Rotate operator secrets into agenix and deepen caches

secrets/README.md

@@ -9,11 +9,19 @@ For the Forgejo Namespace Cloud runtime:
 - `secrets/forgejo/nsc-token.age`
 - `secrets/forgejo/nsc-dispatcher-config.age`
 - `secrets/forgejo/nsc-autoscaler-config.age`
+- `secrets/cloudflare/api-token.age`
+- `secrets/hetzner/api-token.age`
+- `secrets/forwardemail/api-token.age`
+- `secrets/forwardemail/hetzner-s3-user.age`
+- `secrets/forwardemail/hetzner-s3-secret.age`
 
 Use:
 
 - `make secret name=forgejo/nsc-token`
 - `make secret-file name=forgejo/agent-ssh-key file=/path/to/source`
+- `Scripts/provision-forgejo-nsc.sh` to refresh the Forgejo Namespace token and runtime configs in `secrets/forgejo/*.age`
+- `make secret-file name=cloudflare/api-token file=/path/to/cloudflare-token.txt`
+- `make secret-file name=hetzner/api-token file=/path/to/hetzner-api-token.txt`
 
 The forge host decrypts these files at activation time and feeds the resulting
 paths into `services.burrow.forge`, `services.burrow.forgeRunner`, and

secrets/cloudflare/api-token.age

@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 ux4N8Q rX5+bmtxyHNgD+xNdHkB1fKdjUlrX275DaKTIHssYyA
+KwbfKHx14QXRKBIGWwJDR8+DONyCdVssh8Ti8mdajyQ
+-> ssh-ed25519 IrZmAg SOG/KvURA6PrxVhtZyIbazFGNQZyp0BR4MH+YInHGB4
+79pENXhtLwlCQVnqkPEzoFgrXMmTqRsfs4ULluTevWA
+--- gDA64KNbgN+eGHsQbIbKvhOg1T/Nqui6I/wy2MK8VWE
+û<EFBFBD>[|V{[ƒöŽ’ýö¯'E	.Í{CÃǶÕö{ha

secrets/forwardemail/api-token.age

@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 ux4N8Q ICuXuDsZiw1ShfUX9qjq8bCkeNdsbHWnG4e+3ZOC3jg
+wswxqzQtf7jumSYB8ZeQzRBpMrBPVsUnWOYsmlDvpSs
+-> ssh-ed25519 IrZmAg Xrvp/tXzXrHF1+NxgTZs9nNufyxtTq5NoYT5gaW6p1M
+UWGlhZpV19CWMR9abp30vkQwZUMb/ylvInGEBlDdjjE
+--- qhAaAECwhmAY4g3/e+Dz9RvL1MBQkHGWyoe1NkdTuqA
+ìÑd
Íéé?)¼ ñ<3ïŽ6ÜF:a•Ë<E280A2>
ųñÖ²Ä

secrets/forwardemail/hetzner-s3-secret.age

@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 ux4N8Q jwJzvmXUV5rCB6ku7ILLQUDInuQJL2gN+pjmX/ccXWE
+q9OSyVhTuzERRRZZOCQzbwAwLOvOFIT/l9MxJ0V3UTo
+-> ssh-ed25519 IrZmAg 8IutYG3CnNP9gw5fTFOaXm1Ue4i/cVs1apA88bNs9mo
+daaf+6HoE3bmUEKR8/zu9jKTstVFCXqBlBxBdNVpQ90
+--- gRGNkWqoh+lZWpDG7yNLd4fjoX2jCyHTWbzImzoFGko
+R@+‰fu9ËÏRB‘±áÎX³2öúæ<C3BA>“[I¤<49>®

secrets/forwardemail/hetzner-s3-user.age

@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 ux4N8Q jwyFpeVX18Q/1vnK2A1gwETTTH/QDUmW7vhCA+E/1lc
+vtG1Ra+hR0cc/o9oJw7YTWMc2+JmrehzBE5QkIHQMKY
+-> ssh-ed25519 IrZmAg KljcDNRlBmn7ElVfXq/E2prFHnRQD2TkQY9Vto+OQUA
+T37sFc3xVrhky6e0n4KbsX18/fBqP3VjS/mNbxX6bfI
+--- lvSjWGriUCYC14eI2eH9MdO2cB76Pe3gWD7pidw8Qjo
+s‘&¾Ùßxö™<C3B6>*‘°4–}‰<1D>Í”z&¢F¥Å

secrets/hetzner/api-token.age

@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 ux4N8Q pEJA2VJkPC+NzA9yFvBrpXHD8qFMTD9iIHYSkx8P2RI
+AGE1QJya77d92ERA1yQYylvZPNAJEQKoCL32BY5XBzo
+-> ssh-ed25519 IrZmAg VMpoTBpNG/TAlnbJ2APwc4VMt2CX5rQwlrrihtmojFo
+caOwayLgVDGPrjqLLH8hHHQ3Fy2WeRI2tf+R02HFqx0
+--- Ey1DYpyA4lnVqPaabNsEuSihl4fvZ2vpSc/IRGZwYBw
+¥Uï2Q÷
‘âÖã*
ð÷m¹¼†<C2BC>F<EFBFBD>ÒÞž|^–EVÜ"

secrets/secrets.nix

@@ -3,6 +3,7 @@ let
   agent = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEN0+tRJy7Y2DW0uGYHb86N2t02WyU5lDNX6FaxBF/G8 agent@burrow.net";
   forge = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAlkGo4lwpwIIZ0J01KjTuJuf/U/wGgy4/aKwPIUzutL root@burrow-forge";
 
+  operatorSecrets = [ contact agent ];
   forgeAutomation = [ contact agent forge ];
 in {
   "secrets/forgejo/admin-password.age".publicKeys = forgeAutomation;
@@ -10,4 +11,9 @@ in {
   "secrets/forgejo/nsc-token.age".publicKeys = forgeAutomation;
   "secrets/forgejo/nsc-dispatcher-config.age".publicKeys = forgeAutomation;
   "secrets/forgejo/nsc-autoscaler-config.age".publicKeys = forgeAutomation;
+  "secrets/cloudflare/api-token.age".publicKeys = operatorSecrets;
+  "secrets/hetzner/api-token.age".publicKeys = operatorSecrets;
+  "secrets/forwardemail/api-token.age".publicKeys = operatorSecrets;
+  "secrets/forwardemail/hetzner-s3-user.age".publicKeys = operatorSecrets;
+  "secrets/forwardemail/hetzner-s3-secret.age".publicKeys = operatorSecrets;
 }