Fix dev-add.sh random password generation, update Forgejo token scope

- Replace openssl rand with /dev/urandom (openssl not in NixOS path) - Update forgejo-api-token with admin scope for user provisioning Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-08 17:58:49 -08:00 · 2026-01-08 17:58:49 -08:00 · 1575e44ca2
parent fafc04cb0d
commit 1575e44ca2
2 changed files with 21 additions and 21 deletions
--- a/scripts/dev-add.sh
+++ b/scripts/dev-add.sh
@ -201,7 +201,7 @@ provision_forgejo() {

    # Try to create Forgejo user (ignore if already exists)
    local random_pass
-    random_pass=$(openssl rand -base64 16)
+    random_pass=$(head -c 16 /dev/urandom | base64 | tr -d '/+=' | head -c 16)

    local http_code
    http_code=$(curl -s -o /dev/null -w "%{http_code}" \
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
@ -1,32 +1,32 @@
-matrix-registration-token: ENC[AES256_GCM,data:Ke4d2viAHn7ZYnsUth4nHqspp+UfjpO3bpGsmcc2YDNuUxSsNMzfYbymVilNsS+zea0YH3JNOwLxH71DIRF1sA==,iv:Ir/jjDfyhPJl9s8q5JWg1F3dpdywRoxv/YSSf0OP74w=,tag:7aOAdVKwRJd4/XKohL9mxQ==,type:str]
-acme-email: ENC[AES256_GCM,data:rIBSvT4uf59g0CBU/Q==,iv:FLkGQOPNwFmb339iAjwnMnzDzZNUNOYOer4yRkPWjyg=,tag:r2kAPnSCTTu11SAonMJyzA==,type:str]
-slack-app-token: ENC[AES256_GCM,data:JDYVHdOownAfxdmNX+pZPOBMC4r6rHMRKlIcGGJ607ZMNn+pFKTksSzHR5/4lANio686Fmpj02BRn4XgRpqhTtfLxGw2iUrZP0ZM5j+7EkDGTLgbHlGQUHJp7q+W6xhQSA==,iv:mTxKt/Al+yG+1F+v9xA6FICNTjjOcaEievee4bDZDcI=,tag:awPnXSL7TAGJYfHW+ENjUA==,type:str]
-maubot-admin-password: ENC[AES256_GCM,data:jDEm9rkhSkK0GR3xA/DXPq08hkon8Nx5S46HmyvyilddDxmTiSbCNMLkiBw=,iv:RBrU/ulycENV2danmlPccGaLHKi15GMKlvm9bQreXHw=,tag:fslKkla7/B1zrOKAxaOSJA==,type:str]
-maubot-secret-key: ENC[AES256_GCM,data:pzxxkheCMRHMM4oWlgqhwnWJUealFsARct5JJAtpdzwJcvQNod57PfJmtpA3tkVQwvuGO5enYrJ/FqDod4cZrQ==,iv:cumexXE17TSJAkEQw/ketGPhDzLzxxdDMsQuJMKHYTo=,tag:0rEkiVB7rLypv7pCDm6KRw==,type:str]
-slack-bot-token: ENC[AES256_GCM,data:BJ7B2YmzMlXFfFERSGr/ndSGncpq+q4gRFGCvREoBsyOkboaPcUAYbBhxdz7pTopBKRe4glMXVU=,iv:QUcQ2ui+cpAIOxnTPqpV+z9tXOkyf4YfR2TzCkVTFO0=,tag:6sOl5f6RJg0ydHNPeYoKvg==,type:str]
