feat(vps): forgejo gpg merge-signing #14

Merged
barrettruth merged 1 commit from feat/forgejo-signing into main 2026-04-30 02:33:52 +00:00
barrettruth commented 2026-04-30 02:33:46 +00:00

Adds Forgejo merge-signing via Barrett's GPG key (A6C96C9349D2FC81) on the VPS.

Wires:

  • services.forgejo.settings."repository.signing" with INITIAL_COMMIT/CRUD_ACTIONS/MERGES set to always.
  • forgejo-gpg-import.service (idempotent oneshot) that imports the secret key from /etc/forgejo-gpg-secret.asc using /etc/forgejo-gpg-passphrase on first boot.
  • forgejo-gpg-preset.service (oneshot, RemainAfterExit=true, KillMode=none) that spawns a long-lived gpg-agent and presets the cached passphrase via PRESET_PASSPHRASE.
  • gpg-agent.conf symlinked from a Nix-store-managed file with allow-preset-passphrase and a one-year cache TTL.

Bootstrap files (/etc/forgejo-gpg-secret.asc, /etc/forgejo-gpg-passphrase, both 0600 root:root) are loaded into the relevant services via systemd LoadCredential. Documented in AGENTS.md.

Verified: VPS reboot, signing cache restored automatically; throwaway PR on tmux-mosaic merged with a real gpgsig block on the resulting merge commit.

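The two oneshots in the description (idempotent key import, then a long-lived gpg-agent with the passphrase preset) are the part of this change that is easy to get subtly wrong. The script below is an added example of what such a bootstrap can look like; it is not the PR's own code. It assumes systemd `LoadCredential` exposes the two bootstrap files as `$CREDENTIALS_DIRECTORY/secret.asc` and `$CREDENTIALS_DIRECTORY/passphrase`, that the service runs as the Forgejo user with `GNUPGHOME` pointing at the keyring Forgejo signs from, and that the key ID is the one named above. The `grp` record parsing is exercised against a constructed `--with-colons` listing embedded in the script.

```shell
#!/bin/sh
# Added example, not the PR's own code: bootstrap for a Forgejo signing key.
# Assumptions (not taken from the PR): LoadCredential maps the bootstrap files
# to $CREDENTIALS_DIRECTORY/secret.asc and $CREDENTIALS_DIRECTORY/passphrase,
# and this runs as the Forgejo user with GNUPGHOME set to Forgejo's keyring.
set -eu

KEYID="${FORGEJO_SIGNING_KEYID:-A6C96C9349D2FC81}"            # key ID from the PR
CRED="${CREDENTIALS_DIRECTORY:-/run/credentials/forgejo-gpg}"  # assumed location

# Constructed sample of `gpg --with-colons --with-keygrip --list-secret-keys`
# output (fake fingerprints/keygrips), used only to exercise the parser below.
SAMPLE_LISTING='sec:u:4096:1:A6C96C9349D2FC81:1700000000:::u:::scESC:::+:::23::0:
fpr:::::::::0000000000000000000000000000000000000000:
grp:::::::::1111111111111111111111111111111111111111:
uid:u::::1700000000::DEADBEEF::Example <example@example.invalid>::::::::::0:
ssb:u:4096:1:2222222222222222:1700000000::::::e:::+:::23:
fpr:::::::::3333333333333333333333333333333333333333:
grp:::::::::4444444444444444444444444444444444444444:'

# In colon format a "grp" record carries the keygrip in field 10. The agent
# caches passphrases per keygrip, not per key ID, so this is what we preset.
keygrips_from_listing() {
  awk -F: '$1 == "grp" { print $10 }'
}

# Idempotent import: a second run (or a reboot) must not fail or prompt.
import_key() {
  if gpg --batch --list-secret-keys "$KEYID" >/dev/null 2>&1; then
    echo "secret key $KEYID already present; nothing to do"
    return 0
  fi
  gpg --batch --pinentry-mode loopback \
      --passphrase-file "$CRED/passphrase" \
      --import "$CRED/secret.asc"
}

# Start (or reuse) gpg-agent and preset the passphrase for every keygrip of
# the signing key. Requires allow-preset-passphrase in gpg-agent.conf; the
# entry lives at most max-cache-ttl seconds.
preset_passphrase() {
  gpg-connect-agent /bye >/dev/null
  preset="$(gpgconf --list-dirs libexecdir)/gpg-preset-passphrase"
  gpg --batch --with-colons --with-keygrip --list-secret-keys "$KEYID" \
    | keygrips_from_listing \
    | while read -r grip; do
        "$preset" --preset "$grip" < "$CRED/passphrase"
      done
}

case "${1:-}" in
  import) import_key ;;
  preset) preset_passphrase ;;
  "") ;;  # no subcommand: only define functions (so the file can be sourced)
  *) echo "usage: $0 import|preset" >&2; exit 2 ;;
esac
```

Two practical checks before trusting this on a real host: `max-cache-ttl` must be raised alongside `default-cache-ttl`, because the agent expires a preset entry once `max-cache-ttl` elapses regardless of use (the one-year TTL in the description has to cover both), and the preset service needs the agent to outlive the oneshot, which is what `RemainAfterExit=true` with `KillMode=none` buys. The trade-off to keep in mind is that once the passphrase is preset, any process running as the Forgejo user can sign with this key; the `0600 root:root` files and `LoadCredential` protect the key material at rest, not the cached unlock.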