blumeops

eblume/blumeops

Fork 0

Commit graph

Author	SHA1	Message	Date
Erich Blume	2865bf5c27	Review deploy-authentik: rewrite as process guide (#257 ) ## Summary - Rewrites deploy-authentik from a historical changelog into a reproducible process guide - Removes stale version info (`v1.1.2-nix`) and future work section (Forgejo federation is done, rest belongs elsewhere) - Marks deploy-authentik as completed in plans index and completed archive - Removes hardcoded image tag from authentik reference card (use `service-versions.yaml`) - Adds `last-reviewed: 2026-02-23` frontmatter ## Test plan - [x] All pre-commit hooks pass (docs-check-links, docs-check-index, etc.) - [x] ArgoCD app verified synced and healthy - [x] All wiki-links validated Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/257	2026-02-23 14:35:39 -08:00
Erich Blume	cd50c1454a	Integrate Forgejo with Authentik OIDC (#228 ) ## Summary - Refactor Authentik blueprints: extract shared `admins` group into `common.yaml`, add `groups` scope mapping to all providers for group-based admin propagation - Add Forgejo OAuth2 provider and application blueprint (`forgejo.yaml`) - Add `forgejo-client-secret` to ExternalSecret and worker deployment env - Configure Forgejo `[oauth2_client]` with `ACCOUNT_LINKING=login` to safely link existing accounts - Update documentation (forgejo.md, authentik.md, federated-login.md) ## Deployment and Testing After merge, deployment requires these steps in order: 1. Authentik (ArgoCD): - `argocd app set authentik --revision feature/forgejo-authentik-oidc && argocd app sync authentik` - Verify: Forgejo app/provider visible in Authentik admin UI - Verify: Grafana SSO still works (blueprint refactor) 2. Forgejo app.ini (Ansible): - `mise run provision-indri -- --tags forgejo --check --diff` (dry run) - `mise run provision-indri -- --tags forgejo` (apply, restarts Forgejo) 3. Create Forgejo auth source (CLI on indri): ``` ssh indri 'sudo -u forgejo /opt/homebrew/bin/forgejo admin auth add-oauth \ --name authentik \ --provider openidConnect \ --key forgejo \ --secret "$(op read "op://vg6xf6vvfmoh5hqjjhlhbeoaie/Authentik (blumeops)/forgejo-client-secret")" \ --auto-discover-url https://authentik.ops.eblu.me/application/o/forgejo/.well-known/openid-configuration \ --scopes "openid email profile groups" \ --group-claim-name groups \ --admin-group admins' ``` 4. Link eblume account: Sign in with Authentik on Forgejo, confirm link with local password 5. Verify: `tea repo list`, Forgejo Actions, local password break-glass After merge: `argocd app set authentik --revision main && argocd app sync authentik` Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/228	2026-02-20 17:39:50 -08:00
Erich Blume	71cb256527	Deploy Authentik identity provider (C2 Mikado) (#227 ) ## Summary C2 Mikado chain for deploying Authentik as the SSO identity provider, replacing Dex. This PR will evolve over multiple sessions. Each iteration adds documentation (prerequisite cards) and eventually code as leaf nodes are resolved. ## Current Mikado State - Goal: `deploy-authentik` (active) - Leaf prerequisites: - `build-authentik-container` — Build Nix container image - `provision-authentik-database` — Create PostgreSQL database on CNPG cluster - `create-authentik-secrets` — Create 1Password item with credentials ## Process refinements - Updated agent-change-process with lessons from first attempt: reset code before committing cards, open PRs early ## Test plan - [ ] `mise run docs-mikado` shows correct dependency chain - [ ] Leaf nodes can be worked independently - [ ] Container builds on ringtail - [ ] Authentik starts and reaches healthy state - [ ] Forgejo OAuth2 connector works Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/227	2026-02-20 12:55:59 -08:00

