fix(forgejo): generate + set SECRET_KEY (was empty under INSTALL_LOCK)

Follow-up to the crypto-secret mirror: Forgejo's [security] SECRET_KEY was
EMPTY because the bootstrap skips the web installer (INSTALL_LOCK), which is
what normally generates it. An empty SECRET_KEY weakens at-rest encryption of
2FA secrets, push-mirror/migration passwords, and OAuth app secrets.

Generate it with @pulumi/random (it is a plain high-entropy string, not a
format-constrained JWT — so unlike INTERNAL_TOKEN/JWT_SECRET it CAN be
random-generated, matching CONTRACT_002 §2.3) and inject via
FORGEJO__security__SECRET_KEY; env-to-ini overwrites it in the volume's
app.ini while leaving Forgejo's own INTERNAL_TOKEN + JWT secrets untouched.
The GATE-B mirror then captures the real value into Vault.

Done now while the egg is fresh (no encrypted data yet) → no re-encryption.

Validated live: app.ini + Vault forgejoSecretKey = 40 chars; forge healthz
pass + https 200; scp-form clone works; idempotent at 44 unchanged.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Andreas Niemann 2026-06-30 23:30:35 +02:00
parent fbd1ad4d1d
commit 522c5d7a54
3 changed files with 16 additions and 4 deletions

@ -26,6 +26,7 @@ export interface ForgejoDeps {
rustfs: RustfsOutputs;
pgCreds: PostgresCredentials;
rustfsCreds: RustfsCredentials;
forgejoCreds: ForgejoCredentials;
}
export interface ForgejoOutputs {
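Review bot: `ForgejoCredentials` is added to `ForgejoDeps` but its import sits outside this hunk; confirm it is imported next to `PostgresCredentials` / `RustfsCredentials`, and that the `secretKey` member consumed below is a Pulumi secret output. With `@pulumi/random`, `RandomPassword.result` is secret by default while `RandomString.result` is not, and a non-secret value would land in plaintext in the stack state and in `pulumi preview` diffs even though the commit message says it is captured into Vault.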
@ -88,6 +89,11 @@ export function deployForgejo(
// Go SSH server colliding on :22. SSH_PORT is the clone-URL port; the sshd is
// published on host :22 (scp-form goal) + :2222 (CONTRACT_003).
"FORGEJO__server__START_SSH_SERVER=false",
// [security] SECRET_KEY — Forgejo leaves this EMPTY when the installer is
// skipped (INSTALL_LOCK); set it explicitly so at-rest encryption of 2FA /
// mirror / oauth secrets is keyed. env-to-ini overwrites it in the volume's
// app.ini (INTERNAL_TOKEN + JWT secrets are left untouched — Forgejo's own).
pulumi.interpolate`FORGEJO__security__SECRET_KEY=${deps.forgejoCreds.secretKey}`,
"FORGEJO__server__SSH_LISTEN_PORT=22",
`FORGEJO__server__SSH_PORT=${cfg.forgeSshPort}`,
`FORGEJO__server__SSH_DOMAIN=${cfg.hosts.git}`,
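Review bot: the new comment says env-to-ini overwrites SECRET_KEY in the volume's app.ini, which means any later change to `deps.forgejoCreds.secretKey` (a replaced random resource, a changed keeper) silently re-keys Forgejo and leaves existing 2FA / push-mirror / OAuth secrets undecryptable; the commit message only covers the "egg is fresh" case. Add a sentence to the comment stating that the value must stay stable and that rotation requires re-encryption, and consider `protect` / `ignoreChanges` on the generating resource so a refactor cannot regenerate it. Note also that, like the other `FORGEJO__*` entries in this list, the key is delivered as a container environment variable and is therefore readable by anyone who can inspect the container's environment on the host; worth stating next to a value whose whole purpose is at-rest encryption.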