improving renew script

modules/features/forgejo.nix

@@ -2,6 +2,7 @@
   flake.modules.nixos.forgejo = {config, pkgs, lib, ... }:
     let
       cfg = config.forgejo;
+      needsPrivilegedPort = cfg.port < 1024;
     in
     {
       options.forgejo = {
@@ -25,40 +26,103 @@
       config = lib.mkIf cfg.enable {
         networking.firewall.allowedTCPPorts = lib.optionals cfg.openFirewall [ cfg.port ];
 
-        services.forgejo = {
+        systemd.services.forgejo.serviceConfig = lib.mkIf needsPrivilegedPort {
-          enable = true;
+          AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
-          lfs.enable = true;
+          CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
-          settings.server = lib.mkMerge [
+          PrivateUsers = lib.mkForce false;
-            {
+        };
-              HTTP_PORT = cfg.port;
+
-              DISABLE_SSH = true;
+        sops.secrets = {
-            }
+          "forgejo/secret_key".owner = config.services.forgejo.user;
-            (lib.mkIf cfg.https {
+          "forgejo/internal_token".owner = config.services.forgejo.user;
-              ROOT_URL = "https://forgejo.john-stream.com";
+          "forgejo/jwt_secret".owner = config.services.forgejo.user;
-              PROTOCOL = "https";
+          "forgejo/lfs_jwt_secret".owner = config.services.forgejo.user;
-              COOKIE_SECURE = true;
+        };
-              KEY_FILE = config.mtls.keyFile;
+
-              CERT_FILE = config.mtls.certFile;
+        services = {
-            })
+          forgejo = {
+            enable = true;
+            lfs.enable = true;
+            settings = {
+              DEFAULT = {
+                RUN_MODE = "dev";
+              };
+              server = lib.mkMerge [
+                {
+                  HTTP_PORT = cfg.port;
+                  DISABLE_SSH = true;
+                  ROOT_URL = "https://forgejo.john-stream.com";
+                }
+                (lib.mkIf cfg.https {
+                  PROTOCOL = "https";
+                  COOKIE_SECURE = true;
+                  KEY_FILE = config.mtls.keyFile;
+                  CERT_FILE = config.mtls.certFile;
+                })
+              ];
+              repository = {
+                ENABLE_PUSH_CREATE_USER = true;
+              };
+              ui.SHOW_USER_EMAIL = false;
+              markup = {
+                ENABLED = true;
+              };
+            };
+
+            secrets = {
+              security = {
+                SECRET_KEY = lib.mkForce config.sops.secrets."forgejo/secret_key".path;
+                INTERNAL_TOKEN = lib.mkForce config.sops.secrets."forgejo/internal_token".path;
+              };
+              oauth2.JWT_SECRET = lib.mkForce config.sops.secrets."forgejo/jwt_secret".path;
+              server.LFS_JWT_SECRET = lib.mkForce config.sops.secrets."forgejo/lfs_jwt_secret".path;
+            };
+
+            database = {
+              type = "postgres";
+              port = config.services.postgresql.settings.port;
+              # createDatabase = false;
+            };
+            # dump = {
+            #   enable = true;
+            #   interval = "12h";
+            # };
+          };
+
+          postgresql = {
+            enable = true;
+            settings = {
+            };
+          };
+        };
+
+        environment.systemPackages =
+          let
+            systemctl = lib.getExe' pkgs.systemd "systemctl";
+            clean-forgejo = (pkgs.writeShellScriptBin "clean-forgejo" ''
+              set -e
+              sudo ${systemctl} stop forgejo.service
+              ${lib.getExe' pkgs.coreutils "echo"} "Stopped Forgejo"
+              sudo ${lib.getExe' pkgs.coreutils "rm"} -rf ${config.services.forgejo.stateDir}
+              ${lib.getExe' pkgs.coreutils "echo"} "Removed ${config.services.forgejo.stateDir}"
+            '');
+            clean-postgres = (pkgs.writeShellScriptBin "clean-postgres" ''
+              set -e
+              sudo ${systemctl} stop postgresql.service
+              ${lib.getExe' pkgs.coreutils "echo"} "Stopped PostgreSQL"
+              sudo ${lib.getExe' pkgs.coreutils "rm"} -rf ${config.services.postgresql.dataDir}
+              ${lib.getExe' pkgs.coreutils "echo"} "Removed ${config.services.postgresql.dataDir}"
+            '');
+          in [
+            clean-forgejo
+            clean-postgres
+            (pkgs.writeShellScriptBin "clean-all" ''
+              set -e
+              ${lib.getExe clean-forgejo}
+              ${lib.getExe clean-postgres}
+              ${lib.getExe' pkgs.coreutils "echo"} "Removed everything related to forgejo"
+            '')
           ];
-
-          database = {
-            type = "postgres";
-            port = config.services.postgresql.settings.port;
-            # createDatabase = false;
-          };
-          # dump = {
-          #   enable = true;
-          #   interval = "12h";
-          # };
-        };
-
-        services.postgresql = {
-          enable = true;
-          settings = {
-
-          };
-        };
       };
     };
 }

