Erich Blume
aabfcf6fc0
## Summary - Add "Forgejo Actions Secrets" section to forgejo reference card - Document that `ARGOCD_AUTH_TOKEN` is used by `build-blumeops.yaml` workflow - Note that secrets are stored in 1Password but manually copied to Forgejo (no auto-sync) - Add missing `build-blumeops.yaml` to workflows list - Clarify distinction between server config secrets (1Password → Ansible) vs CI/CD secrets (Forgejo UI) ## Context The forgejo-runner ArgoCD app was showing OutOfSync because a previous attempt stored `argocd_token` in the ExternalSecret. This was incorrect - the token is actually a Forgejo Actions secret, not a k8s secret. Synced the app to remove the drift and added documentation to prevent future confusion. 🤖 Generated with [Claude Code](https://claude.ai/code) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/102
64 lines
1.9 KiB
Markdown
64 lines
1.9 KiB
Markdown
---
|
|
title: forgejo
|
|
tags:
|
|
- service
|
|
- git
|
|
- cicd
|
|
---
|
|
|
|
# Forgejo
|
|
|
|
Git forge and CI/CD platform. **Primary source of truth for blumeops** (mirrored to GitHub).
|
|
|
|
## Quick Reference
|
|
|
|
| Property | Value |
|
|
|----------|-------|
|
|
| **URL** | https://forge.ops.eblu.me |
|
|
| **SSH** | `ssh://forgejo@forge.ops.eblu.me:2222` |
|
|
| **Local Ports** | 3001 (HTTP), 2200 (SSH) |
|
|
| **Config** | `ansible/roles/forgejo/templates/app.ini.j2` |
|
|
|
|
## Repositories
|
|
|
|
| Repo | Description |
|
|
|------|-------------|
|
|
| `eblume/blumeops` | Infrastructure as code (primary) |
|
|
| `eblume/alloy` | Grafana Alloy fork (CGO build) |
|
|
| `eblume/tesla_auth` | Tesla OAuth helper |
|
|
| Helm chart mirrors | cloudnative-pg-charts, grafana-helm-charts |
|
|
|
|
## CI/CD (Forgejo Actions)
|
|
|
|
**Runner:** Kubernetes pod with Docker-in-Docker sidecar
|
|
- Namespace: `forgejo-runner`
|
|
- Labels: `k8s`
|
|
- ArgoCD app: `forgejo-runner`
|
|
|
|
**Workflows:** `.forgejo/workflows/`
|
|
- `build-container.yaml` - Container image builds on tag
|
|
- `build-blumeops.yaml` - Documentation builds and releases
|
|
|
|
## Secrets (Forgejo Config)
|
|
|
|
Server configuration secrets managed via 1Password → Ansible:
|
|
- `lfs-jwt-secret`, `internal-token`, `oauth2-jwt-secret` - Forgejo server tokens
|
|
- `runner_reg` - Runner registration token (also in k8s via [[external-secrets]])
|
|
|
|
## Forgejo Actions Secrets
|
|
|
|
Repository-level secrets for CI/CD workflows. **Not IaC** - managed in Forgejo UI at:
|
|
`Settings → Actions → Secrets`
|
|
|
|
| Secret | Used By | Purpose |
|
|
|--------|---------|---------|
|
|
| `ARGOCD_AUTH_TOKEN` | `build-blumeops.yaml` | Sync docs app after release |
|
|
|
|
These secrets are injected as `${{ secrets.SECRET_NAME }}` in workflow files.
|
|
|
|
> **Note:** These secrets are also stored in 1Password ("Forgejo Secrets" item) as the source of truth, but were manually copied to Forgejo. They will not auto-update if the 1Password value changes.
|
|
|
|
## Related
|
|
|
|
- [[argocd]] - Uses Forgejo as git source
|
|
- [[zot]] - Container registry for built images
|