Generate GITEA_SSO_SECRET and SERVICE_PASSWORD_SALT in config wizard

New installs now get dedicated secrets for Gitea SSO cookie signing and service password derivation, rather than falling back to JWT_ACCESS_SECRET. Existing installs are unaffected (update_env_var_if_empty preserves values). Bunker Admin
2026-03-31 12:13:32 -06:00 · 2026-03-31 12:13:32 -06:00 · c306e061ab
commit c306e061ab
parent f378db89b5
1 changed files with 15 additions and 0 deletions
--- a/config.sh
+++ b/config.sh
@ -350,6 +350,21 @@ generate_all_secrets() {
    ((kept+=4))
  fi

+  # Gitea SSO + service password salt (isolated from JWT secrets)
+  local sso_secret svc_salt
+  sso_secret=$(generate_secret)
+  svc_salt=$(generate_secret)
+  local sso_changed=false
+  update_env_var_if_empty "GITEA_SSO_SECRET" "$sso_secret" && sso_changed=true
+  update_env_var_if_empty "SERVICE_PASSWORD_SALT" "$svc_salt" && sso_changed=true
+  if [[ "$sso_changed" == "true" ]]; then
+    success "Gitea SSO secret + service password salt"
+    ((generated+=2))
+  else
+    info "Gitea SSO secret + service password salt (kept existing)"
+    ((kept+=2))
+  fi
+
  # Database passwords (24-char alphanum)
  local pg_pass redis_pass
  pg_pass=$(generate_password 24)