improving renew script

renew script tweaks
privileged port permissions for https
2026-04-04 09:46:55 -05:00 · 2026-04-04 09:33:08 -05:00 · 2026-04-03 18:16:29 -05:00 · 2026-04-03 18:16:12 -05:00 · 2026-04-02 17:28:06 -05:00 · 2026-04-02 17:24:32 -05:00
3 changed files with 167 additions and 56 deletions
@@ -2,6 +2,7 @@
  flake.modules.nixos.forgejo = {config, pkgs, lib, ... }:
    let
      cfg = config.forgejo;
+      needsPrivilegedPort = cfg.port < 1024;
    in
    {
      options.forgejo = {
@@ -25,22 +26,57 @@
      config = lib.mkIf cfg.enable {
        networking.firewall.allowedTCPPorts = lib.optionals cfg.openFirewall [ cfg.port ];

-        services.forgejo = {
+        systemd.services.forgejo.serviceConfig = lib.mkIf needsPrivilegedPort {
+          AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
+          CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
+          PrivateUsers = lib.mkForce false;
+        };
+
+        sops.secrets = {
+          "forgejo/secret_key".owner = config.services.forgejo.user;
+          "forgejo/internal_token".owner = config.services.forgejo.user;
+          "forgejo/jwt_secret".owner = config.services.forgejo.user;
+          "forgejo/lfs_jwt_secret".owner = config.services.forgejo.user;
+        };
+
+        services = {
+          forgejo = {
            enable = true;
            lfs.enable = true;
-          settings.server = lib.mkMerge [
+            settings = {
+              DEFAULT = {
+                RUN_MODE = "dev";
+              };
+              server = lib.mkMerge [
                {
                  HTTP_PORT = cfg.port;
                  DISABLE_SSH = true;
+                  ROOT_URL = "https://forgejo.john-stream.com";
                }
                (lib.mkIf cfg.https {
-              ROOT_URL = "https://forgejo.john-stream.com";
                  PROTOCOL = "https";
                  COOKIE_SECURE = true;
                  KEY_FILE = config.mtls.keyFile;
                  CERT_FILE = config.mtls.certFile;
                })
              ];
+              repository = {
+                ENABLE_PUSH_CREATE_USER = true;
+              };
+              ui.SHOW_USER_EMAIL = false;
+              markup = {
+                ENABLED = true;
+              };
+            };
+
+            secrets = {
+              security = {
+                SECRET_KEY = lib.mkForce config.sops.secrets."forgejo/secret_key".path;
+                INTERNAL_TOKEN = lib.mkForce config.sops.secrets."forgejo/internal_token".path;
+              };
+              oauth2.JWT_SECRET = lib.mkForce config.sops.secrets."forgejo/jwt_secret".path;
+              server.LFS_JWT_SECRET = lib.mkForce config.sops.secrets."forgejo/lfs_jwt_secret".path;
+            };

            database = {
              type = "postgres";
@@ -53,12 +89,40 @@
            # };
          };

-        services.postgresql = {
+          postgresql = {
            enable = true;
            settings = {
+            };
+          };
+        };

