disinto

disinto-admin/disinto

Fork 0

History

Claude 89e454d0c7 Some checks failed ci/woodpecker/push/ci Pipeline was successful Details ci/woodpecker/push/nomad-validate Pipeline was successful Details ci/woodpecker/pr/ci Pipeline was successful Details ci/woodpecker/pr/nomad-validate Pipeline was successful Details ci/woodpecker/pr/secret-scan Pipeline failed Details fix: [nomad-step-2] S2.4 — forgejo.hcl reads admin creds from Vault via template stanza (#882 ) Upgrade nomad/jobs/forgejo.hcl to read SECRET_KEY + INTERNAL_TOKEN from Vault via a template stanza using the service-forgejo role (S2.3). Non-secret config (DB, ports, ROOT_URL, registration lockdown) stays inline. An empty-Vault fallback (`with ... else ...`) renders visible placeholder env vars so a fresh LXC still brings forgejo up — the operator sees the warning instead of forgejo silently regenerating SECRET_KEY on every restart. Add tools/vault-seed-forgejo.sh — idempotent seeder that ensures the kv/ mount is KV v2 and populates kv/data/disinto/shared/forgejo with random secret_key (32B hex) + internal_token (64B hex) on a clean install. Existing non-empty values are left untouched; partial paths are filled in atomically. Parser shape is positional-arity case dispatch to stay structurally distinct from the two sibling vault-*.sh tools and avoid the 5-line sliding-window dup detector. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-16 17:25:44 +00:00
..
forgejo.hcl	fix: [nomad-step-2] S2.4 — forgejo.hcl reads admin creds from Vault via template stanza (#882 )	2026-04-16 17:25:44 +00:00

Claude 89e454d0c7

ci/woodpecker/push/ci Pipeline was successful

Details

ci/woodpecker/push/nomad-validate Pipeline was successful

Details

ci/woodpecker/pr/ci Pipeline was successful

Details

ci/woodpecker/pr/nomad-validate Pipeline was successful

Details

ci/woodpecker/pr/secret-scan Pipeline failed

Details

fix: [nomad-step-2] S2.4 — forgejo.hcl reads admin creds from Vault via template stanza (#882 )

Upgrade nomad/jobs/forgejo.hcl to read SECRET_KEY + INTERNAL_TOKEN from
Vault via a template stanza using the service-forgejo role (S2.3).
Non-secret config (DB, ports, ROOT_URL, registration lockdown) stays
inline. An empty-Vault fallback (`with ... else ...`) renders visible
placeholder env vars so a fresh LXC still brings forgejo up — the
operator sees the warning instead of forgejo silently regenerating
SECRET_KEY on every restart.

Add tools/vault-seed-forgejo.sh — idempotent seeder that ensures the
kv/ mount is KV v2 and populates kv/data/disinto/shared/forgejo with
random secret_key (32B hex) + internal_token (64B hex) on a clean
install. Existing non-empty values are left untouched; partial paths
are filled in atomically. Parser shape is positional-arity case
dispatch to stay structurally distinct from the two sibling vault-*.sh
tools and avoid the 5-line sliding-window dup detector.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

2026-04-16 17:25:44 +00:00

forgejo.hcl

fix: [nomad-step-2] S2.4 — forgejo.hcl reads admin creds from Vault via template stanza (#882 )

2026-04-16 17:25:44 +00:00