hackclub/burrow
1
0
Fork 0
Code Pull requests Releases Packages Activity Actions

Rotate operator secrets into agenix and deepen caches
Some checks failed
Build Rust / Cargo Test (push) Waiting to run
Details
Build Site / Next.js Build (push) Waiting to run
Details
Build Apple / Build App (iOS Simulator) (push) Failing after 52s
Details
Build Apple / Build App (macOS) (push) Failing after 1m1s
Details

Browse source
This commit is contained in:
Conrad Kramer 2026-03-19 00:28:18 -07:00
parent 7039bf5aad
commit 03415e579b
28 changed files with 526 additions and 126 deletions
Download patch file Download diff file Expand all files Collapse all files

52
Tools/forwardemail-custom-s3.sh
View file

@ -3,17 +3,22 @@
set -euo pipefail
umask 077
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
REPO_ROOT="$(cd "${SCRIPT_DIR}/.." && pwd)"
# shellcheck source=Scripts/_burrow-secrets.sh
source "${REPO_ROOT}/Scripts/_burrow-secrets.sh"
usage() {
cat <<'EOF'
Usage:
Tools/forwardemail-custom-s3.sh \
--domain burrow.net \
--api-token-file intake/forwardemail_api_token.txt \
--api-token-file secrets/forwardemail/api-token.age \
--s3-endpoint https://<endpoint> \
--s3-region <region> \
--s3-bucket <bucket> \
--s3-access-key-file intake/hetzner-s3-user.txt \
--s3-secret-key-file intake/hetzner-s3-secret.txt
--s3-access-key-file secrets/forwardemail/hetzner-s3-user.age \
--s3-secret-key-file secrets/forwardemail/hetzner-s3-secret.age
Options:
--domain <domain> Forward Email domain to update.
@ -54,13 +59,18 @@ read_secret() {
printf '%s' "$value"
}
cleanup() {
burrow_cleanup_secret_tmpfiles
}
trap cleanup EXIT
domain=""
api_token_file=""
api_token_file="${FORWARDEMAIL_API_TOKEN_FILE:-}"
s3_endpoint=""
s3_region=""
s3_bucket=""
s3_access_key_file=""
s3_secret_key_file=""
s3_access_key_file="${FORWARDEMAIL_S3_ACCESS_KEY_FILE:-}"
s3_secret_key_file="${FORWARDEMAIL_S3_SECRET_KEY_FILE:-}"
test_only=false
while [[ $# -gt 0 ]]; do
@ -108,16 +118,38 @@ while [[ $# -gt 0 ]]; do
done
[[ -n "$domain" ]] || fail "--domain is required"
[[ -n "$api_token_file" ]] || fail "--api-token-file is required"
[[ -n "$s3_endpoint" || "$test_only" == true ]] || fail "--s3-endpoint is required unless --test-only is set"
[[ -n "$s3_region" || "$test_only" == true ]] || fail "--s3-region is required unless --test-only is set"
[[ -n "$s3_bucket" || "$test_only" == true ]] || fail "--s3-bucket is required unless --test-only is set"
[[ -n "$s3_access_key_file" || "$test_only" == true ]] || fail "--s3-access-key-file is required unless --test-only is set"
[[ -n "$s3_secret_key_file" || "$test_only" == true ]] || fail "--s3-secret-key-file is required unless --test-only is set"
api_token_file="$(
burrow_resolve_secret_file \
"${REPO_ROOT}" \
"${api_token_file}" \
"${REPO_ROOT}/intake/forwardemail_api_token.txt" \
"${REPO_ROOT}/secrets/forwardemail/api-token.age"
)" || fail "unable to resolve Forward Email API token file"
require_file "$api_token_file"
api_token="$(read_secret "$api_token_file")"
if [[ "$test_only" != true ]]; then
s3_access_key_file="$(
burrow_resolve_secret_file \
"${REPO_ROOT}" \
"${s3_access_key_file}" \
"${REPO_ROOT}/intake/hetzner-s3-user.txt" \
"${REPO_ROOT}/secrets/forwardemail/hetzner-s3-user.age"
)" || fail "unable to resolve Hetzner S3 access key file"
s3_secret_key_file="$(
burrow_resolve_secret_file \
"${REPO_ROOT}" \
"${s3_secret_key_file}" \
"${REPO_ROOT}/intake/hetzner-s3-secret.txt" \
"${REPO_ROOT}/secrets/forwardemail/hetzner-s3-secret.age"
)" || fail "unable to resolve Hetzner S3 secret key file"
require_file "$s3_access_key_file"
require_file "$s3_secret_key_file"
fi
if [[ "$test_only" == false ]]; then
require_file "$s3_access_key_file"
require_file "$s3_secret_key_file"