-          };
-        };
+        environment.systemPackages =
+          let
+            systemctl = lib.getExe' pkgs.systemd "systemctl";
+            clean-forgejo = (pkgs.writeShellScriptBin "clean-forgejo" ''
+              set -e
+              sudo ${systemctl} stop forgejo.service
+              ${lib.getExe' pkgs.coreutils "echo"} "Stopped Forgejo"
+              sudo ${lib.getExe' pkgs.coreutils "rm"} -rf ${config.services.forgejo.stateDir}
+              ${lib.getExe' pkgs.coreutils "echo"} "Removed ${config.services.forgejo.stateDir}"
+            '');
+            clean-postgres = (pkgs.writeShellScriptBin "clean-postgres" ''
+              set -e
+              sudo ${systemctl} stop postgresql.service
+              ${lib.getExe' pkgs.coreutils "echo"} "Stopped PostgreSQL"
+              sudo ${lib.getExe' pkgs.coreutils "rm"} -rf ${config.services.postgresql.dataDir}
+              ${lib.getExe' pkgs.coreutils "echo"} "Removed ${config.services.postgresql.dataDir}"
+            '');
+          in [
+            clean-forgejo
+            clean-postgres
+            (pkgs.writeShellScriptBin "clean-all" ''
+              set -e
+              ${lib.getExe clean-forgejo}
+              ${lib.getExe clean-postgres}
+              ${lib.getExe' pkgs.coreutils "echo"} "Removed everything related to forgejo"
+            '')
+          ];
      };
    };
 }
@@ -66,9 +66,9 @@ let
        default = "root";
      };
      group = lib.mkOption {
-        description = "Group to run the mTLS renewal service as. Defaults to the configured renewal user when null.";
+        description = "Group to run the mTLS renewal service as. Defaults to the configured renewal user.";
        type = lib.types.nullOr lib.types.str;
-        default = null;
+        default = cfg.user;
      };
      reloadUnits = lib.mkOption {
        description = "systemd units to try-reload-or-restart after a successful certificate renewal.";
@@ -92,8 +92,14 @@ let
    keyFile,
    bundleFile,
    lifetime,
+    user,
+    group,
  }:
  let
+    catCmd = lib.getExe' pkgs.coreutils "cat";
+    echoCmd = lib.getExe' pkgs.coreutils "echo";
+    chownCmd = lib.getExe' pkgs.coreutils "chown";
+    chmodCmd = lib.getExe' pkgs.coreutils "chmod";
    stepCmd = lib.getExe pkgs.step-cli;
    sanArgs = lib.concatMapStringsSep " " (s: "--san \"${s}\"") san;
  in
@@ -105,7 +111,9 @@ let
        --provisioner ${provisioner} \
        ${sanArgs} \
        "$@"
-      cat ${certFile} ${keyFile} > ${bundleFile}
+      (umask 077; ${catCmd} ${certFile} ${keyFile} > ${bundleFile})
+      ${chownCmd} ${user}:${group} ${certFile} ${keyFile} ${bundleFile}
+      ${chmodCmd} 640 ${certFile} ${keyFile} ${bundleFile}
    '';
  
  mkMtlsCheckScript = { pkgs, bundleFile }: pkgs.writeShellScriptBin "mtls-check" ''
@@ -120,18 +128,24 @@ let
    certFile,
    keyFile,
    bundleFile,
+    user,
+    group,
    reloadUnits ? [ ],
    postCommands ? [ ],
    systemctlArgs ? [ ],
  }:
  let
+    catCmd = lib.getExe' pkgs.coreutils "cat";
    echoCmd = lib.getExe' pkgs.coreutils "echo";
-    systemctl = lib.getExe' pkgs.systemd "systemctl";
-    escapedArgs = lib.escapeShellArgs systemctlArgs;
-    systemctlCommand = "${systemctl} ${escapedArgs}";
+    chownCmd = lib.getExe' pkgs.coreutils "chown";
+    chmodCmd = lib.getExe' pkgs.coreutils "chmod";
+    stepCmd = lib.getExe pkgs.step-cli;
+    hasReloadUnits = reloadUnits != [ ];
+    hasPostCommands = postCommands != [ ];
+    systemctlCmd = "${lib.getExe' pkgs.systemd "systemctl"} ${lib.escapeShellArgs systemctlArgs}";
    renewReloadScript = lib.concatMapStringsSep "\n" (unit: ''
-      if ${systemctlCommand} --quiet is-active "${unit}"; then
-        ${systemctlCommand} try-reload-or-restart "${unit}"
+      if ${systemctlCmd} --quiet is-active "${unit}"; then
+        ${systemctlCmd} try-reload-or-restart "${unit}"
      fi
    '') reloadUnits;
    renewPostCommands = lib.concatStringsSep "\n" postCommands;
@@ -139,23 +153,42 @@ let
    pkgs.writeShellScriptBin "mtls-renew" ''
      set -euo pipefail

-      if ${lib.getExe pkgs.step-cli} certificate needs-renewal "${certFile}"; then
-        ${echoCmd} "Renewing mTLS certificate"
-      else
+      YELLOW_BANG="\e[33m!\e[0m"
+
+      force=0
+      while [[ $# -gt 0 ]]; do
+      case $1 in
+        --force)
+        force=1
+        shift
+        ;;
+        *)
+        ${echoCmd} -e "$YELLOW_BANG Warning: ignoring unrecognized argument '$1'"
+        exit 1
+        ;;
+      esac
+      done
+
+      if [[ $force -eq 0 ]] && ! ${stepCmd} certificate needs-renewal "${certFile}"; then
        ${echoCmd} "Skipping renew"
-        exit "$?"
+        exit 0
      fi

