Follow-up to the crypto-secret mirror: Forgejo's [security] SECRET_KEY was EMPTY because the bootstrap skips the web installer (INSTALL_LOCK), which is what normally generates it. An empty SECRET_KEY weakens at-rest encryption of 2FA secrets, push-mirror/migration passwords, and OAuth app secrets. Generate it with @pulumi/random (it is a plain high-entropy string, not a format-constrained JWT — so unlike INTERNAL_TOKEN/JWT_SECRET it CAN be random-generated, matching CONTRACT_002 §2.3) and inject via FORGEJO__security__SECRET_KEY; env-to-ini overwrites it in the volume's app.ini while leaving Forgejo's own INTERNAL_TOKEN + JWT secrets untouched. The GATE-B mirror then captures the real value into Vault. Done now while the egg is fresh (no encrypted data yet) → no re-encryption. Validated live: app.ini + Vault forgejoSecretKey = 40 chars; forge healthz pass + https 200; scp-form clone works; idempotent at 44 unchanged. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> |
||
|---|---|---|
| .. | ||
| components | ||
| lib | ||
| config.ts | ||
| index.ts | ||
| package.json | ||
| Pulumi.foundation.yaml | ||
| Pulumi.yaml | ||
| run.sh | ||
| tsconfig.json | ||
| vault-unseal.sh | ||