From ac01c2d6e2062222f665555ba1d83a731f6591d1 Mon Sep 17 00:00:00 2001
From: Erich Blume
Date: Sun, 15 Mar 2026 19:25:27 -0700
Subject: [PATCH] Fix stale docs and shell quoting in devpi start script
- ArgoCD ref: correct Git Source URL to forge.ops.eblu.me:2222
- Authentik ref: add Zot as active OIDC client, blueprint, and secret
- Federated login: remove Zot from Future Work (completed in PR #236)
- devpi/start.sh: use bash array for command building (proper quoting)
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 containers/devpi/start.sh | 6 +++---
 docs/explanation/federated-login.md | 2 +-
 docs/reference/services/argocd.md | 2 +-
 docs/reference/services/authentik.md | 5 ++++-
 4 files changed, 9 insertions(+), 6 deletions(-)
diff --git a/containers/devpi/start.sh b/containers/devpi/start.sh
index e34e60c..8ed46a2 100644
--- a/containers/devpi/start.sh
+++ b/containers/devpi/start.sh
@@ -21,11 +21,11 @@ if [ ! -f "$SERVERDIR/.serverversion" ]; then
 fi
 # Build command
-CMD="devpi-server --serverdir $SERVERDIR --host $HOST --port $PORT"
+CMD=(devpi-server --serverdir "$SERVERDIR" --host "$HOST" --port "$PORT")
 if [ -n "$OUTSIDE_URL" ]; then
- CMD="$CMD --outside-url $OUTSIDE_URL"
+ CMD+=(--outside-url "$OUTSIDE_URL")
 fi
 echo "Starting devpi-server..."
-exec $CMD
+exec "${CMD[@]}"
diff --git a/docs/explanation/federated-login.md b/docs/explanation/federated-login.md
index c6142e2..8accad0 100644
--- a/docs/explanation/federated-login.md
+++ b/docs/explanation/federated-login.md
@@ -76,7 +76,7 @@ Authentik enforces TOTP MFA on its default authentication flow (`not_configured_
 ## Future Work
-- **Additional services:** ArgoCD, Miniflux, Immich, Zot (see [[harden-zot-registry]])
+- **Additional services:** ArgoCD, Miniflux, Immich
 ## Related
diff --git a/docs/reference/services/argocd.md b/docs/reference/services/argocd.md
index 8972714..e890cc5 100644
--- a/docs/reference/services/argocd.md
+++ b/docs/reference/services/argocd.md
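Review bot: The array syntax added in containers/devpi/start.sh (`CMD=(...)`, `CMD+=(...)`, `exec "${CMD[@]}"`) is bash-only, and the script's shebang line is outside this hunk, so it cannot be confirmed from here that the script runs under bash. If the interpreter is `/bin/sh` resolving to dash or busybox ash, as is common in slim container images, the script fails with a syntax error and the container never reaches `exec`. Either confirm the shebang names bash and that bash is installed in the image, or keep the same quoting fix in POSIX form with `set -- devpi-server --serverdir "$SERVERDIR" --host "$HOST" --port "$PORT"`, `set -- "$@" --outside-url "$OUTSIDE_URL"` and `exec "$@"`. The quoting change itself is sound: each environment-supplied value now reaches devpi-server as exactly one argument instead of being word-split and glob-expanded.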
@@ -17,7 +17,7 @@ GitOps continuous delivery platform for the [[cluster|Kubernetes cluster]].
 | **URL** | https://argocd.ops.eblu.me |
 | **Tailscale URL** | https://argocd.tail8d86e.ts.net |
 | **Namespace** | `argocd` |
-| **Git Source** | `ssh://forgejo@indri.tail8d86e.ts.net:2200/eblume/blumeops.git` |
+| **Git Source** | `ssh://forgejo@forge.ops.eblu.me:2222/eblume/blumeops.git` |
 | **Manifests Path** | `argocd/` |
 ## Sync Policy
diff --git a/docs/reference/services/authentik.md b/docs/reference/services/authentik.md
index 67e223b..89a17cc 100644
--- a/docs/reference/services/authentik.md
+++ b/docs/reference/services/authentik.md
@@ -44,6 +44,7 @@ Authentik configuration is managed via Blueprints (YAML) stored as a ConfigMap m
 - **`mfa.yaml`** — MFA enforcement on the default authentication flow (`not_configured_action: configure`)
 - **`grafana.yaml`** — Grafana OAuth2 provider, application, and policy binding
 - **`forgejo.yaml`** — Forgejo OAuth2 provider, application, and policy binding
+- **`zot.yaml`** — Zot registry OAuth2 provider, application, and policy binding
 Group membership is included in the `profile` scope claim (Authentik built-in). Services use `--group-claim-name groups` to read it.
@@ -55,8 +56,9 @@ Blueprint file: `argocd/manifests/authentik/configmap-blueprint.yaml`
 |--------|--------|
 | [[grafana]] | Active |
 | [[forgejo]] | Active |
+| [[zot]] | Active |
-Future clients: [[argocd]], [[miniflux]], [[zot]]
+Future clients: [[argocd]], [[miniflux]]
 ## Secrets
@@ -68,6 +70,7 @@ Injected via [[external-secrets]] from the "Authentik (blumeops)" 1Password item
 | `db-password` | PostgreSQL password |
 | `grafana-client-secret` | OIDC client secret for Grafana |
 | `forgejo-client-secret` | OIDC client secret for Forgejo |
+| `zot-client-secret` | OIDC client secret for Zot |
 | `api-token` | Authentik API token |
 ## Container Image