-forgejo-admin-password: ENC[AES256_GCM,data:ra3hv+Hdp+Z2lpQAMaBHmft01D1jwu1H,iv:Mk/aOAVq1SKDQxa0bNiA+IPMmT7tW7YXGujV0sv36Aw=,tag:hGug+tB07gNTtbUJEK+kYQ==,type:str]
-forgejo-api-token: ENC[AES256_GCM,data:NfWY8mFOICnrUkCF1CP+yrATPC1Xr9smLRtrigAV8JL3Z0C+rx6Vig==,iv:wABOMZsGhgMFxXFt3PAd4PtHHODlNmxy04l18ZK8nXo=,tag:AyIy57DGT+8EnO/RY8nBUQ==,type:str]
+matrix-registration-token: ENC[AES256_GCM,data:j7i/qtPol4dFtIdcBBfiJPrmIcNv0oeGU0Et/rbYwiC7eqAfh4v0xcS9ymzMJZXt75ikLEy8gJBm0i3kzuY8Tw==,iv:t5vQ7NQ3Mq1xnplgkdWu/XJlN/YEedVp+hRCbazy7YM=,tag:soQm891iwqgxZuYNoNFVYw==,type:str]
+acme-email: ENC[AES256_GCM,data:178eat1kqzemxmHJ4w==,iv:27x07i90//RA/Lvs/N8ITOU+abcrfpOoCZiOV932MAY=,tag:NStHMV22Bsq/nbyobbR54w==,type:str]
+slack-app-token: ENC[AES256_GCM,data:s9TAQvQH4QpRyBQFAU3aVgjyLzLLIqqTCXVV8mHv2ITNyFNWd5lveyGFzmuDmU3qPW5/S0ZuYMkuSkZrREVPH57Kbv19dR9/fTe0keIbtLC9FmZn2yRZdjKvjgGMIKeWsA==,iv:mwxEVj6bsghkXZ0v6IH6JA2JZfCoknjyOa8FTdOP2OQ=,tag:9N5EoUXsMU41hICaWMtVaw==,type:str]
+maubot-admin-password: ENC[AES256_GCM,data:iJ3lZKaPWIOoVrkC0qx5tzxOdbks7c3J9WrR1c3KgpSrtzfiZtl36PPZFqs=,iv:P708rzoWfrcUWqDdU1Vw80xGQVYwwRYI1g/i6rDhOMU=,tag:x/Xjq7w/k7Qr4hcuuSEHYg==,type:str]
+maubot-secret-key: ENC[AES256_GCM,data:8GZjOJo/Txl7aQf/jlHgctcmwk47CFP75tZyLfnbnlcgsEjCbclxxKJEv0zYZ4z270pQ9ieMx6JNGD6z61iSpw==,iv:3H9DJYAZiNaW4DSbREajaLnUXufxo1h9BUm2gYFPW/Y=,tag:y+7hQDlszhopnTaoHZ48yg==,type:str]
+slack-bot-token: ENC[AES256_GCM,data:JRV8Fw2I9YMXttXWqPTlm1/2chF4m8KOilzsPuIyX8V7BYYb4uXlgW53MgfVcScXrgp981q7jL0=,iv:xJGHpI1WkZmRt5n9ZJmiu8IbdazrQJAb/ztHw5v7mXA=,tag:ajjAtWsOkXLV1iNQOf/h1g==,type:str]
+forgejo-admin-password: ENC[AES256_GCM,data:+ckJhKS7ive6h/dxru7IZ2fjW7MRnMW2,iv:om0MfDwFRTqPgVETcelnmmKX4BtZfbO1feBseZ2kO0s=,tag:FirgrQwCM+fUab85liBWiw==,type:str]
+forgejo-api-token: ENC[AES256_GCM,data:a7IZXAnzg6CS+GHS/grqaw5InbMoTs9igDI66sMe4z+A3tH4xDCtWQ==,iv:u+cSLF5w4MxO4yWblHscfEi1KzJnbSqONL5LMYBpQE4=,tag:XaxX1t3gcxfN2Z/xKfN8SA==,type:str]
 sops:
    age:
        - recipient: age1vuxcwvdvzl2u7w6kudqvnnf45czrnhwv9aevjq9hyjjpa409jvkqhkz32q
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2TlJUWjFoeE0wYW8xNFpi
-            TnBWb2JMYkpRaTlqTDVnSDFSeUk4aDhxa2drClVacVJwTXgyTU5KcjJUaGZBb0l2
-            Vmd4cVZvQXhNb0owM2lFdytqUDFyWEUKLS0tIGpqaUFOenh3bVVjUlY3d05sZEo1
