From d2b73e1e9d3c4dd84de1449b48e315beeeb534c9 Mon Sep 17 00:00:00 2001
From: SebastianStork <sebastian.stork@pm.me>
Date: Sun, 1 Jun 2025 22:57:27 +0200
Subject: [PATCH] Make forgejo user setup more robust

---
 modules/system/services/forgejo/default.nix | 21 ++++++++++++---------
 1 file changed, 12 insertions(+), 9 deletions(-)

diff --git a/modules/system/services/forgejo/default.nix b/modules/system/services/forgejo/default.nix
index f017984..8612c5d 100644
--- a/modules/system/services/forgejo/default.nix
+++ b/modules/system/services/forgejo/default.nix
@@ -1,9 +1,4 @@
-{
-  config,
-  pkgs,
-  lib,
-  ...
-}:
+{ config, lib, ... }:
 let
   cfg = config.custom.services.forgejo;
 
@@ -53,10 +48,18 @@ in
 
     systemd.services.forgejo.preStart =
       let
-        createCmd = "${lib.getExe config.services.forgejo.package} admin user create";
-        passwordPath = config.sops.secrets."forgejo/admin-password".path;
+        userCmd = "${lib.getExe config.services.forgejo.package} admin user";
+        credentials = lib.concatStringsSep " " [
+          "--username SebastianStork"
+          "--password \"$PASSWORD\""
+        ];
       in
-      ''${createCmd} --username SebastianStork --password "$(cat ${passwordPath})" --email "sebastian.stork@pm.me" --admin || true'';
+      ''
+        PASSWORD="$(< ${config.sops.secrets."forgejo/admin-password".path})"
+
+        ${userCmd} create ${credentials} --email "sebastian.stork@pm.me" --admin \
+          || ${userCmd} change-password ${credentials} --must-change-password=false
+      '';
 
     systemd.tmpfiles.rules =
       let