modules/features/mtls.nix

@@ -66,9 +66,9 @@ let
         default = "root";
       };
       group = lib.mkOption {
-        description = "Group to run the mTLS renewal service as. Defaults to the configured renewal user when null.";
+        description = "Group to run the mTLS renewal service as. Defaults to the configured renewal user.";
         type = lib.types.nullOr lib.types.str;
-        default = null;
+        default = cfg.user;
       };
       reloadUnits = lib.mkOption {
         description = "systemd units to try-reload-or-restart after a successful certificate renewal.";
@@ -92,8 +92,14 @@ let
     keyFile,
     bundleFile,
     lifetime,
+    user,
+    group,
   }:
   let
+    catCmd = lib.getExe' pkgs.coreutils "cat";
+    echoCmd = lib.getExe' pkgs.coreutils "echo";
+    chownCmd = lib.getExe' pkgs.coreutils "chown";
+    chmodCmd = lib.getExe' pkgs.coreutils "chmod";
     stepCmd = lib.getExe pkgs.step-cli;
     sanArgs = lib.concatMapStringsSep " " (s: "--san \"${s}\"") san;
   in
@@ -105,7 +111,9 @@ let
         --provisioner ${provisioner} \
         ${sanArgs} \
         "$@"
-      cat ${certFile} ${keyFile} > ${bundleFile}
+      (umask 077; ${catCmd} ${certFile} ${keyFile} > ${bundleFile})
+      ${chownCmd} ${user}:${group} ${certFile} ${keyFile} ${bundleFile}
+      ${chmodCmd} 640 ${certFile} ${keyFile} ${bundleFile}
     '';
   
   mkMtlsCheckScript = { pkgs, bundleFile }: pkgs.writeShellScriptBin "mtls-check" ''
@@ -120,18 +128,24 @@ let
     certFile,
     keyFile,
     bundleFile,
+    user,
+    group,
     reloadUnits ? [ ],
     postCommands ? [ ],
     systemctlArgs ? [ ],
   }:
   let
+    catCmd = lib.getExe' pkgs.coreutils "cat";
     echoCmd = lib.getExe' pkgs.coreutils "echo";
-    systemctl = lib.getExe' pkgs.systemd "systemctl";
+    chownCmd = lib.getExe' pkgs.coreutils "chown";
-    escapedArgs = lib.escapeShellArgs systemctlArgs;
+    chmodCmd = lib.getExe' pkgs.coreutils "chmod";
-    systemctlCommand = "${systemctl} ${escapedArgs}";
+    stepCmd = lib.getExe pkgs.step-cli;
+    hasReloadUnits = reloadUnits != [ ];
+    hasPostCommands = postCommands != [ ];
+    systemctlCmd = "${lib.getExe' pkgs.systemd "systemctl"} ${lib.escapeShellArgs systemctlArgs}";
     renewReloadScript = lib.concatMapStringsSep "\n" (unit: ''
-      if ${systemctlCommand} --quiet is-active "${unit}"; then
+      if ${systemctlCmd} --quiet is-active "${unit}"; then
-        ${systemctlCommand} try-reload-or-restart "${unit}"
+        ${systemctlCmd} try-reload-or-restart "${unit}"
       fi
     '') reloadUnits;
     renewPostCommands = lib.concatStringsSep "\n" postCommands;
@@ -139,23 +153,42 @@ let
     pkgs.writeShellScriptBin "mtls-renew" ''
       set -euo pipefail
 
-      if ${lib.getExe pkgs.step-cli} certificate needs-renewal "${certFile}"; then
+      YELLOW_BANG="\e[33m!\e[0m"
-        ${echoCmd} "Renewing mTLS certificate"
+
-      else
+      force=0
+      while [[ $# -gt 0 ]]; do
+      case $1 in
+        --force)
+        force=1
+        shift
+        ;;
+        *)
+        ${echoCmd} -e "$YELLOW_BANG Warning: ignoring unrecognized argument '$1'"
+        exit 1
+        ;;
+      esac
+      done
+
+      if [[ $force -eq 0 ]] && ! ${stepCmd} certificate needs-renewal "${certFile}"; then
         ${echoCmd} "Skipping renew"
-        exit "$?"
+        exit 0
       fi
 
