initial commit

Signed-off-by: Jason Hall <imjasonh@gmail.com>
2026-05-07 20:02:59 -04:00 · 2026-05-07 20:02:59 -04:00 · 4dc1b58f2f
commit 4dc1b58f2f
20 changed files with 1398 additions and 0 deletions
--- a/scripts/bootstrap-secrets.sh
+++ b/scripts/bootstrap-secrets.sh
@ -0,0 +1,25 @@
+#!/bin/bash
+# Generate and upload Forgejo secrets to Google Secret Manager.
+# Run once per project before the first `terraform apply`.
+# Idempotent: skips secrets that already exist.
+set -euo pipefail
+
+if [[ -z "$(gcloud config get-value project 2>/dev/null)" ]]; then
+  echo "ERROR: no active gcloud project. Run 'gcloud config set project YOUR_PROJECT' first." >&2
+  exit 1
+fi
+
+for SECRET in forgejo-secret-key forgejo-internal-token; do
+  if gcloud secrets describe "$SECRET" >/dev/null 2>&1; then
+    echo "$SECRET already exists, skipping"
+  else
+    openssl rand -hex 32 \
+      | gcloud secrets create "$SECRET" --replication-policy=automatic --data-file=-
+    echo "Created $SECRET"
+  fi
+done
+
+echo
+echo "Tip: also save these values in your password manager for cross-project recovery."
+echo "     gcloud secrets versions access latest --secret=forgejo-secret-key"
+echo "     gcloud secrets versions access latest --secret=forgejo-internal-token"