# Secrets

Forgejo requires three secret keys, each protecting a specific component. They
are generated using the Forgejo container so that they come out in the format
Forgejo expects. The `--encrypted-regex='^(data|stringData)$'` option limits
encryption to the secret values, so `metadata` stays readable for Kustomize
while every value under `data` and `stringData` is encrypted. Generate the keys
and encrypt the resulting Secret manifest in one step by running:

```sh
sh kustomizations/forgejo/scripts/generate-forgejo-secret.sh \
  | sops --encrypt --encrypted-regex='^(data|stringData)$' \
         --input-type=yaml --output-type=yaml /dev/stdin \
  > kustomizations/forgejo/forgejo-config.enc.yaml
```

Forgejo also serves SSH, but the host keys must be pregenerated and stored as a
Secret rather than created on first start: otherwise every fresh pod would
present a new host key and clients would see host-key mismatch warnings.
Generate and encrypt them with:

```sh
sh kustomizations/forgejo/scripts/generate-forgejo-ssh-secret.sh \
  | sops --encrypt --encrypted-regex='^(data|stringData)$' \
         --input-type=yaml --output-type=yaml /dev/stdin \
  > kustomizations/forgejo/forgejo-ssh-keys.enc.yaml
```

The Forgejo database user is managed by Terraform, so its credentials come from
the Terraform outputs. `sops exec-env` decrypts the production environment only
for the duration of the `terraform output` command; the relevant output is then
selected with `jq` and encrypted for the kustomization. Run:

```sh
sops exec-env secrets/production.enc.env 'terraform -chdir=infra/main output -json' \
  | jq '.database_users.value.forgejo' \
  | sops --encrypt --encrypted-regex '^(data|stringData)$' \
         --input-type=json --output-type=yaml /dev/stdin \
  > kustomizations/forgejo/postgres-auth.enc.yaml
```
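
All three commands above end in a `*.enc.yaml` file that is committed to the
repository, so the check worth having before `git add` is that the file really
was encrypted. The script below is an added example, not a script from this
repository: it verifies that every value under `data:` or `stringData:` is a
sops `ENC[AES256_GCM,...]` payload and that the file carries the trailing
`sops:` metadata block, which is exactly what `--encrypted-regex='^(data|stringData)$'`
should produce. The sample manifests it writes are constructed fixtures; the
key names and `ENC[...]` payloads are placeholders shaped like sops output, not
real keys or ciphertext.

```shell
#!/bin/sh
# Added example (not part of the repository): refuse to commit a Kubernetes
# Secret manifest that sops did not fully encrypt.
#
# With --encrypted-regex='^(data|stringData)$' sops leaves metadata readable and
# encrypts only the values under data:/stringData:, so each of those values must
# read ENC[AES256_GCM,...] and the file must end with a sops: metadata block.
# Returns 0 when the file is safe to commit, 1 when plaintext was found or the
# sops block is missing, 2 when the file cannot be read.
check_enc_secret() {
    f="$1"
    [ -r "$f" ] || { echo "check_enc_secret: cannot read '$f'" >&2; return 2; }
    awk '
        BEGIN { bad = 0; seen_sops = 0 }
        /^[A-Za-z]/ { section = $1 }      # unindented line starts a top-level key
        /^sops:/    { seen_sops = 1 }     # sops appends its metadata as a top-level key
        (section == "data:" || section == "stringData:") &&
        /^[ \t]+[^ \t#][^:]*:/ {          # "  KEY: value" line inside a secret section
            val = $0
            sub(/^[^:]*:[ \t]*/, "", val) # drop the key, keep the value
            if (val !~ /^ENC\[AES256_GCM,/) {
                printf "plaintext value under %s for key %s\n", section, $1 > "/dev/stderr"
                bad = 1
            }
        }
        END {
            if (!seen_sops) {
                print "no sops: metadata block (file was never encrypted)" > "/dev/stderr"
                bad = 1
            }
            exit bad
        }
    ' "$f"
}

# Constructed fixtures for trying the check offline. Key names are illustrative
# and the ENC[...] payloads are placeholders, not real sops ciphertext.
write_sample_manifests() {
    dir="$1"
    cat > "$dir/good.enc.yaml" <<'EOF'
apiVersion: v1
kind: Secret
metadata:
    name: forgejo-config
type: Opaque
stringData:
    SECRET_KEY: ENC[AES256_GCM,data:Zm9v,iv:YmFy,tag:YmF6,type:str]
    INTERNAL_TOKEN: ENC[AES256_GCM,data:cXV4,iv:YmFy,tag:YmF6,type:str]
sops:
    lastmodified: "2024-01-01T00:00:00Z"
    mac: ENC[AES256_GCM,data:bWFj,iv:YmFy,tag:YmF6,type:str]
    version: 3.8.1
EOF
    # Same manifest as it would look if the sops step were skipped.
    cat > "$dir/bad.enc.yaml" <<'EOF'
apiVersion: v1
kind: Secret
metadata:
    name: forgejo-config
type: Opaque
stringData:
    SECRET_KEY: not-encrypted-at-all
    INTERNAL_TOKEN: also-plaintext
EOF
}

# Usage: sh check-enc-secret.sh kustomizations/forgejo/forgejo-config.enc.yaml
if [ "$#" -gt 0 ]; then
    check_enc_secret "$1"
fi
```

Wiring `check_enc_secret` into a pre-commit hook over every `*.enc.yaml` under
`kustomizations/` catches the common mistake of writing the generator's output
to the `.enc.yaml` path without the `sops --encrypt` stage.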

Refer to the Keycloak kustomization documentation for how to generate the
client ID and secret that Forgejo uses to authenticate against Keycloak.