forgejo: open native self-signups, gated by Turnstile + email confirmation

Viktor wants Forgejo open for anyone to sign up, but without bot/spam account floods. Flip the deployment from OAuth-only registration (ALLOW_ONLY_EXTERNAL_REGISTRATION=true) to allowing native local sign-up, and add two bot gates on the registration form: - Cloudflare Turnstile captcha (CAPTCHA_TYPE=cfturnstile). The widget is managed in Terraform (turnstile.tf) via the CF Global API key, so the sitekey/secret are IaC, not a dashboard artifact. - Mandatory email confirmation (REGISTER_EMAIL_CONFIRM=true). Wire the Forgejo mailer to the cluster mailserver as noreply@viktorbarzin.me (mail.viktorbarzin.me:587 STARTTLS), reusing the same Vault-sourced credential Authentik uses (email-secret.tf ESO -> secret/authentik smtp_password). Existing Authentik OAuth2 login is unchanged (additive). Deployment env appended (not inserted) so the diff stays purely additive; a reloader annotation rolls the pod on secret rotation. Verified live: signup page renders the Turnstile widget, mailer delivers a test message end-to-end, Forgejo healthy, plan-to-zero after apply. Runbook: docs/runbooks/forgejo-open-signups.md Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-19 16:05:07 +00:00 · 2026-06-19 16:05:07 +00:00 · 963e4fcdde
commit 963e4fcdde
parent 21dbd79ae4
5 changed files with 292 additions and 3 deletions
--- a/.claude/reference/service-catalog.md
+++ b/.claude/reference/service-catalog.md
@ -96,7 +96,7 @@
 | n8n | Workflow automation | n8n |
 | real-estate-crawler | Property crawler | real-estate-crawler |
 | tor-proxy | Tor proxy | tor-proxy |
-| forgejo | Git forge | forgejo |
+| forgejo | Git forge. Open native self-signup (Turnstile captcha + email confirm) alongside Authentik OAuth; see `docs/runbooks/forgejo-open-signups.md` | forgejo |
 | freshrss | RSS reader | freshrss |
 | navidrome | Music streaming | navidrome |
 | networking-toolbox | Network tools | networking-toolbox |
--- a/docs/runbooks/forgejo-open-signups.md
+++ b/docs/runbooks/forgejo-open-signups.md
@ -0,0 +1,128 @@
 # Runbook: Forgejo open self-service signups
 Last updated: 2026-06-19
 `forgejo.viktorbarzin.me` allows **open native self-registration** (anyone can
 create a local Forgejo account from the web form), gated against bots by two
 layers:
 1. **Cloudflare Turnstile** captcha on the registration form.
 2. **Mandatory email confirmation** — a new account stays inactive until the
   user clicks an activation link emailed to the address they registered with.
 The pre-existing **Authentik OAuth2 login** ("Sign in with …") is unchanged and
 still works alongside local accounts. This is additive — opening local signups
 did not touch SSO.
 Everything is Terraform-managed in `stacks/forgejo/`. There is no dashboard or
 manual cluster state.
 ## What is configured (and where)
 All on the `kubernetes_deployment.forgejo` container env in
 `stacks/forgejo/main.tf` (Forgejo reads `app.ini` keys from `FORGEJO__<section>__<KEY>`
 env vars):
 | Setting | Value | Effect |
 |---|---|---|
 | `service.DISABLE_REGISTRATION` | `false` | Registration is enabled |
 | `service.ALLOW_ONLY_EXTERNAL_REGISTRATION` | `false` | Native local sign-up allowed (was `true` = OAuth-only) |
 | `service.ENABLE_CAPTCHA` | `true` | Captcha required on the signup form |
 | `service.CAPTCHA_TYPE` | `cfturnstile` | Cloudflare Turnstile |
 | `service.CF_TURNSTILE_SITEKEY` | widget id | Public; rendered in the page |
 | `service.CF_TURNSTILE_SECRET` | from `forgejo-turnstile` Secret | Server-side verification |
 | `service.REGISTER_EMAIL_CONFIRM` | `true` | Account inactive until email is confirmed |
 | `mailer.*` | see below | Sends the activation email |
 Captcha guards **registration only** — `REQUIRE_CAPTCHA_FOR_LOGIN` is left at the
 default `false`, so existing users are not captcha'd on every login.
 ## Cloudflare Turnstile widget — `turnstile.tf`
 - The widget is a Terraform resource: `cloudflare_turnstile_widget.forgejo_signup`
  (mode `managed`, domain `forgejo.viktorbarzin.me`), created with the CF Global
  API Key already wired in `cloudflare_provider.tf`. The account id is resolved
  via `data.cloudflare_accounts`.
