test: drop plain-text secrets from fixtures, use <attr>File indirection

  - services/keycloak/checks.nix: openid_clients.acme_app.client_secret
    "topsecret" -> client_secretFile = /etc/acme-app-client-secret.
    Asserts the literal stays out of the generated .tf.json.
  - services/forgejo/checks.nix: users.alice.password "hackme" in the
    widenScope specialisation -> passwordFile = /etc/forgejo-alice-password.
    (bob already used passwordFile; alice was the one literal left.)

The fixtures now exclusively exercise the secret-file indirection, so
the tests stay honest examples for operators.

Author: kmein

services/forgejo/checks.nix

@@ -24,9 +24,10 @@
         # curl drives the post-convergence API assertions.
         environment.systemPackages = [ pkgs.curl ];
 
-        # Stand-in for an operator-managed secret file (sops/agenix in production):
-        # bob's password, fed to the reconciler via LoadCredential, never the store.
+        # mock agenix secrets: passwords supplied as host files, fed to the
+        # reconciler via LoadCredential and never the world-readable store.
         environment.etc."forgejo-bob-password".text = "hackme";
+        environment.etc."forgejo-alice-password".text = "hackme";
 
         services.forgejo = {
           enable = true;
@@ -98,7 +99,7 @@
         specialisation.widenScope.configuration = {
           services.forgejo.runtime.users.alice = {
             email = "alice@localhost.localdomain";
-            password = "hackme";
+            passwordFile = "/etc/forgejo-alice-password";
             must_change_password = false;
           };
         };

services/keycloak/checks.nix

@@ -247,6 +247,7 @@ in
     name = "declarative-keycloak-clients";
 
     containers.keycloak = mkHost {
+      extraEtc."acme-app-client-secret".text = "topsecret";
       runtime = {
         realms.acme.display_name = "ACME";
 
@@ -264,7 +265,7 @@ in
           client_id = "acme-app";
           name = "ACME App";
           access_type = "CONFIDENTIAL";
-          client_secret = "topsecret";
+          client_secretFile = "/etc/acme-app-client-secret";
           standard_flow_enabled = true;
           direct_access_grants_enabled = true;
           service_accounts_enabled = true;
@@ -320,6 +321,13 @@ in
           assert "acme-profile" in names, \
               f"acme-profile not bound as default scope: {names}"
 
+      with subtest("client_secret was supplied via <attr>File, never written to .tf.json"):
+          tfjson = keycloak.succeed(
+              "cat /var/lib/keycloak/declarative-terraform/main.tf.json"
+          )
+          assert "topsecret" not in tfjson, \
+              "openid_clients.acme_app.client_secret leaked into .tf.json"
+
       with subtest("protocol mapper attached to client scope"):
           # protocolMappers ride along on the client-scope representation.
           scopes = admin_get(keycloak, "acme/client-scopes")