Author

SHA1

Message

Date

Erich Blume

2865bf5c27

Review deploy-authentik: rewrite as process guide (#257 )

## Summary
- Rewrites deploy-authentik from a historical changelog into a reproducible process guide
- Removes stale version info (`v1.1.2-nix`) and future work section (Forgejo federation is done, rest belongs elsewhere)
- Marks deploy-authentik as completed in plans index and completed archive
- Removes hardcoded image tag from authentik reference card (use `service-versions.yaml`)
- Adds `last-reviewed: 2026-02-23` frontmatter

## Test plan
- [x] All pre-commit hooks pass (docs-check-links, docs-check-index, etc.)
- [x] ArgoCD app verified synced and healthy
- [x] All wiki-links validated

Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/257

2026-02-23 14:35:39 -08:00

Erich Blume

cd50c1454a

Integrate Forgejo with Authentik OIDC (#228 )

## Summary

- Refactor Authentik blueprints: extract shared `admins` group into `common.yaml`, add `groups` scope mapping to all providers for group-based admin propagation
- Add Forgejo OAuth2 provider and application blueprint (`forgejo.yaml`)
- Add `forgejo-client-secret` to ExternalSecret and worker deployment env
- Configure Forgejo `[oauth2_client]` with `ACCOUNT_LINKING=login` to safely link existing accounts
- Update documentation (forgejo.md, authentik.md, federated-login.md)

## Deployment and Testing

After merge, deployment requires these steps in order:

1. **Authentik (ArgoCD):**
   - `argocd app set authentik --revision feature/forgejo-authentik-oidc && argocd app sync authentik`
   - Verify: Forgejo app/provider visible in Authentik admin UI
   - Verify: Grafana SSO still works (blueprint refactor)

2. **Forgejo app.ini (Ansible):**
   - `mise run provision-indri -- --tags forgejo --check --diff` (dry run)
   - `mise run provision-indri -- --tags forgejo` (apply, restarts Forgejo)

3. **Create Forgejo auth source (CLI on indri):**
   ```
   ssh indri 'sudo -u forgejo /opt/homebrew/bin/forgejo admin auth add-oauth \
     --name authentik \
     --provider openidConnect \
     --key forgejo \
     --secret "$(op read "op://vg6xf6vvfmoh5hqjjhlhbeoaie/Authentik (blumeops)/forgejo-client-secret")" \
     --auto-discover-url https://authentik.ops.eblu.me/application/o/forgejo/.well-known/openid-configuration \
     --scopes "openid email profile groups" \
     --group-claim-name groups \
     --admin-group admins'
   ```

4. **Link eblume account:** Sign in with Authentik on Forgejo, confirm link with local password

5. **Verify:** `tea repo list`, Forgejo Actions, local password break-glass

After merge: `argocd app set authentik --revision main && argocd app sync authentik`

Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/228

2026-02-20 17:39:50 -08:00

Erich Blume

71cb256527

Deploy Authentik identity provider (C2 Mikado) (#227 )

## Summary
C2 Mikado chain for deploying Authentik as the SSO identity provider, replacing Dex.

This PR will evolve over multiple sessions. Each iteration adds documentation (prerequisite cards) and eventually code as leaf nodes are resolved.

## Current Mikado State
- **Goal:** `deploy-authentik` (active)
- **Leaf prerequisites:**
  - `build-authentik-container` — Build Nix container image
  - `provision-authentik-database` — Create PostgreSQL database on CNPG cluster
  - `create-authentik-secrets` — Create 1Password item with credentials

## Process refinements
- Updated agent-change-process with lessons from first attempt: reset code before committing cards, open PRs early

## Test plan
- [ ] `mise run docs-mikado` shows correct dependency chain
- [ ] Leaf nodes can be worked independently
- [ ] Container builds on ringtail
- [ ] Authentik starts and reaches healthy state
- [ ] Forgejo OAuth2 connector works

Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/227

2026-02-20 12:55:59 -08:00

3 commits