Rotate operator secrets into agenix and deepen caches

2026-03-19 00:28:18 -07:00 · 2026-03-19 00:28:18 -07:00 · 03415e579b
commit 03415e579b
parent 7039bf5aad
28 changed files with 526 additions and 126 deletions
--- a/Scripts/check-forge-host.sh
+++ b/Scripts/check-forge-host.sh
@ -3,6 +3,8 @@ set -euo pipefail

 SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
 REPO_ROOT="$(cd "${SCRIPT_DIR}/.." && pwd)"
+# shellcheck source=Scripts/_burrow-secrets.sh
+source "${SCRIPT_DIR}/_burrow-secrets.sh"

 usage() {
  cat <<'EOF'
@ -12,17 +14,22 @@ Run a post-boot verification pass against the Burrow forge host.

 Options:
  --host <user@host>    SSH target (default: root@git.burrow.net)
-  --ssh-key <path>      SSH private key (default: intake/agent_at_burrow_net_ed25519)
+  --ssh-key <path>      SSH private key (default: secrets/forgejo/agent-ssh-key.age, then intake/)
  --expect-nsc          Fail if forgejo-nsc services are not active
  -h, --help            Show this help text
 EOF
 }

 HOST="${BURROW_FORGE_HOST:-root@git.burrow.net}"
-SSH_KEY="${BURROW_FORGE_SSH_KEY:-${REPO_ROOT}/intake/agent_at_burrow_net_ed25519}"
+SSH_KEY="${BURROW_FORGE_SSH_KEY:-}"
 KNOWN_HOSTS_FILE="${BURROW_FORGE_KNOWN_HOSTS_FILE:-${HOME}/.cache/burrow/forge-known_hosts}"
 EXPECT_NSC=0

+cleanup() {
+  burrow_cleanup_secret_tmpfiles
+}
+trap cleanup EXIT
+
 while [[ $# -gt 0 ]]; do
  case "$1" in
    --host)
@ -51,10 +58,17 @@ done

 mkdir -p "$(dirname "${KNOWN_HOSTS_FILE}")"

-if [[ ! -f "${SSH_KEY}" ]]; then
-  echo "forge SSH key not found: ${SSH_KEY}" >&2
+SSH_KEY="$(
+  burrow_resolve_secret_file \
+    "${REPO_ROOT}" \
+    "${SSH_KEY}" \
+    "${REPO_ROOT}/intake/agent_at_burrow_net_ed25519" \
+    "${REPO_ROOT}/secrets/forgejo/agent-ssh-key.age" \
+    "${HOME}/.ssh/agent_at_burrow_net_ed25519"
+)" || {
+  echo "forge SSH key could not be resolved" >&2
  exit 1
-fi
+}

 ssh \
  -i "${SSH_KEY}" \