Integrate Forgejo with Authentik OIDC (#228)
## Summary
- Refactor Authentik blueprints: extract shared `admins` group into `common.yaml`, add `groups` scope mapping to all providers for group-based admin propagation
- Add Forgejo OAuth2 provider and application blueprint (`forgejo.yaml`)
- Add `forgejo-client-secret` to ExternalSecret and worker deployment env
- Configure Forgejo `[oauth2_client]` with `ACCOUNT_LINKING=login` to safely link existing accounts
- Update documentation (forgejo.md, authentik.md, federated-login.md)
## Deployment and Testing
After merge, deployment requires these steps in order:
1. **Authentik (ArgoCD):**
   - `argocd app set authentik --revision feature/forgejo-authentik-oidc && argocd app sync authentik`
   - Verify: Forgejo app/provider visible in Authentik admin UI
   - Verify: Grafana SSO still works (blueprint refactor)
2. **Forgejo app.ini (Ansible):**
   - `mise run provision-indri -- --tags forgejo --check --diff` (dry run)
   - `mise run provision-indri -- --tags forgejo` (apply, restarts Forgejo)
3. **Create Forgejo auth source (CLI on indri):**
   ```sh
   ssh indri 'sudo -u forgejo /opt/homebrew/bin/forgejo admin auth add-oauth \
   --name authentik \
   --provider openidConnect \
   --key forgejo \
   --secret "$(op read "op://vg6xf6vvfmoh5hqjjhlhbeoaie/Authentik (blumeops)/forgejo-client-secret")" \
   --auto-discover-url https://authentik.ops.eblu.me/application/o/forgejo/.well-known/openid-configuration \
   --scopes "openid email profile groups" \
   --group-claim-name groups \
   --admin-group admins'
   ```
4. **Link eblume account:** Sign in with Authentik on Forgejo, confirm link with local password
5. **Verify:** `tea repo list`, Forgejo Actions, local password break-glass
After merge: `argocd app set authentik --revision main && argocd app sync authentik`
Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/228
parent e0c6b7df99
commit cd50c1454a
8 changed files with 143 additions and 14 deletions
@ -62,9 +62,20 @@ Authentik runs on [[ringtail]]'s k3s cluster while most services run on indri's
No k8s-internal DNS crosses cluster boundaries. Everything uses the `*.ops.eblu.me` domain.
## Forgejo
[[forgejo]] authenticates against Authentik using the same OIDC flow as Grafana. The auth source is created via CLI (`forgejo admin auth add-oauth`) rather than config file — it lives in Forgejo's SQLite database.
Account linking is configured with `ACCOUNT_LINKING = login`: when an Authentik user's email matches an existing local account, Forgejo prompts for the local password to confirm the link. This safely preserves the existing `eblume` account with all its API tokens, SSH keys, and repository ownership.
The `admins` group in Authentik maps to Forgejo admin status, enabling centralized admin management.
### MFA
Authentik enforces TOTP MFA on its default authentication flow (`not_configured_action: configure`). Forgejo's auth source has `SkipLocalTwoFA: true`, so SSO logins bypass Forgejo's local 2FA — Authentik has already verified the second factor. Local password logins (break-glass) still require Forgejo's own TOTP.
## Future Work
- **Forgejo OIDC:** Make Forgejo an OIDC client of Authentik (deferred — existing `eblume` account needs careful migration)
- **Additional services:** ArgoCD, Miniflux, Immich, Zot (see [[harden-zot-registry]])
## Related
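Review bot: the MFA paragraph in this hunk states that the Forgejo auth source has `SkipLocalTwoFA: true`, but the `forgejo admin auth add-oauth` invocation in the commit message passes no option that sets it, so someone following the documented deployment steps ends up with an auth source that does not match this page. Either add the corresponding option to the documented command or state here that the setting is toggled afterwards in Forgejo's admin UI. Because SSO logins then bypass Forgejo's own TOTP entirely, it would also help to say explicitly that the second factor is only as strong as the Authentik flow enforcing `not_configured_action: configure`, and that membership of the Authentik `admins` group now grants Forgejo admin status directly, so that group's membership deserves the same review as Forgejo's local admin list.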