89e454d0c7
Some checks failed
Upgrade nomad/jobs/forgejo.hcl to read SECRET_KEY + INTERNAL_TOKEN from Vault via a template stanza using the service-forgejo role (S2.3). Non-secret config (DB, ports, ROOT_URL, registration lockdown) stays inline. An empty-Vault fallback (`with ... else ...`) renders visible placeholder env vars so a fresh LXC still brings forgejo up — the operator sees the warning instead of forgejo silently regenerating SECRET_KEY on every restart. Add tools/vault-seed-forgejo.sh — idempotent seeder that ensures the kv/ mount is KV v2 and populates kv/data/disinto/shared/forgejo with random secret_key (32B hex) + internal_token (64B hex) on a clean install. Existing non-empty values are left untouched; partial paths are filled in atomically. Parser shape is positional-arity case dispatch to stay structurally distinct from the two sibling vault-*.sh tools and avoid the 5-line sliding-window dup detector. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> |
||
|---|---|---|
| .. | ||
| jobs | ||
| AGENTS.md | ||
| client.hcl | ||
| server.hcl | ||
| vault.hcl | ||