fix: allow key rotation

.env.sample

@@ -68,6 +68,13 @@ GITEA_STORAGE_TYPE=local
 # MINIO_CHECKSUM_ALGORITHM=default
 # COMPOSE_FILE="$COMPOSE_FILE:compose.s3.yml"
 
+# Instance Commit Signing
+# https://forgejo.org/docs/latest/admin/advanced/signing/
+# COMPOSE_FILE="$COMPOSE_FILE:compose.signing.yml"
+# GITEA_SIGNING_ENABLED=1
+# SECRET_SIGNING_PUBLIC_KEY_VERSION=v1
+# SECRET_SIGNING_PRIVATE_KEY_VERSION=v1
+
 # SMTP Mailer
 # COMPOSE_FILE="$COMPOSE_FILE:compose.smtp.yml"
 # GITEA_SMTP_MAILER_ENABLED=1

README.md

@@ -66,3 +66,16 @@ Note that gitea should be configured to listen to port 2222, i.e. `GITEA_SSH_POR
 Uncomment the Anubis compose file from the `.env` file and re-deploy the
 app.  Don't forget to actually [enable Anubis on the Traefik app
 too](https://recipes.coopcloud.tech/traefik)!
+
+## [Instance Commit Signing](https://forgejo.org/docs/latest/admin/advanced/signing/)
+
+To allow Forgejo to sign commits, uncomment the corresponding
+configuration block, and then generate and insert the SSH keys:
+
+```sh
+abra app config git.example.coop
+ssh-keygen -t ed25519
+app app secret insert git.example.coop signing_public_key v1 -f ~/.ssh/id_ed25519.pub
+app app secret insert git.example.coop signing_private_key v1 -f ~/.ssh/id_ed25519
+app app deploy git.example.coop
+```

abra.sh

@@ -1,5 +1,5 @@
 export APP_INI_VERSION=v25
-export DOCKER_SETUP_SH_VERSION=v1
+export DOCKER_SETUP_SH_VERSION=v2
 export PG_BACKUP_VERSION=v1
 
 abra_backup_app() {

app.ini.tmpl

@@ -62,6 +62,18 @@ ALLOWED_TYPES = {{ env "GITEA_REPO_UPLOAD_ALLOWED_TYPES" }}
 FILE_MAX_SIZE = {{ env "GITEA_REPO_UPLOAD_MAX_SIZE" }}
 MAX_FILES = {{ env "GITEA_REPO_UPLOAD_MAX_FILES" }}
 
+{{ if eq (env "GITEA_SIGNING_ENABLED") "1" }}
+[repository.signing]
+FORMAT = ssh
+SIGNING_KEY = /var/lib/gitea/signing_key.pub
+SIGNING_NAME = {{ env "GITEA_APP_NAME" }}
+SIGNING_EMAIL = {{ env "GITEA_MAILER_FROM" }}
+INITIAL_COMMIT = always
+WIKI = always
+CRUD_ACTIONS = always
+MERGES = always
+{{ end }}
+
 [ui]
 SHOW_USER_EMAIL = {{ env "GITEA_SHOW_USER_EMAIL" }}
 
@@ -126,3 +138,4 @@ MODE=console
 LEVEL=WARN
 STACKTRACE_LEVEL=None
 ENABLE_XORM_LOG=false
+

compose.signing.yml

@@ -0,0 +1,14 @@
+version: '3.8'
+
+services:
+  app:
+    secrets:
+    - signing_public_key
+    - signing_private_key
+secrets:
+  signing_public_key:
+    name: ${STACK_NAME}_signing_public_key_${SECRET_SIGNING_PUBLIC_KEY_VERSION}
+    external: true
+  signing_private_key:
+    name: ${STACK_NAME}_signing_private_key_${SECRET_SIGNING_PRIVATE_KEY_VERSION}
+    external: true

compose.yml

@@ -3,7 +3,7 @@ version: "3.8"
 
 services:
   app:
-    image: codeberg.org/forgejo/forgejo:15.0.0-rootless
+    image: codeberg.org/forgejo/forgejo:15.0.2-rootless
     configs:
       - source: app_ini
         target: /var/lib/gitea/custom/conf/app.ini
@@ -90,7 +90,7 @@ services:
         - "traefik.http.middlewares.${STACK_NAME}_cors.headers.accesscontrolalloworiginlist=https://${GITEA_CORS_ALLOW_DOMAIN}"
         - "traefik.http.middlewares.${STACK_NAME}_cors.headers.accesscontrolmaxage=100"
         - "traefik.http.middlewares.${STACK_NAME}_cors.headers.addvaryheader=true"
-        - coop-cloud.${STACK_NAME}.version=5.3.0+15.0.0-rootless
+        - coop-cloud.${STACK_NAME}.version=5.3.1+15.0.2-rootless
 
 
 networks:

docker-setup.sh.tmpl

@@ -13,3 +13,10 @@ mkdir -p ${GITEA_CUSTOM} && chmod 0500 ${GITEA_CUSTOM}
 # Prepare temp folder
 mkdir -p ${GITEA_TEMP} && chmod 0700 ${GITEA_TEMP}
 if [ ! -w ${GITEA_TEMP} ]; then echo "${GITEA_TEMP} is not writable"; exit 1; fi
+
+if [ -e /run/secrets/signing_public_key ] ; then
+  cat /run/secrets/signing_public_key > /var/lib/gitea/signing_key.pub
+  cat /run/secrets/signing_private_key > /var/lib/gitea/signing_key
+
+  chmod 600 /var/lib/gitea/signing_key*
+fi