Add Forgejo T05 verify, operator bootstrap, and security hardening
All checks were successful
CI Smoke / host-smoke (push) Successful in 1s
CI Smoke / container-smoke (push) Successful in 3s

Introduce forgejo-verify acceptance checks, idempotent operator bootstrap,
runner registration SOPS capture helper, and session/security Helm values.
This commit is contained in:
tegwick 2026-07-07 22:09:53 +02:00
parent 9b31f229e8
commit 3a9236148a
8 changed files with 436 additions and 1 deletions

View file

@ -79,6 +79,29 @@ make forgejo-runner-status
make forgejo-status
make forgejo-logs
make forgejo-smoke
make forgejo-verify # T05 acceptance (smoke, TLS, DB, mailer, SSH operator)
make forgejo-secrets-check # SOPS sentinels present
```
## Operator accounts (T05)
Bootstrap is automated and does not commit secrets:
```bash
# Requires admin API token at /tmp/forgejo-tegwick-api-token (or FORGEJO_ADMIN_TOKEN)
make forgejo-operator-bootstrap
```
Default operator: `tegwick` (site admin, `coulomb` Owners team, SSH via
`forgejo-remote` / `~/.ssh/id_gitea`). `forgejo_admin` remains the Helm chart
bootstrap account; day-2 git+ssh should use the operator user.
Runner registration token: if the cluster secret was created with `kubectl create
secret` (not SOPS), capture it once on a host with the age key:
```bash
make forgejo-runner-registration-sops-bootstrap
make check-sops SOPS_SENTINEL=helm/forgejo-runner-registration.sops.yaml
```
## SMTP (IONOS) — password reset / notifications
@ -135,6 +158,15 @@ Do not put the SMTP password in `helm/forgejo-secrets.sops.yaml`.
Gitea on coulombcore remains canonical until `RAIL-HO-WP-0005` migration drills
and cutover pass. Do not repoint repo remotes until Wave 1 cutover is approved.
## Package registry (OCI, npm, generic)
See `docs/forgejo-package-registry.md`. Smoke targets:
```bash
make forgejo-smoke
make forgejo-npm-smoke
```
## Related
- Gitea reference: `~/railiance-forge/Makefile` (`gitea-deploy`)