Rotate operator secrets into agenix and deepen caches

2026-03-19 00:28:18 -07:00 · 2026-03-19 00:28:18 -07:00 · 03415e579b
commit 03415e579b
parent 7039bf5aad
28 changed files with 526 additions and 126 deletions
--- a/Scripts/sync-forgejo-nsc-config.sh
+++ b/Scripts/sync-forgejo-nsc-config.sh
@ -5,12 +5,12 @@ usage() {
  cat <<'EOF'
 Usage: Scripts/sync-forgejo-nsc-config.sh [options]

-Copy Burrow forgejo-nsc runtime inputs from intake/ onto the forge host and
+Copy Burrow forgejo-nsc runtime inputs from age secrets or intake/ onto the forge host and
 restart the dispatcher/autoscaler units.

 Options:
  --host <user@host>       SSH target (default: root@git.burrow.net)
-  --ssh-key <path>         SSH private key (default: intake/agent_at_burrow_net_ed25519)
+  --ssh-key <path>         SSH private key (default: secrets/forgejo/agent-ssh-key.age, then intake/)
  --rotate-pat             Re-render the intake files before syncing.
  --no-restart             Copy files only.
  -h, --help               Show this help text.
@ -19,12 +19,21 @@ EOF

 SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
 REPO_ROOT="$(cd "${SCRIPT_DIR}/.." && pwd)"
+# shellcheck source=Scripts/_burrow-secrets.sh
+source "${SCRIPT_DIR}/_burrow-secrets.sh"

 HOST="${BURROW_FORGE_HOST:-root@git.burrow.net}"
-SSH_KEY="${BURROW_FORGE_SSH_KEY:-${REPO_ROOT}/intake/agent_at_burrow_net_ed25519}"
+SSH_KEY="${BURROW_FORGE_SSH_KEY:-}"
 KNOWN_HOSTS_FILE="${BURROW_FORGE_KNOWN_HOSTS_FILE:-${HOME}/.cache/burrow/forge-known_hosts}"
 ROTATE_PAT=0
 NO_RESTART=0
+TMP_DIR=""
+
+cleanup() {
+  [[ -n "${TMP_DIR}" ]] && rm -rf "${TMP_DIR}" >/dev/null 2>&1 || true
+  burrow_cleanup_secret_tmpfiles
+}
+trap cleanup EXIT

 while [[ $# -gt 0 ]]; do
  case "$1" in
@ -68,18 +77,41 @@ burrow_require_cmd() {
 burrow_require_cmd ssh
 burrow_require_cmd scp

-if [[ ! -f "${SSH_KEY}" ]]; then
-  echo "forge SSH key not found: ${SSH_KEY}" >&2
-  exit 1
-fi
+SSH_KEY="$(
+  burrow_resolve_secret_file \
+    "${REPO_ROOT}" \
+    "${SSH_KEY}" \
+    "${REPO_ROOT}/intake/agent_at_burrow_net_ed25519" \
+    "${REPO_ROOT}/secrets/forgejo/agent-ssh-key.age" \
+    "${HOME}/.ssh/agent_at_burrow_net_ed25519"
+)"

 if [[ "${ROTATE_PAT}" -eq 1 ]]; then
  "${SCRIPT_DIR}/provision-forgejo-nsc.sh" --host "${HOST}" --ssh-key "${SSH_KEY}"
 fi

-token_file="${REPO_ROOT}/intake/forgejo_nsc_token.txt"
-dispatcher_file="${REPO_ROOT}/intake/forgejo_nsc_dispatcher.yaml"
-autoscaler_file="${REPO_ROOT}/intake/forgejo_nsc_autoscaler.yaml"
+TMP_DIR="$(mktemp -d "${TMPDIR:-/tmp}/burrow-nsc-sync.XXXXXX")"
+token_file="$(
+  burrow_resolve_secret_file \
+    "${REPO_ROOT}" \
+    "" \
+    "${REPO_ROOT}/intake/forgejo_nsc_token.txt" \
+    "${REPO_ROOT}/secrets/forgejo/nsc-token.age"
+)"
+dispatcher_file="$(
+  burrow_resolve_secret_file \
+    "${REPO_ROOT}" \
+    "" \
+    "${REPO_ROOT}/intake/forgejo_nsc_dispatcher.yaml" \
+    "${REPO_ROOT}/secrets/forgejo/nsc-dispatcher-config.age"
+)"
+autoscaler_file="$(
+  burrow_resolve_secret_file \
+    "${REPO_ROOT}" \
+    "" \
+    "${REPO_ROOT}/intake/forgejo_nsc_autoscaler.yaml" \
+    "${REPO_ROOT}/secrets/forgejo/nsc-autoscaler-config.age"
+)"

 for path in "${token_file}" "${dispatcher_file}" "${autoscaler_file}"; do
  if [[ ! -s "${path}" ]]; then
@ -96,12 +128,12 @@ ssh_opts=(
 )

 remote_tmp="$(ssh "${ssh_opts[@]}" "${HOST}" "mktemp -d")"
-cleanup() {
+cleanup_remote() {
  if [[ -n "${remote_tmp:-}" ]]; then
    ssh "${ssh_opts[@]}" "${HOST}" "rm -rf '${remote_tmp}'" >/dev/null 2>&1 || true
  fi
 }
-trap cleanup EXIT
+trap 'cleanup_remote; cleanup' EXIT

 scp "${ssh_opts[@]}" \
  "${token_file}" \