Extract config secrets into separate files

I'm glad I read the docs and found the canonical way to do this before
inventing some custom thing!!

files/app.ini

@@ -35,7 +35,7 @@ APP_DATA_PATH = /var/lib/forgejo/data
 DISABLE_SSH = false
 SSH_PORT = 22
 LFS_START_SERVER = true
-LFS_JWT_SECRET = <REDACTED 2024-01-14>
+LFS_JWT_SECRET_URI = file:/etc/forgejo/secrets/lfs_jwt_secret
 OFFLINE_MODE = true
 LANDING_PAGE = /OpenNeo
 
@@ -80,8 +80,8 @@ DEFAULT_TRUST_MODEL = committer
 
 [security]
 INSTALL_LOCK = true
-INTERNAL_TOKEN = <REDACTED 2024-01-14>
+INTERNAL_TOKEN_URI = file:/etc/forgejo/secrets/internal_token
 PASSWORD_HASH_ALGO = pbkdf2_hi
 
 [oauth2]
-JWT_SECRET = <REDACTED 2024-01-14>
+JWT_SECRET_URI = file:/etc/forgejo/secrets/oauth2_jwt_secret

files/secrets/.gitignore

@@ -0,0 +1,3 @@
+*
+!.gitignore
+!README

files/secrets/README

@@ -0,0 +1,10 @@
+This folder should have three files:
+
+- internal_token
+- lfs_jwt_secret
+- oauth2_jwt_secret
+
+Each of these should contain a long securely-generated token, which will be
+copied to /etc/forgejo/secrets, and loaded by app.ini.
+
+These are secret information, so they're not committed to this public codebase!

setup-forgejo.yml

@@ -54,6 +54,17 @@
       notify:
         - Restart Forgejo
 
+    - name: Copy secrets directory to Forgejo's config directory
+      copy:
+        src: files/secrets
+        dest: /etc/forgejo
+        directory_mode: "750"
+        mode: "640"
+        owner: root
+        group: git
+      notify:
+        - Restart Forgejo
+
     - name: Install systemd service for Forgejo
       copy:
         src: files/forgejo.service