argocd/manifests/authentik/configmap-blueprint.yaml
+++ b/argocd/manifests/authentik/configmap-blueprint.yaml
@@ -120,7 +120,7 @@ data:
           client_secret: !Env AUTHENTIK_FORGEJO_CLIENT_SECRET
           redirect_uris:
             - matching_mode: strict
-              url: https://forge.ops.eblu.me/user/oauth2/authentik/callback
+              url: https://forge.eblu.me/user/oauth2/authentik/callback
           signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
           property_mappings:
             - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
@@ -138,7 +138,7 @@ data:
           name: Forgejo
           slug: forgejo
           provider: !KeyOf forgejo-provider
-          meta_launch_url: https://forge.ops.eblu.me
+          meta_launch_url: https://forge.eblu.me
           policy_engine_mode: any
 
       # Policy binding — restrict Forgejo to admins group