From 0a948d53f5f31887e584c85387c25d79b3bc051d Mon Sep 17 00:00:00 2001
From: TheGeneralist <180094941+thegeneralist01@users.noreply.github.com>
Date: Sat, 24 Jan 2026 17:43:08 +0100
Subject: [PATCH] forgejo: allow runner to read deploy token

---
 hosts/thegeneralist-central/forgejo/default.nix | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/hosts/thegeneralist-central/forgejo/default.nix b/hosts/thegeneralist-central/forgejo/default.nix
index 24f2ed5..3ba7af7 100644
--- a/hosts/thegeneralist-central/forgejo/default.nix
+++ b/hosts/thegeneralist-central/forgejo/default.nix
@@ -11,6 +11,9 @@ in
 
   age.secrets.forgejoRunnerToken.file = ./forgejo-runner-token.age;
   age.secrets.forgejoFamilySiteDeployToken.file = ./forgejo-family-site-deploy-token.age;
+  age.secrets.forgejoFamilySiteDeployToken.owner = "gitea-runner";
+  age.secrets.forgejoFamilySiteDeployToken.group = "gitea-runner";
+  age.secrets.forgejoFamilySiteDeployToken.mode = "0400";
 
   services.forgejo = {
     enable = true;