From cbd4b71322b88b4e837f461325ea8989d264ff43 Mon Sep 17 00:00:00 2001
From: damocles
Date: Fri, 22 May 2026 22:13:08 +0200
Subject: [PATCH] fix #296: auto-generate GPG signing key for Forgejo on first boot
---
 nix/modules/hive-forge.nix | 49 +++++++++++++++++++++++++++++++++++++-
 1 file changed, 48 insertions(+), 1 deletion(-)
diff --git a/nix/modules/hive-forge.nix b/nix/modules/hive-forge.nix
index 26cea0d..fb83ff9 100644
--- a/nix/modules/hive-forge.nix
+++ b/nix/modules/hive-forge.nix
@@ -174,6 +174,14 @@ in
 DEFAULT_THEME = "catppuccin-vibec0re";
 THEMES = "catppuccin-vibec0re,forgejo-auto,forgejo-light,forgejo-dark,gitea-auto,gitea-light,gitea-dark";
 };
+ # Point forgejo at the GPG key generated by the
+ # forgejo-gpg-init oneshot below. "default" resolves to
+ # the first secret key found in GNUPGHOME. GNUPGHOME
+ # must be absolute and writeable by the forgejo user.
+ "repository.signing" = {
+ SIGNING_KEY = "default";
+ GNUPGHOME = "/var/lib/forgejo/.gnupg";
+ };
 # F3 (federation) computes its data dir relative to the
 # forgejo binary, which lands in the read-only nix
 # store and crashes anything that touches the F3
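Review bot: `GNUPGHOME` is written here as a key inside Forgejo's `[repository.signing]` section, but as far as I can tell that section does not define such a key, so the value may be silently ignored and the gpg call made from forgejo.service would look in that service's own HOME rather than in /var/lib/forgejo/.gnupg. If that is the case, resolving `SIGNING_KEY = "default"` needs the variable on the forgejo unit itself, e.g. `systemd.services.forgejo.environment.GNUPGHOME = "/var/lib/forgejo/.gnupg";`, mirroring what the forgejo-gpg-init oneshot in the next hunk sets for its own process. Worth confirming against the Forgejo configuration reference before merging, and noting the outcome in the comment above the block. The enclosing `settings` attribute set starts outside this hunk.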
@@ -187,7 +195,46 @@ in
 };
 };
 };
- environment.systemPackages = [ pkgs.forgejo ];
+ environment.systemPackages = [
+ pkgs.forgejo
+ pkgs.gnupg
+ ];
+
+ # Generate a GPG signing key for Forgejo on first boot so UI
+ # merges produce signed commits instead of erroring "no key to
+ # sign with". The key lives in forgejo's persistent state dir
+ # (/var/lib/forgejo/.gnupg) and survives container restarts.
+ # The stamp file prevents re-generation on subsequent boots.
+ # Service runs as the forgejo user so file ownership is correct.
+ systemd.services.forgejo-gpg-init = {
+ description = "generate GPG signing key for Forgejo (once)";
+ # Start before forgejo so the key is ready when forgejo reads
+ # repository.signing config on startup.
+ wantedBy = [ "forgejo.service" ];
+ before = [ "forgejo.service" ];
+ unitConfig.ConditionPathExists = "!/var/lib/forgejo/.gnupg/hive-key-init.stamp";
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+ User = "forgejo";
+ Group = "forgejo";
+ };
+ environment.GNUPGHOME = "/var/lib/forgejo/.gnupg";
+ path = [ pkgs.gnupg pkgs.coreutils ];
+ script = ''
+ mkdir -p "$GNUPGHOME"
+ chmod 700 "$GNUPGHOME"
+ gpg --batch --gen-key <<'EOF'
+%no-protection
+Key-Type: RSA
+Key-Length: 4096
+Name-Real: HyperHive Forge
+Name-Email: forgejo@hive
+Expire-Date: 0
+EOF
+ touch "$GNUPGHOME/hive-key-init.stamp"
+ '';
+ };
 };
 };
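Review bot: forgejo.service still starts when forgejo-gpg-init fails, because `wantedBy` together with `before` only orders the two units and does not make forgejo depend on the oneshot succeeding; a failed `gpg --batch --gen-key` then leaves no stamp, forgejo comes up with `SIGNING_KEY = "default"` and no secret key, and the "no key to sign with" error this commit fixes reappears with nothing in forgejo's own unit pointing at the cause. Replacing `wantedBy = [ "forgejo.service" ];` with `requiredBy = [ "forgejo.service" ];` makes forgejo wait for the key to exist and surfaces the failure where it is looked for. The script also assumes /var/lib/forgejo already exists and is owned by the forgejo user when this unit runs; if the NixOS forgejo module creates that directory in its own preStart rather than via tmpfiles, the unprivileged `mkdir -p "$GNUPGHOME"` fails on a genuine first boot, which is worth confirming. Since `%no-protection` stores the secret key unencrypted, the `chmod 700` is the only thing keeping it from other local users, so the comment above the unit should say so explicitly. The enclosing module attribute set starts outside this hunk.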