-      ${lib.getExe pkgs.step-cli} ca renew --force "${certFile}" "${keyFile}"
+      ${echoCmd} "Renewing mTLS certificate"
-
+      ${stepCmd} ca renew --force "${certFile}" "${keyFile}"
-      umask 077
+      (umask 077; ${catCmd} "${certFile}" "${keyFile}" > "${bundleFile}")
-      ${lib.getExe' pkgs.coreutils "cat"} "${certFile}" "${keyFile}" > "${bundleFile}"
+      ${chownCmd} ${user}:${group} ${certFile} ${keyFile} ${bundleFile}
+      ${chmodCmd} 640 ${certFile} ${keyFile} ${bundleFile}
 
+      ${lib.optionalString hasReloadUnits ''
       ${echoCmd} "Reloading units:"
       ${renewReloadScript}
+      ''}
 
+      ${lib.optionalString hasPostCommands ''
       ${echoCmd} "Post commands:"
       ${renewPostCommands}
+      ''}
     '';
 
   mkNixosMtlsRenewService = {
@@ -171,7 +204,7 @@ let
   let
     serviceGroup = if group == null then user else group;
     renewScript = mkMtlsRenewScript {
-      inherit pkgs certFile keyFile bundleFile reloadUnits postCommands;
+      inherit pkgs certFile keyFile bundleFile reloadUnits postCommands user group;
     };
   in
   {
@@ -271,13 +304,18 @@ in
           (mkMtlsGenerateScript {
             inherit pkgs;
             inherit (cfg) subject provisioner san certFile keyFile bundleFile lifetime;
+            inherit (cfg.renew) user group;
           })
           (mkMtlsCheckScript { inherit pkgs; inherit (cfg) bundleFile; })
-          (mkMtlsRenewScript { inherit pkgs; inherit (cfg) certFile keyFile bundleFile; })
+          (mkMtlsRenewScript {
+            inherit pkgs;
+            inherit (cfg) certFile keyFile bundleFile;
+            inherit (cfg.renew) user group;
+          })
         ];
 
         systemd.tmpfiles.rules = [
-          "d ${cfg.certDir} 0750 ${cfg.renew.user} ${if cfg.renew.group == null then cfg.renew.user else cfg.renew.group} -"
+          "d ${cfg.certDir} 0750 ${cfg.renew.user} ${cfg.renew.group} -"
         ];
 
         systemd.services.mtls-renew = lib.mkIf cfg.renew.enable (mkNixosMtlsRenewService {
@@ -314,10 +352,11 @@ in
           # step-cli
           (mkMtlsGenerateScript {
             inherit (cfg) subject provisioner san lifetime;
+            inherit (cfg.renew) user group;
             inherit pkgs certFile keyFile bundleFile;
           })
           (mkMtlsCheckScript { inherit pkgs bundleFile; })
-          (mkMtlsRenewScript { inherit pkgs certFile keyFile bundleFile; })
+          (mkMtlsRenewScript { inherit pkgs certFile keyFile bundleFile; inherit (cfg.renew) user group; })
         ];
 
