Forgejo
Git forge and CI/CD platform. Primary source of truth for blumeops (mirrored to GitHub).
Quick Reference
| Property | Value |
|---|---|
| URL | https://forge.ops.eblu.me |
| SSH | ssh://forgejo@forge.ops.eblu.me:2222 |
| Local Ports | 3001 (HTTP), 2200 (SSH) |
| Config | ansible/roles/forgejo/templates/app.ini.j2 |
Repositories
| Repo | Description |
|---|---|
eblume/blumeops | Infrastructure as code (primary) |
eblume/alloy | Grafana Alloy fork (CGO build) |
eblume/tesla_auth | Tesla OAuth helper |
| Helm chart mirrors | cloudnative-pg-charts, grafana-helm-charts |
CI/CD (Forgejo Actions)
Runner: Kubernetes pod with Docker-in-Docker sidecar
- Namespace:
forgejo-runner - Labels:
k8s - ArgoCD app:
forgejo-runner
Workflows: .forgejo/workflows/
build-container.yaml- Container image builds on tagbuild-blumeops.yaml- Documentation builds and releases
Secrets (Forgejo Config)
Server configuration secrets managed via 1Password → Ansible:
lfs-jwt-secret,internal-token,oauth2-jwt-secret- Forgejo server tokensrunner_reg- Runner registration token (also in k8s via external-secrets)
Forgejo Actions Secrets
Repository-level secrets for CI/CD workflows, synced from 1Password via Ansible.
| Secret | 1Password Field | Used By | Purpose |
|---|---|---|---|
ARGOCD_AUTH_TOKEN | argocd_token | build-blumeops.yaml | Sync docs app after release |
These secrets are injected as ${{ secrets.SECRET_NAME }} in workflow files.
IaC: The forgejo_actions_secrets Ansible role syncs these secrets from 1Password to Forgejo via the Forgejo API. Run with:
mise run provision-indri -- --tags forgejo_actions_secretsAPI Token Setup (Manual, One-Time)
The Ansible role authenticates to the Forgejo API using a Personal Access Token (PAT). This PAT must be created manually:
- Go to https://forge.ops.eblu.me/user/settings/applications
- Create a new token with
write:repositoryscope - Store it in 1Password → “Forgejo Secrets” item →
api-tokenfield
This is a bootstrapping requirement - the PAT enables IaC for all other secrets.