blumeops/argocd/manifests
Erich Blume cd50c1454a Integrate Forgejo with Authentik OIDC (#228)
## Summary

- Refactor Authentik blueprints: extract shared `admins` group into `common.yaml`, add `groups` scope mapping to all providers for group-based admin propagation
- Add Forgejo OAuth2 provider and application blueprint (`forgejo.yaml`)
- Add `forgejo-client-secret` to ExternalSecret and worker deployment env
- Configure Forgejo `[oauth2_client]` with `ACCOUNT_LINKING=login` to safely link existing accounts
- Update documentation (forgejo.md, authentik.md, federated-login.md)

## Deployment and Testing

After merge, deployment requires these steps in order:

1. **Authentik (ArgoCD):**
   - `argocd app set authentik --revision feature/forgejo-authentik-oidc && argocd app sync authentik`
   - Verify: Forgejo app/provider visible in Authentik admin UI
   - Verify: Grafana SSO still works (blueprint refactor)

2. **Forgejo app.ini (Ansible):**
   - `mise run provision-indri -- --tags forgejo --check --diff` (dry run)
   - `mise run provision-indri -- --tags forgejo` (apply, restarts Forgejo)

3. **Create Forgejo auth source (CLI on indri):**
   ```sh
   ssh indri 'sudo -u forgejo /opt/homebrew/bin/forgejo admin auth add-oauth \
     --name authentik \
     --provider openidConnect \
     --key forgejo \
     --secret "$(op read "op://vg6xf6vvfmoh5hqjjhlhbeoaie/Authentik (blumeops)/forgejo-client-secret")" \
     --auto-discover-url https://authentik.ops.eblu.me/application/o/forgejo/.well-known/openid-configuration \
     --scopes "openid email profile groups" \
     --group-claim-name groups \
     --admin-group admins'
   ```

4. **Link eblume account:** Sign in with Authentik on Forgejo, confirm link with local password

5. **Verify:** `tea repo list`, Forgejo Actions, local password break-glass

After merge: `argocd app set authentik --revision main && argocd app sync authentik`

Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/228
2026-02-20 17:39:50 -08:00
| Directory | Last commit | Date |
|---|---|---|
| 1password-connect | Fix 1Password Connect credentials for chart 2.3.0 | 2026-02-13 17:30:45 -08:00 |
| alloy-k8s | Tier 1 version bumps (#186) | 2026-02-13 17:16:37 -08:00 |
| argocd | Deploy Frigate NVR stack with Mosquitto, Ntfy, and frigate-notify (#190) | 2026-02-14 21:27:44 -08:00 |
| authentik | Integrate Forgejo with Authentik OIDC (#228) | 2026-02-20 17:39:50 -08:00 |
| cloudnative-pg | K8s Migration Phase 1: Infrastructure Setup (#29) | 2026-01-19 09:49:52 -08:00 |
| cv | Deploy Frigate NVR stack with Mosquitto, Ntfy, and frigate-notify (#190) | 2026-02-14 21:27:44 -08:00 |
| databases | Deploy Authentik identity provider (C2 Mikado) (#227) | 2026-02-20 12:55:59 -08:00 |
| devpi | Deploy Frigate NVR stack with Mosquitto, Ntfy, and frigate-notify (#190) | 2026-02-14 21:27:44 -08:00 |
| docs | Update docs release to v1.10.0 | 2026-02-19 20:45:43 -08:00 |
| external-secrets | Add External Secrets Operator with 1Password Connect (#66) (#66) | 2026-01-28 19:30:10 -08:00 |
| forgejo-runner | Configure DinD to use Zot as pull-through registry mirror (#183) | 2026-02-13 12:36:03 -08:00 |
| frigate | Update Frigate zone masks and expand alert notifications (#219) | 2026-02-19 17:32:02 -08:00 |
| grafana | Deploy Authentik identity provider (C2 Mikado) (#227) | 2026-02-20 12:55:59 -08:00 |
| grafana-config | Deploy Authentik identity provider (C2 Mikado) (#227) | 2026-02-20 12:55:59 -08:00 |
| homepage | Add Authentik to homepage dashboard | 2026-02-20 13:03:48 -08:00 |
| immich | Recategorize homepage into Content and Misc groups (#179) | 2026-02-13 09:09:22 -08:00 |
| kiwix | Tier 1 version bumps (#186) | 2026-02-13 17:16:37 -08:00 |
| kube-state-metrics | Tier 1 version bumps (#186) | 2026-02-13 17:16:37 -08:00 |
| loki | Tier 1 version bumps (#186) | 2026-02-13 17:16:37 -08:00 |
| miniflux | Tier 1 version bumps (#186) | 2026-02-13 17:16:37 -08:00 |
| mosquitto | Fix mosquitto image tag: use 2.0.22 instead of nonexistent 2.1.2 (#198) | 2026-02-16 17:19:32 -08:00 |
| navidrome | Fix navidrome custom container image v1.0.2 (#194) | 2026-02-16 08:24:33 -08:00 |
| ntfy | Port Mosquitto and ntfy to ringtail k3s, retire Apple Silicon Detector (#216) | 2026-02-19 11:22:44 -08:00 |
| nvidia-device-plugin | Port Frigate NVR to ringtail k3s with GPU acceleration (#217) | 2026-02-19 14:27:04 -08:00 |
| prometheus | Deploy Frigate NVR stack with Mosquitto, Ntfy, and frigate-notify (#190) | 2026-02-14 21:27:44 -08:00 |
| tailscale-operator | Deploy Tailscale operator on ringtail k3s cluster (#215) | 2026-02-19 09:33:05 -08:00 |
| tailscale-operator-base | Deploy Tailscale operator on ringtail k3s cluster (#215) | 2026-02-19 09:33:05 -08:00 |
| tailscale-operator-ringtail | Deploy Tailscale operator on ringtail k3s cluster (#215) | 2026-02-19 09:33:05 -08:00 |
| teslamate | Doc review: connect-to-postgres, create-release-artifact-workflow, deploy-k8s-service (#191) | 2026-02-15 07:42:01 -08:00 |
| torrent | Deploy Frigate NVR stack with Mosquitto, Ntfy, and frigate-notify (#190) | 2026-02-14 21:27:44 -08:00 |