-            RURxaEZzZ0hYcWFkUVpQTG81VWVuZDgKFzkb3NFjmgBz1vVoPCgJpZ8UhMs3Qm67
-            Or13vxvNbbgRunTYjyH5h9clFiCzLyOOwGwPAnABAhdCgBXr48Ji4Q==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwMUhsUGl6dncxaGVScTVo
+            a3crTjdGaXpvNm5Xb2lHN3UwNWFzckRUempJCmNzK1E4dW5BVlZPMk5JS3ZtS21K
+            Nm40bGZzV0M3Z3JjaFA1Qit6S001dVkKLS0tIGQwODVJT1ZTeTNsSHZNd0IvSnNu
+            SmhqQ1RtUHloL1RwTWhlN0NxMTFrc0kKiJRArc6hfwRNQqI9zWnJjvgpD+RrYT8S
+            huj/komeDL3+gUJgXdbxvXKczLjtUf6bOjSm/BgwFiLG/dr1meWV/Q==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age18ue40q4fw8uggdlfag7jf5nrawvfvsnv93nurschhuynus200yjsd775v3
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZRE9kalpQRkh1czY0bHJ4
-            elVEOVd5cUlIYm1xVlY1bGpWTms1MzV0Z1dVCjF2MGgxc1p1RTV1OXhPQ3c4Rk1q
-            TTY5cnJ5K2x6aGozQjhtNWpLS3pOb1UKLS0tIGprQ0ljMFJvVE9PUXhXK1haR0dm
-            QkFDdDlZT3ljSy9Ud1V4YWdQc21yblUKBSzNXvKeQ8FM8b+U1axKdgZFlD8/dMcJ
-            eEeCt9hcSEjcaohoWmYRb6qEsy1s194y10G+v/J/fu0dLqrGIcObMA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBazZpazREcER4OGpRVEhl
+            UFE4My9paDdZMW45ZUQzbC9IT0s5NXc1NldNCm5GaHIvM29lN1ZiL0FobVJvWjBP
+            MEVQVFpMSHZWTkxOQkgyYkxzVjVYN00KLS0tIHVHeE5MU2QwSVNzcldaWURzdDlo
+            RU1TR24zOGxnd0syeVlvc3JHeGFhTTAKwg1TvZ6ixaDgBfz+3auoLVjdXnHuzvGv
+            pN+pUklEsaymDCun3rEUGiI0xA08WML1HAE7AyfqKa32wSJUOpmcMA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-01-09T01:06:29Z"
-    mac: ENC[AES256_GCM,data:vQl0M5zuA5vavxoo+FtVMbLfU4wMkiEtkctM/YvkGRRUZw0K0KhJeg1RH0Ag7YTjKz1gapbXQIXYh2OtHx3eC6BAl5VePdEGgPUhaAxok8K3vRj2a8t1bsPMa3pLFDyXAsCUEctFG4jZSYqZaA8iUX0hloSebpNEJ+FxkfoWeso=,iv:mVEDFlllze0K1YcoFp7hP4xIiTt9MFebwP5q5MkUpMs=,tag:cPy+DeIy3oMF4nNj9QnnXQ==,type:str]
+    lastmodified: "2026-01-09T01:45:06Z"
+    mac: ENC[AES256_GCM,data:gbYiINSWDI0Bhgrlv8A1ImUciQg17WT47RlN8VZfrbGfa6PKdnUQncrjuKBjMdVXhk2e6sIvLO2OGXJp2dznK8DEKJOeeHamKo6k5PnrAe81tLLI5wub6+q4vARwqV8SC5JJAMDT8+H+PQZ25ao98usJ4A9EJ4zD6EQ4Tbff4g8=,iv:CElQ1xzT7Z0VZW452hTR/DcSnfplW5GBfYOUalOP4nU=,tag:+nSgn2eEstS8aZD99jxuYw==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.11.0