Wire namespace caches and agenix secrets

Scripts/sync-forgejo-nsc-config.sh

@@ -5,14 +5,13 @@ usage() {
   cat <<'EOF'
 Usage: Scripts/sync-forgejo-nsc-config.sh [options]
 
-Copy Burrow forgejo-nsc runtime inputs from age secrets or intake/ onto the forge host and
-restart the dispatcher/autoscaler units.
+Deploy Burrow forgejo-nsc runtime inputs from age secrets onto the forge host.
 
 Options:
   --host <user@host>       SSH target (default: root@git.burrow.net)
   --ssh-key <path>         SSH private key (default: secrets/forgejo/agent-ssh-key.age, then intake/)
-  --rotate-pat             Re-render the intake files before syncing.
-  --no-restart             Copy files only.
+  --rotate-pat             Re-render the encrypted runtime inputs before deploying.
+  --no-restart             Validate the encrypted inputs only; do not deploy.
   -h, --help               Show this help text.
 EOF
 }
@@ -75,7 +74,6 @@ burrow_require_cmd() {
 }
 
 burrow_require_cmd ssh
-burrow_require_cmd scp
 
 SSH_KEY="$(
   burrow_resolve_secret_file \
@@ -90,26 +88,25 @@ if [[ "${ROTATE_PAT}" -eq 1 ]]; then
   "${SCRIPT_DIR}/provision-forgejo-nsc.sh" --host "${HOST}" --ssh-key "${SSH_KEY}"
 fi
 
-TMP_DIR="$(mktemp -d "${TMPDIR:-/tmp}/burrow-nsc-sync.XXXXXX")"
 token_file="$(
   burrow_resolve_secret_file \
     "${REPO_ROOT}" \
     "" \
-    "${REPO_ROOT}/intake/forgejo_nsc_token.txt" \
+    "" \
     "${REPO_ROOT}/secrets/forgejo/nsc-token.age"
 )"
 dispatcher_file="$(
   burrow_resolve_secret_file \
     "${REPO_ROOT}" \
     "" \
-    "${REPO_ROOT}/intake/forgejo_nsc_dispatcher.yaml" \
+    "" \
     "${REPO_ROOT}/secrets/forgejo/nsc-dispatcher-config.age"
 )"
 autoscaler_file="$(
   burrow_resolve_secret_file \
     "${REPO_ROOT}" \
     "" \
-    "${REPO_ROOT}/intake/forgejo_nsc_autoscaler.yaml" \
+    "" \
     "${REPO_ROOT}/secrets/forgejo/nsc-autoscaler-config.age"
 )"
 
@@ -120,45 +117,11 @@ for path in "${token_file}" "${dispatcher_file}" "${autoscaler_file}"; do
   fi
 done
 
-ssh_opts=(
-  -i "${SSH_KEY}"
-  -o IdentitiesOnly=yes
-  -o UserKnownHostsFile="${KNOWN_HOSTS_FILE}"
-  -o StrictHostKeyChecking=accept-new
-)
-
-remote_tmp="$(ssh "${ssh_opts[@]}" "${HOST}" "mktemp -d")"
-cleanup_remote() {
-  if [[ -n "${remote_tmp:-}" ]]; then
-    ssh "${ssh_opts[@]}" "${HOST}" "rm -rf '${remote_tmp}'" >/dev/null 2>&1 || true
-  fi
-}
-trap 'cleanup_remote; cleanup' EXIT
-
-scp "${ssh_opts[@]}" \
-  "${token_file}" \
-  "${dispatcher_file}" \
-  "${autoscaler_file}" \
-  "${HOST}:${remote_tmp}/"
-
-ssh "${ssh_opts[@]}" "${HOST}" "
-  set -euo pipefail
-  install -d -m 0755 /var/lib/burrow/intake
-  install -m 0400 -o forgejo-nsc -g forgejo-nsc '${remote_tmp}/$(basename "${token_file}")' /var/lib/burrow/intake/forgejo_nsc_token.txt
-  install -m 0400 -o forgejo-nsc -g forgejo-nsc '${remote_tmp}/$(basename "${dispatcher_file}")' /var/lib/burrow/intake/forgejo_nsc_dispatcher.yaml
-  install -m 0400 -o forgejo-nsc -g forgejo-nsc '${remote_tmp}/$(basename "${autoscaler_file}")' /var/lib/burrow/intake/forgejo_nsc_autoscaler.yaml
-"
-
 if [[ "${NO_RESTART}" -eq 0 ]]; then
-  ssh "${ssh_opts[@]}" "${HOST}" "
-    set -euo pipefail
-    systemctl restart forgejo-nsc-dispatcher.service forgejo-nsc-autoscaler.service
-    systemctl is-active forgejo-nsc-dispatcher.service forgejo-nsc-autoscaler.service
-    ls -l \
-      /var/lib/burrow/intake/forgejo_nsc_token.txt \
-      /var/lib/burrow/intake/forgejo_nsc_dispatcher.yaml \
-      /var/lib/burrow/intake/forgejo_nsc_autoscaler.yaml
-  "
+  BURROW_FORGE_HOST="${HOST}" \
+  BURROW_FORGE_SSH_KEY="${SSH_KEY}" \
+  BURROW_FORGE_KNOWN_HOSTS_FILE="${KNOWN_HOSTS_FILE}" \
+    "${SCRIPT_DIR}/forge-deploy.sh" --switch
 fi
 
-echo "forgejo-nsc runtime sync complete (host=${HOST}, restarted=$((1 - NO_RESTART)))."
+echo "forgejo-nsc runtime sync complete (host=${HOST}, deployed=$((1 - NO_RESTART)))."