-      ${lib.getExe pkgs.step-cli} ca renew --force "${certFile}" "${keyFile}"
-
-      umask 077
-      ${lib.getExe' pkgs.coreutils "cat"} "${certFile}" "${keyFile}" > "${bundleFile}"
+      ${echoCmd} "Renewing mTLS certificate"
+      ${stepCmd} ca renew --force "${certFile}" "${keyFile}"
+      (umask 077; ${catCmd} "${certFile}" "${keyFile}" > "${bundleFile}")
+      ${chownCmd} ${user}:${group} ${certFile} ${keyFile} ${bundleFile}
+      ${chmodCmd} 640 ${certFile} ${keyFile} ${bundleFile}

+      ${lib.optionalString hasReloadUnits ''
      ${echoCmd} "Reloading units:"
      ${renewReloadScript}
+      ''}

+      ${lib.optionalString hasPostCommands ''
      ${echoCmd} "Post commands:"
      ${renewPostCommands}
+      ''}
    '';

  mkNixosMtlsRenewService = {
@@ -171,7 +204,7 @@ let
  let
    serviceGroup = if group == null then user else group;
    renewScript = mkMtlsRenewScript {
-      inherit pkgs certFile keyFile bundleFile reloadUnits postCommands;
+      inherit pkgs certFile keyFile bundleFile reloadUnits postCommands user group;
    };
  in
  {
@@ -271,13 +304,18 @@ in
          (mkMtlsGenerateScript {
            inherit pkgs;
            inherit (cfg) subject provisioner san certFile keyFile bundleFile lifetime;
+            inherit (cfg.renew) user group;
          })
          (mkMtlsCheckScript { inherit pkgs; inherit (cfg) bundleFile; })
-          (mkMtlsRenewScript { inherit pkgs; inherit (cfg) certFile keyFile bundleFile; })
+          (mkMtlsRenewScript {
+            inherit pkgs;
+            inherit (cfg) certFile keyFile bundleFile;
+            inherit (cfg.renew) user group;
+          })
        ];

        systemd.tmpfiles.rules = [
-          "d ${cfg.certDir} 0750 ${cfg.renew.user} ${if cfg.renew.group == null then cfg.renew.user else cfg.renew.group} -"
+          "d ${cfg.certDir} 0750 ${cfg.renew.user} ${cfg.renew.group} -"
        ];

        systemd.services.mtls-renew = lib.mkIf cfg.renew.enable (mkNixosMtlsRenewService {
@@ -314,10 +352,11 @@ in
          # step-cli
          (mkMtlsGenerateScript {
            inherit (cfg) subject provisioner san lifetime;
+            inherit (cfg.renew) user group;
            inherit pkgs certFile keyFile bundleFile;
          })
          (mkMtlsCheckScript { inherit pkgs bundleFile; })
-          (mkMtlsRenewScript { inherit pkgs certFile keyFile bundleFile; })
+          (mkMtlsRenewScript { inherit pkgs certFile keyFile bundleFile; inherit (cfg.renew) user group; })
        ];

