From f2c4324fb07b0cbbc679a4471eac636fcf78fc1c Mon Sep 17 00:00:00 2001
From: Dan V
Date: Wed, 8 Apr 2026 23:42:04 +0200
Subject: [PATCH] fix: use internal email for gitadmin, free user email for SSO login

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 deployment/infrastructure/forgejo.yaml | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/deployment/infrastructure/forgejo.yaml b/deployment/infrastructure/forgejo.yaml
index bdc6b7d..04d0849 100644
--- a/deployment/infrastructure/forgejo.yaml
+++ b/deployment/infrastructure/forgejo.yaml
@@ -5,13 +5,13 @@
 # Storage: NFS on HP ProLiant (media-pool/git, media-pool/git-db)
 # SSH: NodePort 30022 (clone with: git clone ssh://git@:30022//.git)
 #
-# Initial deploy steps after applying:
-# 1. Create Authentik OIDC provider (see plan.md todo: authentik-oidc)
-# 2. In Forgejo admin: Site Administration → Authentication Sources → Add OAuth2 Source
-# - Provider: OpenID Connect
-# - Name: authentik
-# - Client ID/Secret: from Authentik
-# - OpenID Discovery URL: https://auth.vandachevici.ro/application/o/forgejo/.well-known/openid-configuration
+# Post-deploy setup (already done, documented for re-deploy):
+# 1. Authentik OIDC provider created via API (provider PK=9, app slug=forgejo)
+# 2. Forgejo OAuth2 source configured via CLI:
+# forgejo admin auth add-oauth --name authentik --provider openidConnect \
+# --auto-discover-url https://auth.vandachevici.ro/application/o/forgejo/.well-known/openid-configuration
+# 3. Admin account: gitadmin / email: gitadmin@git.vandachevici.ro (break-glass only)
+# Users should sign in via "Sign in with authentik" button
 ---
 apiVersion: v1