Rotate operator secrets into agenix and deepen caches

This commit is contained in:
Conrad Kramer 2026-03-19 00:28:18 -07:00
parent 7039bf5aad
commit 03415e579b
28 changed files with 526 additions and 126 deletions


@ -6,6 +6,7 @@ import argparse
import datetime as dt
import hashlib
import hmac
import subprocess
import sys
import textwrap
from pathlib import Path
@ -13,11 +14,38 @@ from urllib.parse import urlencode, urlparse
import requests
REPO_ROOT = Path(__file__).resolve().parent.parent
def default_secret_path(age_rel: str, intake_rel: str) -> str:
age_path = REPO_ROOT / age_rel
if age_path.exists():
return str(age_path)
return intake_rel
def read_secret(path: str) -> str:
value = Path(path).read_text(encoding="utf-8").strip()
file_path = Path(path)
if not file_path.is_absolute():
file_path = REPO_ROOT / file_path
if file_path.suffix == ".age":
value = subprocess.check_output(
[
"nix",
"--extra-experimental-features",
"nix-command flakes",
"run",
f"{REPO_ROOT}#agenix",
"--",
"-d",
str(file_path),
],
text=True,
).strip()
else:
value = file_path.read_text(encoding="utf-8").strip()
if not value:
raise SystemExit(f"error: empty secret file: {path}")
raise SystemExit(f"error: empty secret file: {file_path}")
return value
@ -212,12 +240,12 @@ def parse_args() -> argparse.Namespace:
parser.add_argument("--region", default="hel1", help="S3 region.")
parser.add_argument(
"--access-key-file",
default="intake/hetzner-s3-user.txt",
default=default_secret_path("secrets/forwardemail/hetzner-s3-user.age", "intake/hetzner-s3-user.txt"),
help="File containing the S3 access key id.",
)
parser.add_argument(
"--secret-key-file",
default="intake/hetzner-s3-secret.txt",
default=default_secret_path("secrets/forwardemail/hetzner-s3-secret.age", "intake/hetzner-s3-secret.txt"),
help="File containing the S3 secret key.",
)
parser.add_argument(
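Review bot: In the second hunk, the `.age` branch of read_secret lets a failed decrypt escape as a raw `subprocess.CalledProcessError` traceback, while the empty-file case a few lines below exits with the script's `error: …` message; a missing age identity on the operator's machine is the most likely failure here and deserves the same treatment. Wrapping the call as `try: value = subprocess.check_output([...], text=True).strip()` / `except subprocess.CalledProcessError as exc: raise SystemExit(f"error: agenix failed to decrypt {file_path} (exit {exc.returncode})") from exc` keeps the existing convention, and since stderr is not captured the agenix diagnostics still reach the terminal without the secret entering the message. The new `file_path = REPO_ROOT / file_path` line also changes how the `intake/...` fallback defaults resolve (against the repo root rather than the current working directory), which looks intentional but is worth a one-line comment above it, e.g. `# relative secret paths resolve against the repo root, not cwd`.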