foundation/bootstrap
Andreas Niemann 522c5d7a54 fix(forgejo): generate + set SECRET_KEY (was empty under INSTALL_LOCK)
Follow-up to the crypto-secret mirror: Forgejo's [security] SECRET_KEY was
EMPTY because the bootstrap skips the web installer (INSTALL_LOCK), which is
what normally generates it. An empty SECRET_KEY weakens at-rest encryption of
2FA secrets, push-mirror/migration passwords, and OAuth app secrets.

Generate it with @pulumi/random (it is a plain high-entropy string, not a
format-constrained JWT — so unlike INTERNAL_TOKEN/JWT_SECRET it CAN be
random-generated, matching CONTRACT_002 §2.3) and inject via
FORGEJO__security__SECRET_KEY; env-to-ini overwrites it in the volume's
app.ini while leaving Forgejo's own INTERNAL_TOKEN + JWT secrets untouched.
The GATE-B mirror then captures the real value into Vault.

Done now while the egg is fresh (no encrypted data yet) → no re-encryption.

Validated live: app.ini + Vault forgejoSecretKey = 40 chars; forge healthz
pass + https 200; scp-form clone works; idempotent at 44 unchanged.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-30 23:30:35 +02:00
components fix(forgejo): generate + set SECRET_KEY (was empty under INSTALL_LOCK) 2026-06-30 23:30:35 +02:00
lib feat(bootstrap): postgres data-plane + remote helper (T03) 2026-06-30 21:10:34 +02:00
config.ts feat(credentials): mirror backup creds + age key into Vault (CONTRACT_002) 2026-06-30 23:23:38 +02:00
index.ts fix(forgejo): generate + set SECRET_KEY (was empty under INSTALL_LOCK) 2026-06-30 23:30:35 +02:00
package.json feat(bootstrap): postgres data-plane + remote helper (T03) 2026-06-30 21:10:34 +02:00
Pulumi.foundation.yaml feat(backup): age at-rest encryption of bundles (CONTRACT_004 §4.3) 2026-06-30 23:23:38 +02:00
Pulumi.yaml feat(bootstrap): Bun-workspace skeleton + typed config + vendored modules — T02 2026-06-30 18:06:21 +02:00
run.sh feat(bootstrap): vault init/unseal + capture to encrypted config (T05) 2026-06-30 21:32:52 +02:00
tsconfig.json feat(bootstrap): postgres data-plane + remote helper (T03) 2026-06-30 21:10:34 +02:00
vault-unseal.sh feat(bootstrap): vault init/unseal + capture to encrypted config (T05) 2026-06-30 21:32:52 +02:00