disabled TCP connections for postgres

janus-ca pkg updates
mTLS generate script improvements
2026-04-04 12:21:50 -05:00 · 2026-04-04 12:09:13 -05:00 · 2026-04-04 11:09:25 -05:00 · 2026-04-04 10:44:37 -05:00 · 2026-04-04 09:46:55 -05:00 · 2026-04-04 09:33:08 -05:00
4 changed files with 224 additions and 117 deletions
@@ -2,6 +2,7 @@
  flake.modules.nixos.forgejo = {config, pkgs, lib, ... }:
    let
      cfg = config.forgejo;
+      needsPrivilegedPort = cfg.port < 1024;
    in
    {
      options.forgejo = {
@@ -25,40 +26,102 @@
      config = lib.mkIf cfg.enable {
        networking.firewall.allowedTCPPorts = lib.optionals cfg.openFirewall [ cfg.port ];

-        services.forgejo = {
-          enable = true;
-          lfs.enable = true;
-          settings.server = lib.mkMerge [
-            {
-              HTTP_PORT = cfg.port;
-              DISABLE_SSH = true;
-            }
-            (lib.mkIf cfg.https {
-              ROOT_URL = "https://forgejo.john-stream.com";
-              PROTOCOL = "https";
-              COOKIE_SECURE = true;
-              KEY_FILE = config.mtls.keyFile;
-              CERT_FILE = config.mtls.certFile;
-            })
+        systemd.services.forgejo.serviceConfig = lib.mkIf needsPrivilegedPort {
+          AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
+          CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
+          PrivateUsers = lib.mkForce false;
+        };
+
+        sops.secrets = {
+          "forgejo/secret_key".owner = config.services.forgejo.user;
+          "forgejo/internal_token".owner = config.services.forgejo.user;
+          "forgejo/jwt_secret".owner = config.services.forgejo.user;
+          "forgejo/lfs_jwt_secret".owner = config.services.forgejo.user;
+        };
+
+        services = {
+          forgejo = {
+            enable = true;
+            lfs.enable = true;
+            settings = {
+              DEFAULT = {
+                RUN_MODE = "dev";
+              };
+              server = lib.mkMerge [
+                {
+                  HTTP_PORT = cfg.port;
+                  DISABLE_SSH = true;
+                  ROOT_URL = "https://forgejo.john-stream.com";
+                }
+                (lib.mkIf cfg.https {
+                  PROTOCOL = "https";
+                  COOKIE_SECURE = true;
+                  KEY_FILE = config.mtls.keyFile;
+                  CERT_FILE = config.mtls.certFile;
+                })
+              ];
+              repository = {
+                ENABLE_PUSH_CREATE_USER = true;
+              };
+              ui.SHOW_USER_EMAIL = false;
+              markup = {
+                ENABLED = true;
+              };
+            };
+
+            secrets = {
+              security = {
+                SECRET_KEY = lib.mkForce config.sops.secrets."forgejo/secret_key".path;
+                INTERNAL_TOKEN = lib.mkForce config.sops.secrets."forgejo/internal_token".path;
+              };
+              oauth2.JWT_SECRET = lib.mkForce config.sops.secrets."forgejo/jwt_secret".path;
+              server.LFS_JWT_SECRET = lib.mkForce config.sops.secrets."forgejo/lfs_jwt_secret".path;
+            };
+
+            database = {
+              type = "postgres";
+              port = config.services.postgresql.settings.port;
+              # createDatabase = false;
+            };
+            # dump = {
+            #   enable = true;
+            #   interval = "12h";
+            # };
+          };
+
+          postgresql = {
+            enable = true;
+            enableTCPIP = false;
+          };
+        };
+
+        environment.systemPackages =
+          let
+            systemctl = lib.getExe' pkgs.systemd "systemctl";
+            clean-forgejo = (pkgs.writeShellScriptBin "clean-forgejo" ''
+              set -e
+              sudo ${systemctl} stop forgejo.service
+              ${lib.getExe' pkgs.coreutils "echo"} "Stopped Forgejo"
+              sudo ${lib.getExe' pkgs.coreutils "rm"} -rf ${config.services.forgejo.stateDir}
+              ${lib.getExe' pkgs.coreutils "echo"} "Removed ${config.services.forgejo.stateDir}"
+            '');
+            clean-postgres = (pkgs.writeShellScriptBin "clean-postgres" ''
+              set -e
+              sudo ${systemctl} stop postgresql.service
+              ${lib.getExe' pkgs.coreutils "echo"} "Stopped PostgreSQL"
+              sudo ${lib.getExe' pkgs.coreutils "rm"} -rf ${config.services.postgresql.dataDir}
+              ${lib.getExe' pkgs.coreutils "echo"} "Removed ${config.services.postgresql.dataDir}"
+            '');
+          in [
+            clean-forgejo
+            clean-postgres
+            (pkgs.writeShellScriptBin "clean-all" ''
+              set -e
+              ${lib.getExe clean-forgejo}
+              ${lib.getExe clean-postgres}
+              ${lib.getExe' pkgs.coreutils "echo"} "Removed everything related to forgejo"
+            '')
          ];
-
-          database = {
-            type = "postgres";
-            port = config.services.postgresql.settings.port;
-            # createDatabase = false;
-          };
-          # dump = {
-          #   enable = true;
-          #   interval = "12h";
-          # };
-        };
-
-        services.postgresql = {
-          enable = true;
-          settings = {
-
-          };
-        };
      };
    };
 }
@@ -66,9 +66,9 @@ let
        default = "root";
      };
      group = lib.mkOption {
-        description = "Group to run the mTLS renewal service as. Defaults to the configured renewal user when null.";
+        description = "Group to run the mTLS renewal service as. Defaults to the configured renewal user.";
        type = lib.types.nullOr lib.types.str;
-        default = null;
+        default = "mtls";
      };
      reloadUnits = lib.mkOption {
        description = "systemd units to try-reload-or-restart after a successful certificate renewal.";
@@ -92,8 +92,13 @@ let
    keyFile,
    bundleFile,
    lifetime,
+    user,
+    group,
  }:
  let
+    catCmd = lib.getExe' pkgs.coreutils "cat";
+    chownCmd = lib.getExe' pkgs.coreutils "chown";
+    chmodCmd = lib.getExe' pkgs.coreutils "chmod";
    stepCmd = lib.getExe pkgs.step-cli;
    sanArgs = lib.concatMapStringsSep " " (s: "--san \"${s}\"") san;
  in
@@ -105,7 +110,10 @@ let
        --provisioner ${provisioner} \
        ${sanArgs} \
        "$@"
-      cat ${certFile} ${keyFile} > ${bundleFile}
+      (umask 077; ${catCmd} ${certFile} ${keyFile} > ${bundleFile})
+      ${chownCmd} ${user}:${group} ${certFile} ${keyFile} ${bundleFile}
+      ${chmodCmd} 640 ${certFile} ${keyFile} ${bundleFile}
+      printf '\033[32m✔\033[0m \033[1mmTLS Bundle:\033[0m %s\n' ${lib.escapeShellArg bundleFile}
    '';
  
  mkMtlsCheckScript = { pkgs, bundleFile }: pkgs.writeShellScriptBin "mtls-check" ''
@@ -117,75 +125,83 @@ let

  mkMtlsRenewScript = {
    pkgs,
-    certFile,
-    keyFile,
-    bundleFile,
-    reloadUnits ? [ ],
-    postCommands ? [ ],
+    cfg,
    systemctlArgs ? [ ],
  }:
  let
+    catCmd = lib.getExe' pkgs.coreutils "cat";
    echoCmd = lib.getExe' pkgs.coreutils "echo";
-    systemctl = lib.getExe' pkgs.systemd "systemctl";
-    escapedArgs = lib.escapeShellArgs systemctlArgs;
-    systemctlCommand = "${systemctl} ${escapedArgs}";
+    chownCmd = lib.getExe' pkgs.coreutils "chown";
+    chmodCmd = lib.getExe' pkgs.coreutils "chmod";
+    stepCmd = lib.getExe pkgs.step-cli;
+    systemctlCmd = "${lib.getExe' pkgs.systemd "systemctl"} ${lib.escapeShellArgs systemctlArgs}";
+
+    hasReloadUnits = cfg.renew.reloadUnits != [ ];
    renewReloadScript = lib.concatMapStringsSep "\n" (unit: ''
-      if ${systemctlCommand} --quiet is-active "${unit}"; then
-        ${systemctlCommand} try-reload-or-restart "${unit}"
+      if ${systemctlCmd} --quiet is-active "${unit}"; then
+        ${systemctlCmd} try-reload-or-restart "${unit}"
      fi
-    '') reloadUnits;
-    renewPostCommands = lib.concatStringsSep "\n" postCommands;
+    '') cfg.renew.reloadUnits;
+
+    hasPostCommands = cfg.renew.postCommands != [ ];
+    renewPostCommands = lib.concatStringsSep "\n" cfg.renew.postCommands;
+
+    fileOwner = "${cfg.renew.user}:${cfg.renew.group}";
  in
    pkgs.writeShellScriptBin "mtls-renew" ''
      set -euo pipefail

-      if ${lib.getExe pkgs.step-cli} certificate needs-renewal "${certFile}"; then
-        ${echoCmd} "Renewing mTLS certificate"
-      else
+      YELLOW_BANG="\e[33m!\e[0m"
+
+      force=0
+      while [[ $# -gt 0 ]]; do
+      case $1 in
+        --force)
+        force=1
+        shift
+        ;;
+        *)
+        ${echoCmd} -e "$YELLOW_BANG Warning: ignoring unrecognized argument '$1'"
+        exit 1
+        ;;
+      esac
+      done
+
+      if [[ $force -eq 0 ]] && ! ${stepCmd} certificate needs-renewal "${cfg.certFile}"; then
        ${echoCmd} "Skipping renew"
-        exit "$?"
+        exit 0
      fi

-      ${lib.getExe pkgs.step-cli} ca renew --force "${certFile}" "${keyFile}"
+      ${echoCmd} "Renewing mTLS certificate"
+      ${stepCmd} ca renew --force "${cfg.certFile}" "${cfg.keyFile}"
+      (umask 077; ${catCmd} "${cfg.certFile}" "${cfg.keyFile}" > "${cfg.bundleFile}")
+      ${chownCmd} ${fileOwner} ${cfg.certFile} ${cfg.keyFile} ${cfg.bundleFile}
+      ${chmodCmd} 640 ${cfg.certFile} ${cfg.keyFile} ${cfg.bundleFile}

-      umask 077
-      ${lib.getExe' pkgs.coreutils "cat"} "${certFile}" "${keyFile}" > "${bundleFile}"
-
-      ${echoCmd} "Reloading units:"
+      ${lib.optionalString hasReloadUnits ''
+      ${echoCmd} "Reloading units: ${lib.concatStringsSep ", " cfg.renew.reloadUnits}"
      ${renewReloadScript}
+      ''}

+      ${lib.optionalString hasPostCommands ''
      ${echoCmd} "Post commands:"
      ${renewPostCommands}
+      ''}
    '';

-  mkNixosMtlsRenewService = {
-    pkgs,
-    certFile,
-    keyFile,
-    bundleFile,
-    reloadUnits ? [ ],
-    postCommands ? [ ],
-    user ? "root",
-    group ? null,
-  }:
-  let
-    serviceGroup = if group == null then user else group;
-    renewScript = mkMtlsRenewScript {
-      inherit pkgs certFile keyFile bundleFile reloadUnits postCommands;
+  mkNixosMtlsRenewService = { pkgs, cfg, ... }:
+    {
+      description = "Renew the mTLS certificate when Smallstep marks it ready";
+      wantedBy = [ ];
+      after = [ "network-online.target" ];
+      wants = [ "network-online.target" ];
+      serviceConfig = {
+        Type = "oneshot";
+        User = cfg.renew.user;
+        Group = cfg.renew.group;
+        ExecStart = lib.getExe (mkMtlsRenewScript { inherit pkgs cfg; });
+      };
    };
-  in
-  {
-    description = "Renew the mTLS certificate when Smallstep marks it ready";
-    wantedBy = [ ];
-    after = [ "network-online.target" ];
-    wants = [ "network-online.target" ];
-    serviceConfig = {
-      Type = "oneshot";
-      User = user;
-      Group = serviceGroup;
-      ExecStart = lib.getExe renewScript;
-    };
-  };

  mkNixosMtlsRenewTimer = {
    onCalendar,
@@ -203,17 +219,10 @@ let
    };
  };

