Rotate operator secrets into agenix and deepen caches

Scripts/hetzner-forge.sh

@@ -2,6 +2,9 @@
 set -euo pipefail
 
 SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+REPO_ROOT="$(cd "${SCRIPT_DIR}/.." && pwd)"
+# shellcheck source=Scripts/_burrow-secrets.sh
+source "${SCRIPT_DIR}/_burrow-secrets.sh"
 
 usage() {
   cat <<'EOF'
@@ -31,7 +34,7 @@ Options:
   -h, --help               Show this help text.
 
 Environment:
-  HCLOUD_TOKEN_FILE        Defaults to intake/hetzner-api-token.txt
+  HCLOUD_TOKEN_FILE        Defaults to secrets/hetzner/api-token.age, then intake/hetzner-api-token.txt
 EOF
 }
 
@@ -43,10 +46,15 @@ IMAGE="ubuntu-24.04"
 CONFIG="burrow-forge"
 FLAKE="."
 UPLOAD_LOCATION=""
-TOKEN_FILE="${HCLOUD_TOKEN_FILE:-intake/hetzner-api-token.txt}"
+TOKEN_FILE="${HCLOUD_TOKEN_FILE:-}"
 YES=0
 SSH_KEYS=("contact@burrow.net" "agent@burrow.net")
 
+cleanup() {
+  burrow_cleanup_secret_tmpfiles
+}
+trap cleanup EXIT
+
 if [[ $# -gt 0 ]]; then
   case "$1" in
     show|create|delete|recreate|build-image|create-from-image|recreate-from-image)
@@ -110,10 +118,16 @@ while [[ $# -gt 0 ]]; do
   esac
 done
 
-if [[ ! -f "${TOKEN_FILE}" ]]; then
-  echo "Hetzner API token file not found: ${TOKEN_FILE}" >&2
+TOKEN_FILE="$(
+  burrow_resolve_secret_file \
+    "${REPO_ROOT}" \
+    "${TOKEN_FILE}" \
+    "${REPO_ROOT}/intake/hetzner-api-token.txt" \
+    "${REPO_ROOT}/secrets/hetzner/api-token.age"
+)" || {
+  echo "Hetzner API token file could not be resolved" >&2
   exit 1
-fi
+}
 
 if [[ -z "${UPLOAD_LOCATION}" ]]; then
   UPLOAD_LOCATION="${LOCATION}"