fix: use internal email for gitadmin, free user email for SSO login

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

deployment/infrastructure/forgejo.yaml

@@ -5,13 +5,13 @@
 # Storage: NFS on HP ProLiant (media-pool/git, media-pool/git-db)
 # SSH: NodePort 30022 (clone with: git clone ssh://git@<host>:30022/<user>/<repo>.git)
 #
-# Initial deploy steps after applying:
-#   1. Create Authentik OIDC provider (see plan.md todo: authentik-oidc)
-#   2. In Forgejo admin: Site Administration → Authentication Sources → Add OAuth2 Source
-#      - Provider: OpenID Connect
-#      - Name: authentik
-#      - Client ID/Secret: from Authentik
-#      - OpenID Discovery URL: https://auth.vandachevici.ro/application/o/forgejo/.well-known/openid-configuration
+# Post-deploy setup (already done, documented for re-deploy):
+#   1. Authentik OIDC provider created via API (provider PK=9, app slug=forgejo)
+#   2. Forgejo OAuth2 source configured via CLI:
+#      forgejo admin auth add-oauth --name authentik --provider openidConnect \
+#        --auto-discover-url https://auth.vandachevici.ro/application/o/forgejo/.well-known/openid-configuration
+#   3. Admin account: gitadmin / email: gitadmin@git.vandachevici.ro (break-glass only)
+#      Users should sign in via "Sign in with authentik" button
 
 ---
 apiVersion: v1