-  mkHomeManagerMtlsRenewService = {
-    pkgs,
-    certFile,
-    keyFile,
-    bundleFile,
-    reloadUnits ? [ ],
-    postCommands ? [ ],
-  }:
+  mkHomeManagerMtlsRenewService = { pkgs, cfg, ... }:
  let
    renewScript = mkMtlsRenewScript {
-      inherit pkgs certFile keyFile bundleFile reloadUnits postCommands;
+      inherit pkgs cfg;
      systemctlArgs = [ "--user" ];
    };
  in
@@ -263,28 +272,36 @@ in
          type = lib.types.str;
          default = "/etc/step-ca/certs";
        };
+        certReaders = lib.mkOption {
+          description = "";
+          type = lib.types.listOf lib.types.str;
+          default = [ ];
+        };
      };

      config = lib.mkIf cfg.enable {
+        users.groups.certReaders = {
+          name = cfg.renew.group;
+          members = cfg.certReaders;
+        };
+
        environment.systemPackages = with pkgs; lib.optionals cfg.enable [
          # step-cli
          (mkMtlsGenerateScript {
            inherit pkgs;
            inherit (cfg) subject provisioner san certFile keyFile bundleFile lifetime;
+            inherit (cfg.renew) user group;
          })
          (mkMtlsCheckScript { inherit pkgs; inherit (cfg) bundleFile; })
-          (mkMtlsRenewScript { inherit pkgs; inherit (cfg) certFile keyFile bundleFile; })
+          (mkMtlsRenewScript { inherit pkgs cfg; })
        ];

        systemd.tmpfiles.rules = [
-          "d ${cfg.certDir} 0750 ${cfg.renew.user} ${if cfg.renew.group == null then cfg.renew.user else cfg.renew.group} -"
+          "d ${cfg.certDir} 0750 ${cfg.renew.user} ${cfg.renew.group} -"
        ];

-        systemd.services.mtls-renew = lib.mkIf cfg.renew.enable (mkNixosMtlsRenewService {
-          inherit pkgs;
-          inherit (cfg) certFile keyFile bundleFile;
-          inherit (cfg.renew) reloadUnits postCommands user group;
-        });
+        systemd.services.mtls-renew = lib.mkIf cfg.renew.enable
+          (mkNixosMtlsRenewService { inherit pkgs cfg; });

        systemd.timers.mtls-renew = lib.mkIf cfg.renew.enable (mkNixosMtlsRenewTimer {
          inherit (cfg.renew) onCalendar randomizedDelaySec;
@@ -314,20 +331,19 @@ in
          # step-cli
          (mkMtlsGenerateScript {
            inherit (cfg) subject provisioner san lifetime;
+            inherit (cfg.renew) user group;
            inherit pkgs certFile keyFile bundleFile;
          })
          (mkMtlsCheckScript { inherit pkgs bundleFile; })
-          (mkMtlsRenewScript { inherit pkgs certFile keyFile bundleFile; })
+          (mkMtlsRenewScript { inherit pkgs cfg; systemctlArgs = [ "--user" ]; })
        ];

        systemd.user.tmpfiles.rules = lib.mkIf cfg.enable [
          "d ${cfg.certDir} 0700 - - -"
        ];

-        systemd.user.services.mtls-renew = lib.mkIf cfg.renew.enable (mkHomeManagerMtlsRenewService {
-          inherit pkgs certFile keyFile bundleFile;
-          inherit (cfg.renew) reloadUnits postCommands;
-        });
+        systemd.user.services.mtls-renew = lib.mkIf cfg.renew.enable
+          (mkHomeManagerMtlsRenewService { inherit pkgs cfg; });