         systemd.user.tmpfiles.rules = lib.mkIf cfg.enable [

modules/hosts/soteria/secrets.yaml

@@ -1,5 +1,13 @@
 janus:
     admin_jwk: ENC[AES256_GCM,data:2XcN5X77wTQ+OUXa4C9xAErGvrwJKseHjCcgoj6jt+c=,iv:9x+M1wM0dYND1JYkJjM4N8pSOok2OF+P9vmm9NCumTI=,tag:dTCfh+KB1iRJBVoNsGqvuw==,type:str]
+forgejo:
+    #ENC[AES256_GCM,data:/wtm0uXbiWFoGNWtlTzVuNxBR7CPm2FMB98t3AxSj5V5rltLvzF9BjgWoJCiX3ltzmU=,iv:xaZXbUIGJHxPrLRQzEQI7hgRgc0y061jIhoE3zlcMaA=,tag:fQGheCIdBKm6wE+vtj7g6A==,type:comment]
+    secret_key: ENC[AES256_GCM,data:/jcyeDcsryLqu9Q3VnNaENb71/Tl5JUr0zDzxt8L5UCtnJ/YHA6MKItrQ9ZHFv1XROtnSfZl9D5kKomeM8EVqA==,iv:HxMKAMVQ08gkq6SWENj0/d8i9PhcgPCp5eqbztj9bSg=,tag:nO2dFWT/vfgGc/9JIDZrGw==,type:str]
+    #ENC[AES256_GCM,data:TADqVsZwXpH/zfrXNclavH8Sv++jX081UjK/Mkys5x52gU5fU0ikk478EmwzeergsHpmxxon,iv:v9HsIsud+eiko7F0u622MBrTVDsIxlpqru0Viifvqow=,tag:FLgNTW0EcGhHT6iI9I6Bsg==,type:comment]
+    internal_token: ENC[AES256_GCM,data:7eZM+misgHZz1p6HH9VzCAPIIFjp2vT0kyc9B1KllE+x2URyrgs5IR9SZ+T5vNdMdnlNzF25pUhKzjbak8tVN554rYWp06SczzqhLyaoHKs8iGBohMqfJkoZxxIVSB7g7GC+/SAsb719,iv:XbBXqXh/PqjEcAj0qsajR7Ij56KGT/9Spdp5T549p9I=,tag:o4ONucOkIE2VJ6VjOlPb6w==,type:str]
+    #ENC[AES256_GCM,data:ZqwgnKjaolJtjcy287fnDOkb/oSLnBpfWfsTeVPwbIE8YLRSoPP4gbCnHJBLq+TJNNI=,iv:zTvw4ZS6C1ifUwOijNLuTfUQ3JM+5gj1X2f/s8MwWXc=,tag:Y1yKlL+jIRHVBulGlSErog==,type:comment]
+    jwt_secret: ENC[AES256_GCM,data:e59MlATOorsTIQjtTUKfX5Yo3CVsbbfuKczp1gh1m2D1kkZK3ORFztYpjg==,iv:JH3PVUmXToiThEKDkDJ8MGVMAPlIEgPSWhru+9WgNjk=,tag:FfDpaCPejpw6kGDkxJwDWw==,type:str]
+    lfs_jwt_secret: ENC[AES256_GCM,data:xi9PEKFUGRyc3YOg3JM3KrrENi9xsbeBjiz4R16SK5WDafoGFLazN6KRJQ==,iv:1IhPyQDwA8tZ22pfZJiU8TRTCLCHC/HAnKdmSGDfvcM=,tag:rLdREVSKBm67rt8ayN16Vw==,type:str]
 sops:
     age:
         - recipient: age1ykcs39e62pz3xu6cedg8ea685kv5d5qsrhgkndygzm8rx30xd5ys5t3qxt
@@ -29,7 +37,7 @@ sops:
             Yjd0MUcxcExvWVpCOUR3MkdZdGQyWUkKnru0Y2A98+0Mps7EtVK7ct3vPqIGveUt
             E5fzpcKvdefzObrx7BPTwJ19t2fZg/dSi7HKwx3vmKZSzyQaqJOzsg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-03-29T22:44:20Z"
+    lastmodified: "2026-04-02T03:47:52Z"
-    mac: ENC[AES256_GCM,data:f2QVZsCNZJIxnsWsBXVyD6JFSmsMktZqCXQWAJcLfSaojEld9CMu1rJjDyCbG3GPJStrMS20WZbtQvx7H6gosnkxXL401L8SwIoy/gNNEIx0qVLUneoEsuvjSTIiiUG7B2Y9lBKQ/kO/iKrJMURSke0wWWC1Ng5mUePfZ94FVTg=,iv:xOFeak0pjBt4iTFr9vt4cuA9WzFD/ipVThgulNOp100=,tag:YPLXK4RmQLa+ADl6DohmBQ==,type:str]
+    mac: ENC[AES256_GCM,data:NvCF78rzYOv2Ulf3TLB4eKtYEqNkfSzPBPRXcpTTO9QoSH3axdapkhUzsSq2d30RV/F/PLMbMaERMgW1SFT0Uikvk0s5ALmwN29MMwA6BMyup5bzOQeOIxOoeYrKOeqCJdI3ZhtqV/ebvyTebVI7Q6Jw0QKf+9SW2RfYGFJkKF0=,iv:VSoGZkzSzI9SPnvrzyIgWgW/teRNiFlf5fdmHKVg2TE=,tag:qm/jUdQ63MdWUxBDJ9kxww==,type:str]
     unencrypted_suffix: _unencrypted
-    version: 3.12.1
+    version: 3.12.2