Move Forgejo NSC runtime into agenix

2026-03-18 22:40:44 -07:00 · 2026-03-18 22:40:44 -07:00 · 48b8a3c32f
commit 48b8a3c32f
parent 251922da9e
14 changed files with 217 additions and 18 deletions
--- a/services/forgejo-nsc/README.md
+++ b/services/forgejo-nsc/README.md
@ -152,19 +152,21 @@ instances:
 ```

 For Burrow, use `Scripts/provision-forgejo-nsc.sh` to mint the Forgejo PAT,
-generate a Namespace token from the logged-in namespace account, and render the
-dispatcher/autoscaler configs into `intake/forgejo_nsc_{dispatcher,autoscaler}.yaml`
-plus `intake/forgejo_nsc_token.txt`. The token file is emitted as JSON with a
+generate a Namespace token from the logged-in namespace account, and render
+bootstrap artifacts into `intake/forgejo_nsc_{dispatcher,autoscaler}.yaml` plus
+`intake/forgejo_nsc_token.txt`. The token file is emitted as JSON with a
 `bearer_token` field so both the Compute API path and the `nsc` CLI fallback can
 consume the same secret material.

-For ongoing operations, use `Scripts/sync-forgejo-nsc-config.sh`:
+Long-lived runtime state is now sourced from age-encrypted files:

- `Scripts/sync-forgejo-nsc-config.sh` copies the intake-backed configs and
-  Namespace token onto `/var/lib/burrow/intake/` on the forge host, reapplies
-  file ownership for `forgejo-nsc`, and restarts the dispatcher/autoscaler.
- `Scripts/sync-forgejo-nsc-config.sh --rotate-pat` additionally mints a new
-  Forgejo PAT on the Burrow forge host and refreshes the local intake files.
+- `secrets/forgejo/nsc-token.age`
+- `secrets/forgejo/nsc-dispatcher-config.age`
+- `secrets/forgejo/nsc-autoscaler-config.age`
+
+After refreshing the intake files, re-encrypt them into `secrets/forgejo/*.age`
+and deploy the forge host so `config.age.secrets.*` updates the live paths for
+`services.burrow.forgejoNsc`.

 Run it next to the dispatcher: