Enable ShellCheck and improve shell scripts

modules/system/services/forgejo/default.nix

@@ -70,22 +70,33 @@ in
       };
     };
 
-    systemd = {
-      services.forgejo.preStart =
-        let
-          userCmd = "${lib.getExe config.services.forgejo.package} admin user";
-          credentials = lib.concatStringsSep " " [
-            "--username SebastianStork"
-            "--password \"$PASSWORD\""
-          ];
-        in
-        ''
-          PASSWORD="$(< ${config.sops.secrets."forgejo/admin-password".path})"
+    systemd.services.forgejo.preStart =
+      let
+        userCmd = "${lib.getExe config.services.forgejo.package} admin user";
+      in
+      ''
+        username="SebastianStork"
+        password="$(cat ${config.sops.secrets."forgejo/admin-password".path})"
 
-          ${userCmd} create ${credentials} --email "sebastian.stork@pm.me" --admin \
-            || ${userCmd} change-password ${credentials} --must-change-password=false
-        '';
-    };
+        create_user() {
+          ${userCmd} create \
+            --username "$username" \
+            --password "$password" \
+            --email "sebastian.stork@pm.me" \
+            --admin
+        }
+
+        reset_password() {
+          ${userCmd} change-password \
+            --username "$username" \
+            --password "$password" \
+            --must-change-password=false
+        }
+
+        if ! create_user; then
+          reset_password
+        fi
+      '';
 
     custom.services.resticBackups.forgejo = lib.mkIf cfg.doBackups {
       conflictingService = "forgejo.service";

modules/system/services/hedgedoc.nix

@@ -55,16 +55,16 @@ in
     };
 
     # Ensure session-secret
-    systemd.services.hedgedoc.preStart =
-      let
-        sessionSecret = "/var/lib/hedgedoc/session-secret";
-      in
-      lib.mkBefore ''
-        if [ ! -f ${sessionSecret} ]; then
-          ${lib.getExe pkgs.pwgen} -s 64 1 > ${sessionSecret}
-        fi
-        export SESSION_SECRET=$(cat ${sessionSecret})
-      '';
+    systemd.services.hedgedoc.preStart = lib.mkBefore ''
+      secret_file="/var/lib/hedgedoc/session-secret"
+
+      if [ ! -f $secret_file ]; then
+        ${lib.getExe pkgs.pwgen} -s 64 1 > $secret_file
+      fi
+
+      SESSION_SECRET="$(cat $secret_file)"
+      export SESSION_SECRET
+    '';
 
     custom.services.resticBackups.hedgedoc = lib.mkIf cfg.doBackups {
       conflictingService = "hedgedoc.service";

modules/system/services/radicale.nix

@@ -49,8 +49,6 @@ in
 
         storage.hook =
           let
-            createBirthdayCalendar = "${inputs.radicale-birthday-calendar}/create_birthday_calendar.py";
-
             hookScript = pkgs.writeShellApplication {
               name = "radicale-git-hook";
               runtimeInputs = [
@@ -64,9 +62,10 @@ in
                 ))
               ];
               text = ''
-                readonly username="$1"
+                username="$1"
+                create_birthday_calendar="${inputs.radicale-birthday-calendar}/create_birthday_calendar.py"
 
-                git status --porcelain | awk '{print $2}' | python3 ${createBirthdayCalendar}
+                git status --porcelain | awk '{print $2}' | python3 $create_birthday_calendar
 
                 git add -A
                 if ! git diff --cached --quiet; then

modules/system/services/restic-backups/healthchecks.nix

@@ -31,9 +31,15 @@ in
           serviceConfig.Type = "oneshot";
           scriptArgs = "%i";
           script = ''
-            ${lib.getExe pkgs.curl} --fail --silent --show-error --max-time 10 --retry 5  https://hc-ping.com/$(cat ${
-              config.sops.secrets."healthchecks/ping-key".path
-            })/$(echo $1 | tr _ /)
+            ping_key="$(cat ${config.sops.secrets."healthchecks/ping-key".path})"
+            slug="$(echo "$1" | tr _ /)"
+
+            ${lib.getExe pkgs.curl} \
+              --fail \
+              --silent \
+              --show-error \
+              --max-time 10 \
+              --retry 5 "https://hc-ping.com/$ping_key/$slug"
           '';
         };
       }