Rotate operator secrets into agenix and deepen caches

2026-03-19 00:28:18 -07:00 · 2026-03-19 00:28:18 -07:00 · 03415e579b
commit 03415e579b
parent 7039bf5aad
28 changed files with 526 additions and 126 deletions
--- a/Scripts/nsc-build-and-upload-image.sh
+++ b/Scripts/nsc-build-and-upload-image.sh
@ -6,11 +6,13 @@ REPO_ROOT="$(cd "${SCRIPT_DIR}/.." && pwd)"

 # shellcheck source=Scripts/_burrow-flake.sh
 source "${SCRIPT_DIR}/_burrow-flake.sh"
+# shellcheck source=Scripts/_burrow-secrets.sh
+source "${SCRIPT_DIR}/_burrow-secrets.sh"

 CONFIG="${HCLOUD_IMAGE_CONFIG:-burrow-forge}"
 FLAKE="${HCLOUD_IMAGE_FLAKE:-.}"
 LOCATION="${HCLOUD_IMAGE_LOCATION:-hel1}"
-TOKEN_FILE="${HCLOUD_TOKEN_FILE:-${REPO_ROOT}/intake/hetzner-api-token.txt}"
+TOKEN_FILE="${HCLOUD_TOKEN_FILE:-}"
 NSC_SSH_HOST="${NSC_SSH_HOST:-ssh.ord2.namespace.so}"
 NSC_MACHINE_TYPE="${NSC_MACHINE_TYPE:-linux/amd64:32x64}"
 NSC_BUILDER_DURATION="${NSC_BUILDER_DURATION:-4h}"
@ -26,6 +28,13 @@ EXTRA_LABELS=()
 BURROW_FLAKE_TMPDIRS=()
 BUILDER_ID=""

+cleanup() {
+  burrow_cleanup_secret_tmpfiles
+  burrow_cleanup_flake_tmpdirs
+}
+
+trap cleanup EXIT
+
 usage() {
  cat <<'EOF'
 Usage: Scripts/nsc-build-and-upload-image.sh [options]
@ -37,7 +46,7 @@ Options:
  --config <name>         images.<name>-raw output to build (default: burrow-forge)
  --flake <path>          Flake path to build from (default: .)
  --location <code>       Hetzner upload location (default: hel1)
-  --token-file <path>     Hetzner API token file (default: intake/hetzner-api-token.txt)
+  --token-file <path>     Hetzner API token file (default: secrets/hetzner/api-token.age, then intake/hetzner-api-token.txt)
  --machine-type <type>   Namespace machine type (default: linux/amd64:32x64)
  --ssh-host <host>       Namespace SSH endpoint (default: ssh.ord2.namespace.so)
  --duration <ttl>        Namespace builder lifetime (default: 4h)
@ -126,6 +135,17 @@ while [[ $# -gt 0 ]]; do
  esac
 done

+TOKEN_FILE="$(
+  burrow_resolve_secret_file \
+    "${REPO_ROOT}" \
+    "${TOKEN_FILE}" \
+    "${REPO_ROOT}/intake/hetzner-api-token.txt" \
+    "${REPO_ROOT}/secrets/hetzner/api-token.age"
+)" || {
+  echo "Hetzner API token file could not be resolved" >&2
+  exit 1
+}
+
 cleanup() {
  if [[ -n "${BUILDER_ID}" && -n "${NSC_BIN}" ]]; then
    "${NSC_BIN}" destroy "${BUILDER_ID}" --force >/dev/null 2>&1 || true