Enable zot registry auth + wire CI credentials (#237)

## Summary

- Enable OIDC + API key authentication on zot registry with three-tier accessControl
  - `anonymousPolicy: ["read"]` — anyone can pull
  - `artifact-workloads` group: `["read", "create"]` — CI push, no overwrite/delete
  - `admins` group: `["read", "create", "update", "delete"]` — break-glass
- Wire both CI push paths (Dagger and Nix/skopeo) with `ZOT_CI_API_KEY` credentials
- Add `artifact-workloads` PolicyBinding in Authentik blueprint for zot app access
- Add `ZOT_CI_API_KEY` to Forgejo Actions secrets via existing ansible role

Completes the `wire-ci-registry-auth` and `harden-zot-registry` Mikado cards.

## Manual Deployment Steps (after merge)

1. Deploy Authentik blueprint: `argocd app sync authentik`
2. In Authentik admin UI: set a password for the `zot-ci` service account
3. Deploy zot config: `mise run provision-indri -- --tags zot`
4. Log in to `https://registry.ops.eblu.me` as `zot-ci` via OIDC → generate API key
5. Store API key in 1Password as `zot-ci-apikey` in blumeops vault
6. Sync Forgejo secrets: `mise run provision-indri -- --tags forgejo_actions_secrets`
7. Trigger a test container build to verify CI push
8. Verify anonymous pull: `curl -sf https://registry.ops.eblu.me/v2/_catalog`

## Uncertainties

- **Zot `accessControl` group matching with OIDC:** Groups from Authentik's `profile` scope claim should map to zot policy groups, but the exact claim-to-group matching needs runtime verification
- **`http.auth.apikey: true`:** This config key is documented but needs verification against the specific zot version built from source on indri
- **API key permissions:** Need to confirm zot API keys inherit the generating user's group for accessControl evaluation

## Test Plan

- [ ] `mise run provision-indri -- --check --diff --tags zot` shows expected config changes
- [ ] Anonymous pull works after deploy
- [ ] Unauthenticated push fails (401)
- [ ] OIDC browser login redirects to Authentik and back
- [ ] API key push works after key generation
- [ ] CI push succeeds with both Dagger and skopeo paths
- [ ] `mise run services-check` passes

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/237

docs/reference/services/zot.md

@@ -35,9 +35,33 @@ When [[cluster|minikube]] pulls an image, containerd checks zot first. If cached
 
 ## Security Model
 
-Network access only (no authentication). Defense is the Tailscale ACL boundary.
+OIDC authentication via [[authentik]], with API key support for CI. Three-tier access control:
+
+| Role | Permissions | Use case |
+|------|------------|----------|
+| Anonymous | read | Pull images without auth |
+| `artifact-workloads` group | read, create | CI push (new tags only, no overwrite/delete) |
+| `admins` group | read, create, update, delete | Break-glass admin access |
+
+CI authenticates with a zot API key generated from the `zot-ci` service account's OIDC session. The key is stored in the `Forgejo Secrets` 1Password item (field `zot-ci-api`) and synced to Forgejo Actions secrets via ansible.
+
+## API Key Rotation
+
+The `zot-ci` API key expires every **90 days**. To rotate:
+
+1. In Authentik admin UI, impersonate the `zot-ci` user
+2. Visit `https://registry.ops.eblu.me` — you'll land on the login page
+3. Click "SIGN IN WITH OIDC" to authenticate as zot-ci
+4. Navigate to `https://registry.ops.eblu.me/user/apikey`
+5. Generate a new API key, copy it to clipboard
+6. Update 1Password:
+   ```fish
+   pbpaste | op item edit "Forgejo Secrets" --vault blumeops "zot-ci-api[password]=-"
+   ```
+7. Sync to Forgejo: `mise run provision-indri -- --tags forgejo_actions_secrets`
 
 ## Related
 
 - [[forgejo]] - Container build CI
 - [[cluster|Cluster]] - Registry consumer
+- [[authentik]] - OIDC identity provider