phase 8: forgejo sync config, authentik-ldap SSO service, runbook update

apps/authentik-ldap/docker-compose.yml

@@ -0,0 +1,32 @@
+services:
+  authentik-ldap:
+    image: ghcr.io/goauthentik/ldap:2025.2.4
+    container_name: authentik-ldap
+    restart: unless-stopped
+    environment:
+      AUTHENTIK_HOST: https://auth.kitestacks.com
+      AUTHENTIK_INSECURE: "false"
+      # Token from Authentik outpost "osTicket LDAP Outpost"
+      # Regenerate via: Authentik admin → Outposts → osTicket LDAP Outpost → token
+      AUTHENTIK_TOKEN: REDACTED
+    networks:
+      - kitestacks
+      - osticket_default
+
+  # socat proxy: bridges standard LDAP port 389 → outpost port 3389
+  # Required because Net_LDAP2 (osTicket's LDAP library) always uses port 389
+  authentik-ldap-proxy:
+    image: alpine/socat
+    container_name: authentik-ldap-proxy
+    restart: unless-stopped
+    command: TCP-LISTEN:389,fork,reuseaddr TCP:authentik-ldap:3389
+    depends_on:
+      - authentik-ldap
+    networks:
+      - osticket_default
+
+networks:
+  kitestacks:
+    external: true
+  osticket_default:
+    external: true

apps/forgejo/docker-compose.yml

@@ -9,9 +9,16 @@ services:
     environment:
       - USER_UID=1000
       - USER_GID=1000
-      - FORGEJO__server__DOMAIN=192.168.1.205
-      - FORGEJO__server__ROOT_URL=http://192.168.1.205:3006
-      - FORGEJO__server__SSH_DOMAIN=192.168.1.205
+      - FORGEJO__server__DOMAIN=gitforge.kitestacks.com
+      - FORGEJO__server__ROOT_URL=https://gitforge.kitestacks.com/
+      - FORGEJO__server__SSH_DOMAIN=gitforge.kitestacks.com
       - FORGEJO__server__SSH_PORT=2222
     volumes:
       - ./data:/data
+    networks:
+      - default
+      - kitestacks
+
+networks:
+  kitestacks:
+    external: true