Move Forgejo NSC runtime into agenix

2026-03-18 22:40:44 -07:00 · 2026-03-18 22:40:44 -07:00 · 48b8a3c32f
commit 48b8a3c32f
parent 251922da9e
14 changed files with 217 additions and 18 deletions
--- a/Scripts/agenix-load-file.sh
+++ b/Scripts/agenix-load-file.sh
@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+if [[ $# -lt 1 ]]; then
+  echo "Usage: agenix-load-file.sh <destination-file>" >&2
+  exit 1
+fi
+
+dest="${!#}"
+source_path="${SECRET_SOURCE_FILE:-}"
+
+if [[ -z "$source_path" ]]; then
+  echo "SECRET_SOURCE_FILE is not set; point it at the source file to encrypt." >&2
+  exit 1
+fi
+
+if [[ ! -f "$source_path" ]]; then
+  echo "Source file '$source_path' does not exist." >&2
+  exit 1
+fi
+
+cp "$source_path" "$dest"
--- a/Scripts/provision-forgejo-nsc.sh
+++ b/Scripts/provision-forgejo-nsc.sh
@ -272,4 +272,5 @@ PY
 chmod 600 "${dispatcher_out}" "${autoscaler_out}"

 echo "Rendered intake/forgejo_nsc_token.txt, intake/forgejo_nsc_dispatcher.yaml, and intake/forgejo_nsc_autoscaler.yaml."
+echo "Re-encrypt them into secrets/forgejo/{nsc-token,nsc-dispatcher-config,nsc-autoscaler-config}.age before deploying the forge host."
 echo "Minted Forgejo PAT ${token_name} for ${CONTACT_USER} on ${HOST}."