        systemd.user.timers.mtls-renew = lib.mkIf cfg.renew.enable (mkHomeManagerMtlsRenewTimer {
          inherit (cfg.renew) onCalendar randomizedDelaySec;
@@ -9,25 +9,45 @@ in
  flake.modules.nixos.janus-ca =
    { config, lib, ... }:
    let
+      cfg = config.janus-ca;
      johnHome = lib.attrByPath [ "users" "users" username "home" ] "/home/${username}" config;
      johnGroup = lib.attrByPath [ "users" "users" username "group" ] username config;
+      cfgInEtc = lib.hasPrefix "/etc/" cfg.certDir;
+      certDirEtcPath =
+        if cfgInEtc then
+          lib.removePrefix "/etc/" cfg.certDir
+        else
+          cfg.certDir;
+      certRootEtcPath = "${certDirEtcPath}/root_ca.crt";
      mkStepRules = home: user: group: [
        "d ${home}/.step 0700 ${user} ${group} -"
        "d ${home}/.step/config 0700 ${user} ${group} -"
        "d ${home}/.step/certs 0700 ${user} ${group} -"
-        "L+ ${home}/.step/config/defaults.json - - - - /etc/step/config/defaults.json"
-        "L+ ${home}/.step/certs/root_ca.crt - - - - /etc/step/certs/root_ca.crt"
+        "L+ ${home}/.step/config/defaults.json - - - - /etc/step-ca/defaults.json"
+        "L+ ${home}/.step/certs/root_ca.crt - - - - ${cfg.certDir}/root_ca.crt"
      ];
    in
    {
-      environment.etc."step/config/defaults.json".text = builtins.toJSON {
-        inherit ca-url fingerprint;
-        root = "/etc/step-ca/certs/root_ca.crt";
+      options.janus-ca = {
+        certDir = lib.mkOption {
+          description = "String path to where the mtls certs will be stored.";
+          type = lib.types.str;
+          default = "/etc/step-ca/certs";
+        };
+      };
+
+      config = {
+        environment.etc = lib.mkIf cfgInEtc {
+          "step-ca/defaults.json".text = builtins.toJSON {
+            inherit ca-url fingerprint;
+            root = "/etc/${certRootEtcPath}";
+          };
+          "${certRootEtcPath}".source = ./root_ca.crt;
+        };
+        systemd.tmpfiles.rules =
+          mkStepRules johnHome username johnGroup
+          ++ mkStepRules "/root" "root" "root";
      };
-      environment.etc."step-ca/certs/root_ca.crt".source = ./root_ca.crt;
-      systemd.tmpfiles.rules =
-        mkStepRules johnHome username johnGroup
-        ++ mkStepRules "/root" "root" "root";
    };

