Add EFS infrastructure for Forgejo (new CloudFormation stack)

- Introduce forgejo-efs.yaml defining EFS FileSystem with encryption, lifecycle policies, and backup enabled
- Add dedicated AccessPoints for /forgejo/data and /forgejo/config with POSIX ownership and tags
- Include FileSystemPolicy enforcing mount-target-only access
- Export EFS resource IDs for cross-stack referencing

infra/cfn/forgejo-efs.yaml

@@ -0,0 +1,103 @@
+Parameters:
+  KmsKeyId:
+    Type: String
+    Description: "KMS key for EFS encryption"
+
+Resources:
+  EFSAccessPointData:
+    Type: "AWS::EFS::AccessPoint"
+    DeletionPolicy: Retain
+    Properties:
+      FileSystemId: !Ref EFSFileSystem
+      RootDirectory:
+        Path: "/forgejo/data"
+        CreationInfo:
+          OwnerGid: "1000"
+          Permissions: "750"
+          OwnerUid: "1000"
+      AccessPointTags:
+      - Value: "forgejo-data-ap"
+        Key: "Name"
+      - Value: "Git-server"
+        Key: "Project"
+      PosixUser:
+        Uid: "1000"
+        SecondaryGids: []
+        Gid: "1000"
+
+  EFSAccessPointConfig:
+    Type: "AWS::EFS::AccessPoint"
+    DeletionPolicy: Retain
+    Properties:
+      FileSystemId: !Ref EFSFileSystem
+      RootDirectory:
+        Path: "/forgejo/config"
+        CreationInfo:
+          OwnerGid: "1000"
+          Permissions: "750"
+          OwnerUid: "1000"
+      AccessPointTags:
+      - Value: "forgejo-config-ap"
+        Key: "Name"
+      - Value: "Git-server"
+        Key: "Project"
+      PosixUser:
+        Uid: "1000"
+        SecondaryGids: []
+        Gid: "1000"
+
+  EFSFileSystem:
+    Type: "AWS::EFS::FileSystem"
+    DeletionPolicy: Retain
+    Properties:
+      KmsKeyId: !Ref KmsKeyId
+      PerformanceMode: "generalPurpose"
+      Encrypted: true
+      FileSystemTags:
+      - Value: "forgejo-file-system"
+        Key: "Name"
+      - Value: "Git-server"
+        Key: "Project"
+      FileSystemPolicy:
+        Version: "2012-10-17"
+        Statement:
+        - Condition:
+            Bool:
+              elasticfilesystem:AccessedViaMountTarget: "true"
+          Resource: !Sub "arn:aws:elasticfilesystem:${AWS::Region}:${AWS::AccountId}:file-system/fs-011efd71b198bacc7"
+          Action:
+          - "elasticfilesystem:ClientWrite"
+          - "elasticfilesystem:ClientMount"
+          Effect: "Allow"
+          Principal:
+            AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
+          Sid: "efs-statement-b87417f1-f7fd-4978-b642-9b3084238008"
+        Id: "efs-policy-wizard-c4d5acbb-f970-40a3-8938-87ca58cb6f1b"
+      FileSystemProtection:
+        ReplicationOverwriteProtection: "ENABLED"
+      LifecyclePolicies:
+      - TransitionToIA: "AFTER_30_DAYS"
+      - TransitionToArchive: "AFTER_90_DAYS"
+      ThroughputMode: "elastic"
+      BackupPolicy:
+        Status: "ENABLED"
+
+Outputs:
+
+  EFSFileSystemId:
+    Description: "ID of the EFS File System"
+    Value: !Ref EFSFileSystem
+    Export:
+      Name: !Sub "${AWS::StackName}-EFSFileSystemId"
+
+  AccessPointData:
+    Description: "Access Point for /forgejo/data"
+    Value: !Ref EFSAccessPointData
+    Export:
+      Name: !Sub "${AWS::StackName}-EFSAccessPointData"
+
+  AccessPointConfig:
+    Description: "Access Point for /forgejo/config"
+    Value: !Ref EFSAccessPointConfig
+    Export:
+      Name: !Sub "${AWS::StackName}-EFSAccessPointConfig"