Expose Forgejo publicly at forge.eblu.me (#278)

## Summary

Expose Forgejo publicly at `forge.eblu.me` via the Fly.io reverse proxy — the first dynamic, authenticated public-facing service.

- **Forgejo hardening:** Domain changed to forge.eblu.me, SSH stays on forge.ops.eblu.me, reverse proxy trust headers configured, local registration locked to external-only (Authentik SSO)
- **Tailscale Ingress:** ExternalName Service + Ingress in tailscale-operator creates forge.tail8d86e.ts.net endpoint
- **Fly.io proxy:** nginx server block with rate-limited auth endpoints (3r/s), fail2ban with custom nginx-deny action, security headers, /swagger blocked, WebSocket support, 512m body limit
- **Authentik:** OAuth callback updated to forge.eblu.me
- **DNS/TLS:** CNAME record in Pulumi, cert in fly-setup
- **Rename:** ~29 files updated from forge.ops.eblu.me to forge.eblu.me (HTTPS refs only; SSH, container builds, and Caddy table kept as-is)

## Deployment Order

1. `mise run provision-indri -- --tags forgejo` (config changes)
2. Verify forge.ops.eblu.me still works
3. `argocd app set tailscale-operator --revision feature/forge-public && argocd app sync tailscale-operator`
4. Verify `curl https://forge.tail8d86e.ts.net`
5. `cd fly && fly deploy`
6. Verify pre-DNS: `curl -H "Host: forge.eblu.me" https://blumeops-proxy.fly.dev/`
7. `fly certs add forge.eblu.me -a blumeops-proxy`
8. `argocd app set authentik --revision feature/forge-public && argocd app sync authentik`
9. `mise run dns-preview && mise run dns-up`
10. Full verification (see below)
11. Rehearse `mise run fly-shutoff`
12. After merge: reset ArgoCD revisions to main, re-sync

## Verification Checklist

- [ ] forge.eblu.me loads, shows public repos
- [ ] forge.ops.eblu.me still works from tailnet
- [ ] SSH clone via forge.ops.eblu.me:2222 works
- [ ] HTTPS clone via forge.eblu.me works
- [ ] UI shows forge.eblu.me for HTTPS clone, forge.ops.eblu.me for SSH
- [ ] /swagger returns 403
- [ ] Rapid login attempts trigger 429 rate limit
- [ ] fail2ban bans after 5 failed logins in 10 minutes
- [ ] ArgoCD can still sync (SSH unaffected)
- [ ] `mise run fly-shutoff` stops all public traffic
- [ ] `mise run services-check` passes

Reviewed-on: #278

fly/fail2ban/action.d/nginx-deny.conf

@@ -0,0 +1,14 @@
+# Custom fail2ban action that bans IPs via an nginx deny list.
+# Standard iptables banning won't work in Fly.io because $remote_addr
+# is Fly's internal proxy IP. Instead, we write banned IPs to a file
+# that nginx checks via a geo directive keyed on $http_fly_client_ip.
+
+[Definition]
+
+actionban = echo "<ip> 1;" >> /etc/nginx/forge-deny.conf && nginx -s reload
+
+actionunban = sed -i '/<ip> 1;/d' /etc/nginx/forge-deny.conf && nginx -s reload
+
+actionstart =
+actionstop =
+actioncheck =

fly/fail2ban/filter.d/forge-login.conf

@@ -0,0 +1,10 @@
+# Filter for Forgejo login failures via nginx JSON access log.
+# Matches 401/403 responses to authentication endpoints, keyed on
+# the client_ip field (populated from Fly-Client-IP header).
+
+[Definition]
+
+# Match JSON log lines with 401 or 403 status on login-related paths
+failregex = "client_ip":"<HOST>".*"request_uri":"\/user\/(login|sign_up|forgot_password)[^"]*".*"status":(401|403)
+
+ignoreregex =

fly/fail2ban/jail.d/forge.conf

@@ -0,0 +1,8 @@
+[forge-login]
+enabled  = true
+filter   = forge-login
+logpath  = /var/log/nginx/access.json.log
+maxretry = 5
+findtime = 600
+bantime  = 3600
+banaction = nginx-deny