Enable zot registry auth + wire CI credentials (#237)

## Summary

- Enable OIDC + API key authentication on zot registry with three-tier accessControl
  - `anonymousPolicy: ["read"]` — anyone can pull
  - `artifact-workloads` group: `["read", "create"]` — CI push, no overwrite/delete
  - `admins` group: `["read", "create", "update", "delete"]` — break-glass
- Wire both CI push paths (Dagger and Nix/skopeo) with `ZOT_CI_API_KEY` credentials
- Add `artifact-workloads` PolicyBinding in Authentik blueprint for zot app access
- Add `ZOT_CI_API_KEY` to Forgejo Actions secrets via existing ansible role

Completes the `wire-ci-registry-auth` and `harden-zot-registry` Mikado cards.

## Manual Deployment Steps (after merge)

1. Deploy Authentik blueprint: `argocd app sync authentik`
2. In Authentik admin UI: set a password for the `zot-ci` service account
3. Deploy zot config: `mise run provision-indri -- --tags zot`
4. Log in to `https://registry.ops.eblu.me` as `zot-ci` via OIDC → generate API key
5. Store API key in 1Password as `zot-ci-apikey` in blumeops vault
6. Sync Forgejo secrets: `mise run provision-indri -- --tags forgejo_actions_secrets`
7. Trigger a test container build to verify CI push
8. Verify anonymous pull: `curl -sf https://registry.ops.eblu.me/v2/_catalog`

## Uncertainties

- **Zot `accessControl` group matching with OIDC:** Groups from Authentik's `profile` scope claim should map to zot policy groups, but the exact claim-to-group matching needs runtime verification
- **`http.auth.apikey: true`:** This config key is documented but needs verification against the specific zot version built from source on indri
- **API key permissions:** Need to confirm zot API keys inherit the generating user's group for accessControl evaluation

## Test Plan

- [ ] `mise run provision-indri -- --check --diff --tags zot` shows expected config changes
- [ ] Anonymous pull works after deploy
- [ ] Unauthenticated push fails (401)
- [ ] OIDC browser login redirects to Authentik and back
- [ ] API key push works after key generation
- [ ] CI push succeeds with both Dagger and skopeo paths
- [ ] `mise run services-check` passes

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/237

ansible/playbooks/indri.yml

@@ -108,11 +108,22 @@
       check_mode: false
       tags: [forgejo_actions_secrets]
 
+    - name: Fetch Zot CI API key for Forgejo Actions
+      ansible.builtin.command:
+        cmd: op read "op://vg6xf6vvfmoh5hqjjhlhbeoaie/w3663ffnvkewbftncqxtcpeavy/zot-ci-api"
+      delegate_to: localhost
+      register: _zot_ci_api_key
+      changed_when: false
+      no_log: true
+      check_mode: false
+      tags: [forgejo_actions_secrets]
+
     - name: Set Forgejo Actions secrets facts
       ansible.builtin.set_fact:
         forgejo_api_token: "{{ _forgejo_api_token.stdout }}"
         forgejo_secret_argocd_token: "{{ _forgejo_argocd_token.stdout }}"
         forgejo_secret_fly_deploy_token: "{{ _fly_deploy_token.stdout }}"
+        forgejo_secret_zot_ci_api_key: "{{ _zot_ci_api_key.stdout }}"
       no_log: true
       tags: [forgejo_actions_secrets]
 

ansible/roles/forgejo_actions_secrets/defaults/main.yml

@@ -16,6 +16,8 @@ forgejo_actions_secrets_repos:
         value_var: forgejo_secret_argocd_token
       - name: FLY_DEPLOY_TOKEN
         value_var: forgejo_secret_fly_deploy_token
+      - name: ZOT_CI_API_KEY
+        value_var: forgejo_secret_zot_ci_api_key
   - repo: cv
     secrets:
       - name: FORGE_TOKEN

ansible/roles/zot/defaults/main.yml

@@ -5,6 +5,8 @@ zot_data_dir: /Users/erichblume/zot
 zot_config_dir: /Users/erichblume/.config/zot
 zot_port: 5050
 zot_log_dir: /Users/erichblume/Library/Logs
+zot_external_url: https://registry.ops.eblu.me
+zot_oidc_issuer: https://authentik.ops.eblu.me/application/o/zot/
 
 # Pull-through cache registries (on-demand sync)
 zot_sync_registries:

ansible/roles/zot/templates/config.json.j2

@@ -8,7 +8,41 @@
   },
   "http": {
     "address": "0.0.0.0",
-    "port": "{{ zot_port }}"
+    "port": "{{ zot_port }}",
+    "externalUrl": "{{ zot_external_url }}",
+    "auth": {
+      "openid": {
+        "providers": {
+          "oidc": {
+            "credentialsFile": "{{ zot_config_dir }}/oidc-credentials.json",
+            "issuer": "{{ zot_oidc_issuer }}",
+            "scopes": ["openid", "email", "profile"],
+            "claimMapping": {
+              "username": "preferred_username"
+            }
+          }
+        }
+      },
+      "apikey": true
+    },
+    "accessControl": {
+      "repositories": {
+        "**": {
+          "policies": [
+            {
+              "groups": ["artifact-workloads"],
+              "actions": ["read", "create"]
+            },
+            {
+              "groups": ["admins"],
+              "actions": ["read", "create", "update", "delete"]
+            }
+          ],
+          "anonymousPolicy": ["read"],
+          "defaultPolicy": ["read"]
+        }
+      }
+    }
   },
   "log": {
     "level": "info"