Integrate Forgejo with Authentik OIDC (#228)
## Summary
- Refactor Authentik blueprints: extract shared `admins` group into `common.yaml`, add `groups` scope mapping to all providers for group-based admin propagation
- Add Forgejo OAuth2 provider and application blueprint (`forgejo.yaml`)
- Add `forgejo-client-secret` to ExternalSecret and worker deployment env
- Configure Forgejo `[oauth2_client]` with `ACCOUNT_LINKING=login` to safely link existing accounts
- Update documentation (forgejo.md, authentik.md, federated-login.md)
## Deployment and Testing
After merge, deployment requires these steps in order:
1. **Authentik (ArgoCD):**
- `argocd app set authentik --revision feature/forgejo-authentik-oidc && argocd app sync authentik`
- Verify: Forgejo app/provider visible in Authentik admin UI
- Verify: Grafana SSO still works (blueprint refactor)
2. **Forgejo app.ini (Ansible):**
- `mise run provision-indri -- --tags forgejo --check --diff` (dry run)
- `mise run provision-indri -- --tags forgejo` (apply, restarts Forgejo)
3. **Create Forgejo auth source (CLI on indri):**
```
ssh indri 'sudo -u forgejo /opt/homebrew/bin/forgejo admin auth add-oauth \
--name authentik \
--provider openidConnect \
--key forgejo \
--secret "$(op read "op://vg6xf6vvfmoh5hqjjhlhbeoaie/Authentik (blumeops)/forgejo-client-secret")" \
--auto-discover-url https://authentik.ops.eblu.me/application/o/forgejo/.well-known/openid-configuration \
--scopes "openid email profile groups" \
--group-claim-name groups \
--admin-group admins'
```
4. **Link eblume account:** Sign in with Authentik on Forgejo, confirm link with local password
5. **Verify:** `tea repo list`, Forgejo Actions, local password break-glass
After merge: `argocd app set authentik --revision main && argocd app sync authentik`
Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/228
Erich Blume
cd50c1454a