 - `.id` is the **public sitekey** (passed as a plain env value). `.secret` is the
  **secret key**, stored in the `forgejo-turnstile` K8s Secret and injected via
  `secret_key_ref`. The secret also lives in TF state (Tier-1 PG, encrypted at
  rest) — same trust level as the CF API key already in state.
 - Forgejo is **non-proxied** (direct A record to Traefik), but Turnstile is a
  client-side JS widget served from `challenges.cloudflare.com`, so proxy status
  is irrelevant — the widget works regardless.
 **Rotate the widget secret** (e.g. if it leaks):
 ```
 cd stacks/forgejo && vault login -method=oidc
 ../../scripts/tg apply --non-interactive -replace=cloudflare_turnstile_widget.forgejo_signup
 ```
 This mints a new sitekey+secret, updates the `forgejo-turnstile` Secret, and (via
 the Reloader annotation) rolls the Forgejo pod. Verify the new sitekey appears in
 the `/user/sign_up` HTML afterwards.
 ## Mailer — `email-secret.tf` + `[mailer]` env
 - Forgejo sends as **`noreply@viktorbarzin.me`** via **`mail.viktorbarzin.me:587`**
  with `PROTOCOL=smtp+starttls`. This reuses the same mailserver SASL account
  Authentik uses (`stacks/authentik/email-secret.tf`) — one credential, one
  rotation point.
 - **The host MUST be `mail.viktorbarzin.me`, not `mailserver.mailserver.svc`**:
  the mailserver serves the `*.viktorbarzin.me` wildcard cert, which does not
  cover the `.svc` DNS name, so STARTTLS cert verification would fail.
  `mail.viktorbarzin.me` resolves in-cluster (→ `10.0.20.1`) and matches the cert.
 - The password is synced from Vault `secret/authentik` → `smtp_password` by the
  `forgejo-email` ExternalSecret (ESO `ClusterSecretStore vault-kv`) into the
  `forgejo-email` K8s Secret (key `PASSWD`), referenced by `FORGEJO__mailer__PASSWD`.
 - The deployment carries `reloader.stakater.com/auto: "true"`, so a rotation of
  either secret rolls the pod automatically.
 ## Re-closing / tightening signups
 Edit `stacks/forgejo/main.tf` and `scripts/tg apply` (or commit + push — CI
 applies):
 - **OAuth-only again** (revert this change): set
  `FORGEJO__service__ALLOW_ONLY_EXTERNAL_REGISTRATION` back to `"true"`.
 - **No new accounts at all** (admins create them): set
  `FORGEJO__service__DISABLE_REGISTRATION` to `"true"`.
 - **Require admin approval per signup** (strongest, instead of email confirm):
  set `REGISTER_MANUAL_CONFIRM=true` **and** `REGISTER_EMAIL_CONFIRM=false`
  (Forgejo makes the two mutually exclusive). New accounts then queue under Site
  Administration → Identity & Access → Accounts until an admin activates them.
 ## Handling spam / abuse accounts
 A signup that clears Turnstile + email confirmation is still a real, low-privilege
 Forgejo user. To deal with abuse:
 - **Ban/delete** via Site Administration → Identity & Access → Accounts, or
  `forgejo admin user delete --username <name>` inside the pod
  (`kubectl -n forgejo exec deploy/forgejo -- forgejo admin user ...`).
 - New users get Forgejo defaults (they can create repos/orgs). If abuse warrants,
  tighten with `[service].DEFAULT_ALLOW_CREATE_ORGANIZATION=false` and/or
  `[repository].MAX_CREATION_LIMIT` (add as env vars; out of scope for the initial
  open-signups change).
 ## Operational notes
 - The Forgejo deployment is **single-replica with `Recreate` strategy**, so any
  config apply briefly restarts the pod (git remote + OCI registry unavailable for
  a few seconds). Expected, not an incident.
 - The signup page is **not** behind Cloudflare's bot-fight (Forgejo is
  non-proxied) — Turnstile + email confirmation are the bot gate. CrowdSec +
  Traefik rate limiting still front the host.
