fix #296: auto-generate GPG signing key for Forgejo on first boot
This commit is contained in:
parent
a94b504883
commit
cbd4b71322
1 changed files with 48 additions and 1 deletions
@ -174,6 +174,14 @@ in
DEFAULT_THEME = "catppuccin-vibec0re";
DEFAULT_THEME = "catppuccin-vibec0re";
THEMES = "catppuccin-vibec0re,forgejo-auto,forgejo-light,forgejo-dark,gitea-auto,gitea-light,gitea-dark";
THEMES = "catppuccin-vibec0re,forgejo-auto,forgejo-light,forgejo-dark,gitea-auto,gitea-light,gitea-dark";
};
};
# Point forgejo at the GPG key generated by the
# forgejo-gpg-init oneshot below. "default" resolves to
# the first secret key found in GNUPGHOME. GNUPGHOME
# must be absolute and writeable by the forgejo user.
"repository.signing" = {
SIGNING_KEY = "default";
GNUPGHOME = "/var/lib/forgejo/.gnupg";
};
# F3 (federation) computes its data dir relative to the
# F3 (federation) computes its data dir relative to the
# forgejo binary, which lands in the read-only nix
# forgejo binary, which lands in the read-only nix
# store and crashes anything that touches the F3
# store and crashes anything that touches the F3
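Review bot: The comment above `"repository.signing"` states that `SIGNING_KEY = "default"` resolves to the first secret key in GNUPGHOME, but the Forgejo/Gitea documentation describes `default` as "use git's default key", i.e. `user.signingkey` from the forgejo user's git config, falling back to whatever gpg picks for the committer identity — which will not necessarily match the generated `HyperHive Forge <forgejo@hive>` uid. If that reading is right for the deployed version, signing may still fail or pick an unintended key while the config looks correct, so this should be verified and the comment corrected, e.g. `# "default" defers to git's key selection (user.signingkey, else committer identity) — pin the key via git config or SIGNING_KEY to avoid ambiguity.` A robust option is to have the key-generation oneshot record the fingerprint into the forgejo user's git config as `user.signingkey`, or to set `SIGNING_NAME`/`SIGNING_EMAIL` consistently with the generated uid. The enclosing `settings` attrset starts outside this hunk.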
@ -187,7 +195,46 @@ in
};
};
};
};
};
};
environment.systemPackages = [ pkgs.forgejo ];
environment.systemPackages = [
pkgs.forgejo
pkgs.gnupg
];
# Generate a GPG signing key for Forgejo on first boot so UI
# merges produce signed commits instead of erroring "no key to
# sign with". The key lives in forgejo's persistent state dir
# (/var/lib/forgejo/.gnupg) and survives container restarts.
# The stamp file prevents re-generation on subsequent boots.
# Service runs as the forgejo user so file ownership is correct.
systemd.services.forgejo-gpg-init = {
description = "generate GPG signing key for Forgejo (once)";
# Start before forgejo so the key is ready when forgejo reads
# repository.signing config on startup.
wantedBy = [ "forgejo.service" ];
before = [ "forgejo.service" ];
unitConfig.ConditionPathExists = "!/var/lib/forgejo/.gnupg/hive-key-init.stamp";
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
User = "forgejo";
Group = "forgejo";
};
environment.GNUPGHOME = "/var/lib/forgejo/.gnupg";
path = [ pkgs.gnupg pkgs.coreutils ];
script = ''
mkdir -p "$GNUPGHOME"
chmod 700 "$GNUPGHOME"
gpg --batch --gen-key <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 4096
Name-Real: HyperHive Forge
Name-Email: forgejo@hive
Expire-Date: 0
EOF
touch "$GNUPGHOME/hive-key-init.stamp"
'';
};
};
};
};
};
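Review bot: `wantedBy = [ "forgejo.service" ]` only expresses a weak dependency, so if key generation fails on first boot (the stamp is then correctly not written) forgejo.service still starts and reproduces the very "no key to sign with" error this commit fixes; `requiredBy = [ "forgejo.service" ];` alongside `before` makes the ordering a hard dependency and surfaces the failure in forgejo's own unit state. The generated key is unprotected (`%no-protection`) and never expires (`Expire-Date: 0`), which unattended signing needs, but that trade-off deserves a comment next to the gen-key block, e.g. `# Passphrase-less, non-expiring key: confidentiality rests solely on the 0700 GNUPGHOME owned by forgejo; treat the state dir as a secret and rotate by regenerating.` Separately, adding `pkgs.gnupg` to `environment.systemPackages` does not place gpg on forgejo.service's own PATH; confirm the forgejo module already provides it, otherwise the runtime signing call still fails even though this oneshot succeeds. The `forgejo-gpg-init` unit is complete within the hunk, but the enclosing module attrset begins outside it.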