From c306e061ab9557d2c0a871405163b345d765cb7e Mon Sep 17 00:00:00 2001
From: bunker-admin
Date: Tue, 31 Mar 2026 12:13:32 -0600
Subject: [PATCH] Generate GITEA_SSO_SECRET and SERVICE_PASSWORD_SALT in config wizard
New installs now get dedicated secrets for Gitea SSO cookie signing and service password derivation, rather than falling back to JWT_ACCESS_SECRET. Existing installs are unaffected (update_env_var_if_empty preserves values).
Bunker Admin
---
 config.sh | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/config.sh b/config.sh
index 03bf68bf..39b3ce78 100755
--- a/config.sh
+++ b/config.sh
@@ -350,6 +350,21 @@ generate_all_secrets() {
 ((kept+=4))
 fi

+ # Gitea SSO + service password salt (isolated from JWT secrets)
+ local sso_secret svc_salt
+ sso_secret=$(generate_secret)
+ svc_salt=$(generate_secret)
+ local sso_changed=false
+ update_env_var_if_empty "GITEA_SSO_SECRET" "$sso_secret" && sso_changed=true
+ update_env_var_if_empty "SERVICE_PASSWORD_SALT" "$svc_salt" && sso_changed=true
+ if [[ "$sso_changed" == "true" ]]; then
+ success "Gitea SSO secret + service password salt"
+ ((generated+=2))
+ else
+ info "Gitea SSO secret + service password salt (kept existing)"
+ ((kept+=2))
+ fi
+
 # Database passwords (24-char alphanum)
 local pg_pass redis_pass
 pg_pass=$(generate_password 24)
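Review bot: The two `update_env_var_if_empty` calls would presumably also fill `GITEA_SSO_SECRET` and `SERVICE_PASSWORD_SALT` on an existing install where they are empty or absent, which is exactly the install that has been running on the `JWT_ACCESS_SECRET` fallback, so the description's claim that existing installs are unaffected only holds if the helper (defined outside this hunk) leaves a missing key alone. If it does write, re-running the wizard changes the salt used for service password derivation and the SSO cookie signing key, so previously derived service passwords would likely stop matching and SSO sessions would be invalidated. I would either skip generation when `JWT_ACCESS_SECRET` was kept rather than generated, or state the rotation above the block, e.g. `# Filling these on an install that used the JWT_ACCESS_SECRET fallback rotates derived service passwords and SSO cookies`. Separately, `sso_changed` becomes true when only one of the two values was written, yet that branch still runs `((generated+=2))`; counting each call on its own would keep the summary accurate. `generate_all_secrets` starts and ends outside the hunk.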