 ## Verify it's working
 ```
 POD=$(kubectl -n forgejo get pod -l app=forgejo -o jsonpath='{.items[0].metadata.name}')
 # Env present:
 kubectl -n forgejo exec "$POD" -- env | grep -E 'ALLOW_ONLY_EXTERNAL|ENABLE_CAPTCHA|CAPTCHA_TYPE|CF_TURNSTILE_SITEKEY|REGISTER_EMAIL_CONFIRM|mailer__ENABLED'
 # Turnstile widget rendered on the form:
 kubectl -n forgejo exec "$POD" -- wget -qO- http://localhost:3000/user/sign_up | grep -oE 'cf-turnstile|data-sitekey="[^"]*"'
 # Secrets healthy:
 kubectl -n forgejo get externalsecret forgejo-email
 kubectl -n forgejo get secret forgejo-email forgejo-turnstile
 ```
 A full real-world check is to register a throwaway account and confirm the
 activation email arrives. The mailer transport (server/port/cert/cred) is shared
 with Authentik, which is already in production for external user enrollment.
--- a/stacks/forgejo/email-secret.tf
+++ b/stacks/forgejo/email-secret.tf
@ -0,0 +1,40 @@
 # SMTP password for Forgejo's open-signup email-confirmation + notification
 # mail (main.tf: FORGEJO__service__REGISTER_EMAIL_CONFIRM + [mailer]). Synced
 # from Vault secret/authentik -> smtp_password into the forgejo namespace as the
 # `forgejo-email` Secret (key PASSWD), referenced by FORGEJO__mailer__PASSWD.
 # Reuses the same noreply@viktorbarzin.me mailserver SASL account Authentik uses
 # (stacks/authentik/email-secret.tf) — one credential, one rotation point. The
 # reloader annotation rolls the Forgejo pod if the password is ever rotated.
 resource "kubernetes_manifest" "forgejo_email_secret" {
  manifest = {
    apiVersion = "external-secrets.io/v1beta1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "forgejo-email"
      namespace = "forgejo"
    }
    spec = {
      refreshInterval = "1h"
      secretStoreRef = {
        name = "vault-kv"
        kind = "ClusterSecretStore"
      }
      target = {
        name = "forgejo-email"
        template = {
          metadata = {
            annotations = {
              "reloader.stakater.com/match" = "true"
            }
          }
        }
      }
      data = [
        {
          secretKey = "PASSWD"
          remoteRef = { key = "authentik", property = "smtp_password" }
        },
      ]
    }
  }
 }
--- a/stacks/forgejo/main.tf
+++ b/stacks/forgejo/main.tf
@ -92,8 +92,16 @@ resource "kubernetes_deployment" "forgejo" {
      # from 11.0.14 → 1.18 on 2026-05-24 (same bug as memory id=1933).
      # TF owns the tag now; bump it manually here when upgrading.
      "keel.sh/policy" = "never"
      # Roll the pod when the signup secrets (forgejo-email password from Vault,
      # forgejo-turnstile secret) change — env vars are read at boot, not
      # hot-reloaded. Stakater Reloader watches all referenced secrets/CMs.
      "reloader.stakater.com/auto" = "true"
    }
  }
  # The forgejo-email Secret is materialised by the External Secrets operator
  # from the forgejo-email ExternalSecret (email-secret.tf); ensure the CR
  # exists before this deployment references it on a from-scratch apply.
  depends_on = [kubernetes_manifest.forgejo_email_secret]
  spec {
    replicas = 1
    strategy {
@ -142,14 +150,21 @@ resource "kubernetes_deployment" "forgejo" {
            name  = "FORGEJO__server__ROOT_URL"
            value = "https://forgejo.viktorbarzin.me"
          }
-          # Disable local registration — only allow OAuth2 (Authentik)
+          # Open self-service registration. Native local sign-up is allowed
          # (ALLOW_ONLY_EXTERNAL_REGISTRATION=false) alongside the existing
          # Authentik OAuth2 login. Bot abuse is gated by Cloudflare Turnstile
          # (ENABLE_CAPTCHA below) + mandatory email confirmation
          # (REGISTER_EMAIL_CONFIRM below). To re-close signups: set
          # DISABLE_REGISTRATION=true, or flip ALLOW_ONLY_EXTERNAL_REGISTRATION
          # back to "true" for OAuth-only. Runbook:
          # docs/runbooks/forgejo-open-signups.md
          env {
            name  = "FORGEJO__service__DISABLE_REGISTRATION"
            value = "false"
          }
          env {
            name  = "FORGEJO__service__ALLOW_ONLY_EXTERNAL_REGISTRATION"
-            value = "true"
+            value = "false"
          }
          env {
            name  = "FORGEJO__openid__ENABLE_OPENID_SIGNIN"
@ -190,6 +205,81 @@ resource "kubernetes_deployment" "forgejo" {
            name  = "FORGEJO__repository__DISABLE_DOWNLOAD_SOURCE_ARCHIVES"
            value = "true"
