From 7d99203fc65de5a65fb90de420fb15c770a4edd9 Mon Sep 17 00:00:00 2001 From: viktor Date: Fri, 19 Jun 2026 17:34:17 +0000 Subject: [PATCH] forgejo: re-enable ENABLE_AUTO_REGISTRATION for zero-click GitHub sign-up MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Per Viktor: GitHub sign-up must work zero-click (account created on first login, no form). This global [oauth2_client] setting enables it. It conflicts with Authentik (preferred_username is an email → invalid Forgejo username → 500 on auto-create), and Viktor's Forgejo email (me@viktorbarzin.me) doesn't match his Authentik email (vbarzin@gmail.com) so account-linking can't bridge it — so the Authentik OAuth2 source is DISABLED (login_source.is_active=0; DB-managed, out-of-band) per his directive. Forgejo sign-in is now GitHub + native login. Committed via API to land on origin without pushing a concurrent agent's unpushed local commit. Co-Authored-By: Claude Opus 4.8 --- stacks/forgejo/main.tf | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/stacks/forgejo/main.tf b/stacks/forgejo/main.tf index 0abb1847..6baea2d0 100644 --- a/stacks/forgejo/main.tf +++ b/stacks/forgejo/main.tf @@ -280,6 +280,17 @@ resource "kubernetes_deployment" "forgejo" { } } } + # Zero-click sign-up for GitHub (OAuth2): auto-create the local + # account on first login (GitHub's username claim is valid). This is a + # GLOBAL [oauth2_client] setting, so the Authentik OAuth2 source is kept + # DISABLED (login_source.is_active=0, set out-of-band — sources are + # DB-managed, not TF): Authentik's preferred_username is the user's email, + # an invalid Forgejo username that 500'd auto-create. Re-enable Authentik + # only after fixing its username claim. docs/runbooks/forgejo-open-signups.md + env { + name = "FORGEJO__oauth2_client__ENABLE_AUTO_REGISTRATION" + value = "true" + } volume_mount { name = "data" mount_path = "/data"
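Review bot: the control that makes this global ENABLE_AUTO_REGISTRATION safe, the Authentik OAuth2 source being disabled (login_source.is_active=0), is stated in the new comment block to live in the database and to be set out-of-band, so nothing in this hunk or in the rest of the Terraform stack enforces it; anyone re-enabling that source in the admin UI, or a database restore from before the change, would silently put the email-as-username auto-create path (the one the comment says 500'd) back into the login flow. Suggest adding a post-apply verification step (for example, a documented query or admin-UI check that the Authentik source is still inactive) alongside the env block, and noting in the comment that the runbook it points at, docs/runbooks/forgejo-open-signups.md, is not part of this patch (1 file changed), so reviewers cannot confirm it describes the re-enable conditions. Separately, "zero-click sign-up for GitHub" with this setting means every GitHub account can create a local account on first login, which is effectively open registration for the instance; if that is intended it should be stated in the comment, and if not, consider restricting the GitHub source on the source itself rather than relying on the global flag, and confirm how the flag interacts with the instance's [service] registration settings before relying on it as the only gate.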