Merge forgejo/master: reconcile diverged lineages [ci skip]

Local checkout carried the 2026-06-10 DNS/registry architecture series (pfSense forward-zone, CoreDNS viktorbarzin.me:53 carve-out, nodes stock) + vzdump/nfs-mirror/workstation-rebuild commits that never reached the canonical remote, while forgejo master received the emo-access series via isolated worktrees. Viktor asked to merge. Conflict resolutions (newest iteration wins in each file): - stacks/forgejo/cleanup.tf: LOCAL — dry_run=true (2026-06-10 revert after live retention orphaned OCI indexes; remote had 06-09 enable) - .claude/CLAUDE.md, docs/architecture/backup-dr.md: LOCAL — final registry/DNS architecture + implemented vzdump alerts - scripts/workstation/setup-devvm.sh: LOCAL — pinned-version, reproducible-rebuild refactor (kubelogin pin, restructured staging) - scripts/workstation/managed-settings.json: FORGEJO — the allow-then-audit claudeMd (matches /etc deployment byte-for-byte) - scripts/t3-provision-users.sh: FORGEJO comment; refresh_locked_clone intact [ci skip]: all stack changes in the local lineage were applied live this morning — CI would re-walk 100+ stacks via the modules/ fallback for zero state change. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-10 15:21:50 +00:00 · 2026-06-10 15:21:50 +00:00 · 8cfd0e5e5c
commit 8cfd0e5e5c
parent a1b7b0ca53 a34f9ff3b8
10 changed files with 160 additions and 5 deletions
--- a/docs/runbooks/offboard-user.md
+++ b/docs/runbooks/offboard-user.md
@ -29,7 +29,26 @@ gated `userdel_archive`, which is **never** auto-applied).
   sudo systemctl disable --now t3-serve@<os_user>.service
   sudo passwd -l <os_user>
   ```
-4. **Verify:** they can no longer reach `t3.viktorbarzin.me` (302 → Authentik, then
+4. **Revoke git + group access** *(manual)*:
+   ```bash
+   # legacy secret-bearing group, if they were ever in it
+   sudo gpasswd -d <os_user> code-shared
+   # drop write access to the infra repo
+   curl -X DELETE -H "Authorization: token <admin_pat>" \
+     https://forgejo.viktorbarzin.me/api/v1/repos/viktor/infra/collaborators/<forgejo_login>
+   # if they were whitelisted for direct master push, remove them from the
+   # branch-protection whitelists (PATCH with the remaining usernames)
+   curl -X PATCH -H "Authorization: token <admin_pat>" -H 'Content-Type: application/json' \
+     https://forgejo.viktorbarzin.me/api/v1/repos/viktor/infra/branch_protections/master \
+     -d '{"push_whitelist_usernames":["viktor"],"merge_whitelist_usernames":["viktor"]}'
+   # revoke their devvm git PAT (token name: devvm-infra-git; admin PAT may
+   # manage other users' tokens — verified 2026-06-10; the CLI has no delete)
+   curl -X DELETE -H "Authorization: token <admin_pat>" \
+     https://forgejo.viktorbarzin.me/api/v1/users/<forgejo_login>/tokens/devvm-infra-git
+   ```
+   Note: their already-running sessions keep dropped groups until cycled — restart
+   `t3-serve@<os_user>` to enforce immediately.
+5. **Verify:** they can no longer reach `t3.viktorbarzin.me` (302 → Authentik, then
   denied once removed from the `T3 Users` group — Part C) and cannot log in. Nothing
   is deleted; re-adding the roster entry + reconcile fully restores them.