          }
          # --- Open-signup bot prevention + mailer (appended so the diff vs the
          # pre-signup deployment stays purely additive). ---
          # Cloudflare Turnstile captcha on the registration form (widget
          # managed in turnstile.tf). Sitekey is public (rendered in the page);
          # the secret is injected from the forgejo-turnstile Secret. Guards
          # registration only — not every login (REQUIRE_CAPTCHA_FOR_LOGIN left
          # at the default false).
          env {
            name  = "FORGEJO__service__ENABLE_CAPTCHA"
            value = "true"
          }
          env {
            name  = "FORGEJO__service__CAPTCHA_TYPE"
            value = "cfturnstile"
          }
          env {
            name  = "FORGEJO__service__CF_TURNSTILE_SITEKEY"
            value = cloudflare_turnstile_widget.forgejo_signup.id
          }
          env {
            name = "FORGEJO__service__CF_TURNSTILE_SECRET"
            value_from {
              secret_key_ref {
                name = kubernetes_secret.forgejo_turnstile.metadata[0].name
                key  = "cf-turnstile-secret"
              }
            }
          }
          # Mandatory email confirmation: new accounts stay inactive until the
          # user clicks an emailed activation link (kills throwaway-email bots).
          env {
            name  = "FORGEJO__service__REGISTER_EMAIL_CONFIRM"
            value = "true"
          }
          # Mailer: reuse the noreply@viktorbarzin.me mailserver SASL account
          # (same as Authentik). MUST use the public host mail.viktorbarzin.me,
          # NOT mailserver.mailserver.svc — the mailserver serves the
          # *.viktorbarzin.me wildcard cert which does not cover the svc DNS
          # name, so STARTTLS verification would fail. mail.viktorbarzin.me
          # resolves in-cluster (10.0.20.1) and matches the cert. Password from
          # the forgejo-email ESO Secret (Vault secret/authentik ->
          # smtp_password; see email-secret.tf).
          env {
            name  = "FORGEJO__mailer__ENABLED"
            value = "true"
          }
          env {
            name  = "FORGEJO__mailer__PROTOCOL"
            value = "smtp+starttls"
          }
          env {
            name  = "FORGEJO__mailer__SMTP_ADDR"
            value = "mail.viktorbarzin.me"
          }
          env {
            name  = "FORGEJO__mailer__SMTP_PORT"
            value = "587"
          }
          env {
            name  = "FORGEJO__mailer__FROM"
            value = "Forgejo <noreply@viktorbarzin.me>"
          }
          env {
            name  = "FORGEJO__mailer__USER"
            value = "noreply@viktorbarzin.me"
          }
          env {
            name = "FORGEJO__mailer__PASSWD"
            value_from {
              secret_key_ref {
                name = "forgejo-email"
                key  = "PASSWD"
              }
            }
          }
          volume_mount {
            name       = "data"
            mount_path = "/data"
--- a/stacks/forgejo/turnstile.tf
+++ b/stacks/forgejo/turnstile.tf
@ -0,0 +1,31 @@
 # Cloudflare Turnstile widget guarding the open Forgejo signup form
 # (main.tf: FORGEJO__service__ENABLE_CAPTCHA + CAPTCHA_TYPE=cfturnstile).
 # Managed here so the sitekey/secret are IaC rather than a dashboard artifact.
 # The CF Global API Key (cloudflare_provider.tf) has account-wide access, so it
 # can manage Turnstile. The widget secret is sensitive and lands in TF state
 # (Tier-1 PG, encrypted at rest) — same trust level as the API key already in
 # state. Forgejo is non-proxied, but Turnstile is a client-side JS widget served
 # from challenges.cloudflare.com, so proxy status is irrelevant.
 data "cloudflare_accounts" "main" {}
 resource "cloudflare_turnstile_widget" "forgejo_signup" {
  account_id = data.cloudflare_accounts.main.accounts[0].id
  name       = "forgejo-signup"
  domains    = ["forgejo.viktorbarzin.me"]
  # "managed" = Cloudflare adaptively decides whether to show an interactive
  # challenge; lowest friction for real users, strong against bots.
  mode = "managed"
 }
 # Turnstile secret -> K8s Secret consumed by the Forgejo deployment via
 # secret_key_ref (FORGEJO__service__CF_TURNSTILE_SECRET). The sitekey is public
 # and passed as a plain env value in main.tf.
 resource "kubernetes_secret" "forgejo_turnstile" {
  metadata {
    name      = "forgejo-turnstile"
    namespace = kubernetes_namespace.forgejo.metadata[0].name
  }
  data = {
    "cf-turnstile-secret" = cloudflare_turnstile_widget.forgejo_signup.secret
  }
 }