Integrate Forgejo with Authentik OIDC

Refactor Authentik blueprints into common.yaml (shared admins group), grafana.yaml (updated with !Find and groups scope), and forgejo.yaml (new provider + application). Add forgejo-client-secret to ExternalSecret and worker deployment. Configure Forgejo oauth2_client for auto-registration with login-based account linking to safely preserve existing accounts. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-20 16:55:22 -08:00
1 changed files with 8 additions and 0 deletions
--- a/argocd/manifests/authentik/configmap-blueprint.yaml
+++ b/argocd/manifests/authentik/configmap-blueprint.yaml
@ -32,7 +32,15 @@ data:
        identifiers:
          name: default-authentication-mfa-validation
        attrs:
+          name: default-authentication-mfa-validation
          not_configured_action: force_setup
+          device_classes:
+            - totp
+            - webauthn
+            - static
+          configuration_stages:
+            - !Find [authentik_stages_authenticator_totp.authenticatortotpstage, [name, default-authenticator-totp-setup]]
+            - !Find [authentik_stages_authenticator_static.authenticatorstaticstage, [name, default-authenticator-static-setup]]

  grafana.yaml: |
    version: 1