fix #296: auto-generate GPG signing key for Forgejo on first boot

2026-05-22 22:13:08 +02:00 · 2026-05-22 22:13:08 +02:00 · cbd4b71322
commit cbd4b71322
parent a94b504883
1 changed files with 48 additions and 1 deletions
--- a/nix/modules/hive-forge.nix
+++ b/nix/modules/hive-forge.nix
@ -174,6 +174,14 @@ in
                DEFAULT_THEME = "catppuccin-vibec0re";
                THEMES = "catppuccin-vibec0re,forgejo-auto,forgejo-light,forgejo-dark,gitea-auto,gitea-light,gitea-dark";
              };
+              # Point forgejo at the GPG key generated by the
+              # forgejo-gpg-init oneshot below. "default" resolves to
+              # the first secret key found in GNUPGHOME. GNUPGHOME
+              # must be absolute and writeable by the forgejo user.
+              "repository.signing" = {
+                SIGNING_KEY = "default";
+                GNUPGHOME = "/var/lib/forgejo/.gnupg";
+              };
              # F3 (federation) computes its data dir relative to the
              # forgejo binary, which lands in the read-only nix
              # store and crashes anything that touches the F3
@ -187,7 +195,46 @@ in
              };
            };
          };
-          environment.systemPackages = [ pkgs.forgejo ];
+          environment.systemPackages = [
+            pkgs.forgejo
+            pkgs.gnupg
+          ];
+
+          # Generate a GPG signing key for Forgejo on first boot so UI
+          # merges produce signed commits instead of erroring "no key to
+          # sign with". The key lives in forgejo's persistent state dir
+          # (/var/lib/forgejo/.gnupg) and survives container restarts.
+          # The stamp file prevents re-generation on subsequent boots.
+          # Service runs as the forgejo user so file ownership is correct.
+          systemd.services.forgejo-gpg-init = {
+            description = "generate GPG signing key for Forgejo (once)";
+            # Start before forgejo so the key is ready when forgejo reads
+            # repository.signing config on startup.
+            wantedBy = [ "forgejo.service" ];
+            before = [ "forgejo.service" ];
+            unitConfig.ConditionPathExists = "!/var/lib/forgejo/.gnupg/hive-key-init.stamp";
+            serviceConfig = {
+              Type = "oneshot";
+              RemainAfterExit = true;
+              User = "forgejo";
+              Group = "forgejo";
+            };
+            environment.GNUPGHOME = "/var/lib/forgejo/.gnupg";
+            path = [ pkgs.gnupg pkgs.coreutils ];
+            script = ''
+              mkdir -p "$GNUPGHOME"
+              chmod 700 "$GNUPGHOME"
+              gpg --batch --gen-key <<'EOF'
+%no-protection
+Key-Type: RSA
+Key-Length: 4096
+Name-Real: HyperHive Forge
+Name-Email: forgejo@hive
+Expire-Date: 0
+EOF
+              touch "$GNUPGHOME/hive-key-init.stamp"
+            '';
+          };
        };
    };