  flake.modules.homeManager.janus-ca = { config, ... }: {
@@ -1,5 +1,13 @@
 janus:
    admin_jwk: ENC[AES256_GCM,data:2XcN5X77wTQ+OUXa4C9xAErGvrwJKseHjCcgoj6jt+c=,iv:9x+M1wM0dYND1JYkJjM4N8pSOok2OF+P9vmm9NCumTI=,tag:dTCfh+KB1iRJBVoNsGqvuw==,type:str]
+forgejo:
+    #ENC[AES256_GCM,data:/wtm0uXbiWFoGNWtlTzVuNxBR7CPm2FMB98t3AxSj5V5rltLvzF9BjgWoJCiX3ltzmU=,iv:xaZXbUIGJHxPrLRQzEQI7hgRgc0y061jIhoE3zlcMaA=,tag:fQGheCIdBKm6wE+vtj7g6A==,type:comment]
+    secret_key: ENC[AES256_GCM,data:/jcyeDcsryLqu9Q3VnNaENb71/Tl5JUr0zDzxt8L5UCtnJ/YHA6MKItrQ9ZHFv1XROtnSfZl9D5kKomeM8EVqA==,iv:HxMKAMVQ08gkq6SWENj0/d8i9PhcgPCp5eqbztj9bSg=,tag:nO2dFWT/vfgGc/9JIDZrGw==,type:str]
+    #ENC[AES256_GCM,data:TADqVsZwXpH/zfrXNclavH8Sv++jX081UjK/Mkys5x52gU5fU0ikk478EmwzeergsHpmxxon,iv:v9HsIsud+eiko7F0u622MBrTVDsIxlpqru0Viifvqow=,tag:FLgNTW0EcGhHT6iI9I6Bsg==,type:comment]
+    internal_token: ENC[AES256_GCM,data:7eZM+misgHZz1p6HH9VzCAPIIFjp2vT0kyc9B1KllE+x2URyrgs5IR9SZ+T5vNdMdnlNzF25pUhKzjbak8tVN554rYWp06SczzqhLyaoHKs8iGBohMqfJkoZxxIVSB7g7GC+/SAsb719,iv:XbBXqXh/PqjEcAj0qsajR7Ij56KGT/9Spdp5T549p9I=,tag:o4ONucOkIE2VJ6VjOlPb6w==,type:str]
+    #ENC[AES256_GCM,data:ZqwgnKjaolJtjcy287fnDOkb/oSLnBpfWfsTeVPwbIE8YLRSoPP4gbCnHJBLq+TJNNI=,iv:zTvw4ZS6C1ifUwOijNLuTfUQ3JM+5gj1X2f/s8MwWXc=,tag:Y1yKlL+jIRHVBulGlSErog==,type:comment]
+    jwt_secret: ENC[AES256_GCM,data:e59MlATOorsTIQjtTUKfX5Yo3CVsbbfuKczp1gh1m2D1kkZK3ORFztYpjg==,iv:JH3PVUmXToiThEKDkDJ8MGVMAPlIEgPSWhru+9WgNjk=,tag:FfDpaCPejpw6kGDkxJwDWw==,type:str]
+    lfs_jwt_secret: ENC[AES256_GCM,data:xi9PEKFUGRyc3YOg3JM3KrrENi9xsbeBjiz4R16SK5WDafoGFLazN6KRJQ==,iv:1IhPyQDwA8tZ22pfZJiU8TRTCLCHC/HAnKdmSGDfvcM=,tag:rLdREVSKBm67rt8ayN16Vw==,type:str]
 sops:
    age:
        - recipient: age1ykcs39e62pz3xu6cedg8ea685kv5d5qsrhgkndygzm8rx30xd5ys5t3qxt
@@ -29,7 +37,7 @@ sops:
            Yjd0MUcxcExvWVpCOUR3MkdZdGQyWUkKnru0Y2A98+0Mps7EtVK7ct3vPqIGveUt
            E5fzpcKvdefzObrx7BPTwJ19t2fZg/dSi7HKwx3vmKZSzyQaqJOzsg==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-03-29T22:44:20Z"
-    mac: ENC[AES256_GCM,data:f2QVZsCNZJIxnsWsBXVyD6JFSmsMktZqCXQWAJcLfSaojEld9CMu1rJjDyCbG3GPJStrMS20WZbtQvx7H6gosnkxXL401L8SwIoy/gNNEIx0qVLUneoEsuvjSTIiiUG7B2Y9lBKQ/kO/iKrJMURSke0wWWC1Ng5mUePfZ94FVTg=,iv:xOFeak0pjBt4iTFr9vt4cuA9WzFD/ipVThgulNOp100=,tag:YPLXK4RmQLa+ADl6DohmBQ==,type:str]
+    lastmodified: "2026-04-02T03:47:52Z"
+    mac: ENC[AES256_GCM,data:NvCF78rzYOv2Ulf3TLB4eKtYEqNkfSzPBPRXcpTTO9QoSH3axdapkhUzsSq2d30RV/F/PLMbMaERMgW1SFT0Uikvk0s5ALmwN29MMwA6BMyup5bzOQeOIxOoeYrKOeqCJdI3ZhtqV/ebvyTebVI7Q6Jw0QKf+9SW2RfYGFJkKF0=,iv:VSoGZkzSzI9SPnvrzyIgWgW/teRNiFlf5fdmHKVg2TE=,tag:qm/jUdQ63MdWUxBDJ9kxww==,type:str]
    unencrypted_suffix: _unencrypted
-    version: 3.12.1
+    version: 3.12.2
Author	SHA1	Message	Date
John Lancaster	0854439bdf	disabled TCP connections for postgres	2026-04-04 12:21:50 -05:00
John Lancaster	ff70a35078	janus-ca pkg updates	2026-04-04 12:09:13 -05:00
John Lancaster	b8b8a445f9	mTLS generate script improvements	2026-04-04 11:09:25 -05:00
John Lancaster	13a841c8db	mtls optimizations	2026-04-04 10:44:37 -05:00
John Lancaster	6c26e898b2	improving renew script	2026-04-04 09:46:55 -05:00
John Lancaster	710f13ace4	renew script tweaks	2026-04-04 09:33:08 -05:00
John Lancaster	1a7a1189e7	privileged port permissions for https	2026-04-03 18:16:29 -05:00
John Lancaster	ff74205c57	mtls file permissions	2026-04-03 18:16:12 -05:00
John Lancaster	32b7932916	script tweaks	2026-04-02 17:28:06 -05:00
John Lancaster	f05a3af30d	forgejo secrets	2026-04-02 17:24:32 -05:00
John Lancaster	3e84eb641f	added forgejo secrets to soteria	2026-04-02 07:56:35 -05:00