        systemd.user.tmpfiles.rules = lib.mkIf cfg.enable [
@@ -1,5 +1,13 @@
 janus:
    admin_jwk: ENC[AES256_GCM,data:2XcN5X77wTQ+OUXa4C9xAErGvrwJKseHjCcgoj6jt+c=,iv:9x+M1wM0dYND1JYkJjM4N8pSOok2OF+P9vmm9NCumTI=,tag:dTCfh+KB1iRJBVoNsGqvuw==,type:str]
+forgejo:
+    #ENC[AES256_GCM,data:/wtm0uXbiWFoGNWtlTzVuNxBR7CPm2FMB98t3AxSj5V5rltLvzF9BjgWoJCiX3ltzmU=,iv:xaZXbUIGJHxPrLRQzEQI7hgRgc0y061jIhoE3zlcMaA=,tag:fQGheCIdBKm6wE+vtj7g6A==,type:comment]
+    secret_key: ENC[AES256_GCM,data:/jcyeDcsryLqu9Q3VnNaENb71/Tl5JUr0zDzxt8L5UCtnJ/YHA6MKItrQ9ZHFv1XROtnSfZl9D5kKomeM8EVqA==,iv:HxMKAMVQ08gkq6SWENj0/d8i9PhcgPCp5eqbztj9bSg=,tag:nO2dFWT/vfgGc/9JIDZrGw==,type:str]
+    #ENC[AES256_GCM,data:TADqVsZwXpH/zfrXNclavH8Sv++jX081UjK/Mkys5x52gU5fU0ikk478EmwzeergsHpmxxon,iv:v9HsIsud+eiko7F0u622MBrTVDsIxlpqru0Viifvqow=,tag:FLgNTW0EcGhHT6iI9I6Bsg==,type:comment]
+    internal_token: ENC[AES256_GCM,data:7eZM+misgHZz1p6HH9VzCAPIIFjp2vT0kyc9B1KllE+x2URyrgs5IR9SZ+T5vNdMdnlNzF25pUhKzjbak8tVN554rYWp06SczzqhLyaoHKs8iGBohMqfJkoZxxIVSB7g7GC+/SAsb719,iv:XbBXqXh/PqjEcAj0qsajR7Ij56KGT/9Spdp5T549p9I=,tag:o4ONucOkIE2VJ6VjOlPb6w==,type:str]
+    #ENC[AES256_GCM,data:ZqwgnKjaolJtjcy287fnDOkb/oSLnBpfWfsTeVPwbIE8YLRSoPP4gbCnHJBLq+TJNNI=,iv:zTvw4ZS6C1ifUwOijNLuTfUQ3JM+5gj1X2f/s8MwWXc=,tag:Y1yKlL+jIRHVBulGlSErog==,type:comment]
+    jwt_secret: ENC[AES256_GCM,data:e59MlATOorsTIQjtTUKfX5Yo3CVsbbfuKczp1gh1m2D1kkZK3ORFztYpjg==,iv:JH3PVUmXToiThEKDkDJ8MGVMAPlIEgPSWhru+9WgNjk=,tag:FfDpaCPejpw6kGDkxJwDWw==,type:str]
+    lfs_jwt_secret: ENC[AES256_GCM,data:xi9PEKFUGRyc3YOg3JM3KrrENi9xsbeBjiz4R16SK5WDafoGFLazN6KRJQ==,iv:1IhPyQDwA8tZ22pfZJiU8TRTCLCHC/HAnKdmSGDfvcM=,tag:rLdREVSKBm67rt8ayN16Vw==,type:str]
 sops:
    age:
        - recipient: age1ykcs39e62pz3xu6cedg8ea685kv5d5qsrhgkndygzm8rx30xd5ys5t3qxt
@@ -29,7 +37,7 @@ sops:
            Yjd0MUcxcExvWVpCOUR3MkdZdGQyWUkKnru0Y2A98+0Mps7EtVK7ct3vPqIGveUt
            E5fzpcKvdefzObrx7BPTwJ19t2fZg/dSi7HKwx3vmKZSzyQaqJOzsg==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-03-29T22:44:20Z"
-    mac: ENC[AES256_GCM,data:f2QVZsCNZJIxnsWsBXVyD6JFSmsMktZqCXQWAJcLfSaojEld9CMu1rJjDyCbG3GPJStrMS20WZbtQvx7H6gosnkxXL401L8SwIoy/gNNEIx0qVLUneoEsuvjSTIiiUG7B2Y9lBKQ/kO/iKrJMURSke0wWWC1Ng5mUePfZ94FVTg=,iv:xOFeak0pjBt4iTFr9vt4cuA9WzFD/ipVThgulNOp100=,tag:YPLXK4RmQLa+ADl6DohmBQ==,type:str]
+    lastmodified: "2026-04-02T03:47:52Z"
+    mac: ENC[AES256_GCM,data:NvCF78rzYOv2Ulf3TLB4eKtYEqNkfSzPBPRXcpTTO9QoSH3axdapkhUzsSq2d30RV/F/PLMbMaERMgW1SFT0Uikvk0s5ALmwN29MMwA6BMyup5bzOQeOIxOoeYrKOeqCJdI3ZhtqV/ebvyTebVI7Q6Jw0QKf+9SW2RfYGFJkKF0=,iv:VSoGZkzSzI9SPnvrzyIgWgW/teRNiFlf5fdmHKVg2TE=,tag:qm/jUdQ63MdWUxBDJ9kxww==,type:str]
    unencrypted_suffix: _unencrypted
-    version: 3.12.1
+    version: 3.12.2
Author	SHA1	Message	Date
John Lancaster	6c26e898b2	improving renew script	2026-04-04 09:46:55 -05:00
John Lancaster	710f13ace4	renew script tweaks	2026-04-04 09:33:08 -05:00
John Lancaster	1a7a1189e7	privileged port permissions for https	2026-04-03 18:16:29 -05:00
John Lancaster	ff74205c57	mtls file permissions	2026-04-03 18:16:12 -05:00
John Lancaster	32b7932916	script tweaks	2026-04-02 17:28:06 -05:00
John Lancaster	f05a3af30d	forgejo secrets	2026-04-02 17:24:32 -05:00
John Lancaster	3e84eb641f	added forgejo secrets to soteria	2026-04-02 07:56:35 -05:00