Move forgejo-nsc credentials into agenix

Scripts/seal-forgejo-nsc-secrets.sh

@@ -0,0 +1,112 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+REPO_ROOT="$(cd "${SCRIPT_DIR}/.." && pwd)"
+
+usage() {
+  cat <<'EOF'
+Usage: Scripts/seal-forgejo-nsc-secrets.sh [options]
+
+Encrypt Burrow forgejo-nsc runtime inputs from intake/ into the agenix secrets
+consumed by burrow-forge.
+
+Options:
+  --provision            Re-render the local intake files before sealing.
+  --host <user@host>     SSH target forwarded to provision-forgejo-nsc.sh.
+  --ssh-key <path>       SSH private key forwarded to provision-forgejo-nsc.sh.
+  --nsc-bin <path>       Override the nsc binary for provisioning.
+  -h, --help             Show this help text.
+EOF
+}
+
+PROVISION=0
+HOST="${BURROW_FORGE_HOST:-root@git.burrow.net}"
+SSH_KEY="${BURROW_FORGE_SSH_KEY:-${REPO_ROOT}/intake/agent_at_burrow_net_ed25519}"
+NSC_BIN="${NSC_BIN:-}"
+
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    --provision)
+      PROVISION=1
+      shift
+      ;;
+    --host)
+      HOST="${2:?missing value for --host}"
+      shift 2
+      ;;
+    --ssh-key)
+      SSH_KEY="${2:?missing value for --ssh-key}"
+      shift 2
+      ;;
+    --nsc-bin)
+      NSC_BIN="${2:?missing value for --nsc-bin}"
+      shift 2
+      ;;
+    -h|--help)
+      usage
+      exit 0
+      ;;
+    *)
+      echo "unknown option: $1" >&2
+      usage >&2
+      exit 64
+      ;;
+  esac
+done
+
+require_cmd() {
+  if ! command -v "$1" >/dev/null 2>&1; then
+    echo "missing required command: $1" >&2
+    exit 1
+  fi
+}
+
+require_cmd age
+require_cmd nix
+require_cmd python3
+
+if [[ "${PROVISION}" -eq 1 ]]; then
+  provision_args=(--host "${HOST}" --ssh-key "${SSH_KEY}")
+  if [[ -n "${NSC_BIN}" ]]; then
+    provision_args+=(--nsc-bin "${NSC_BIN}")
+  fi
+  "${SCRIPT_DIR}/provision-forgejo-nsc.sh" "${provision_args[@]}"
+fi
+
+tmpdir="$(mktemp -d)"
+cleanup() {
+  rm -rf "${tmpdir}"
+}
+trap cleanup EXIT
+
+seal_secret() {
+  local target="$1"
+  local source_path="$2"
+  recipients_file="${tmpdir}/$(basename "${target}").recipients"
+  if [[ ! -s "${source_path}" ]]; then
+    echo "required runtime input missing or empty: ${source_path}" >&2
+    exit 1
+  fi
+  nix eval --impure --json --expr "let s = import ${REPO_ROOT}/secrets.nix; in s.\"${target}\".publicKeys" \
+    | python3 -c 'import json, sys; [print(item) for item in json.load(sys.stdin)]' \
+    > "${recipients_file}"
+
+  age -R "${recipients_file}" -o "${REPO_ROOT}/${target}" "${source_path}"
+}
+
+seal_secret "secrets/infra/forgejo-nsc-token.age" "${REPO_ROOT}/intake/forgejo_nsc_token.txt"
+seal_secret "secrets/infra/forgejo-nsc-dispatcher-config.age" "${REPO_ROOT}/intake/forgejo_nsc_dispatcher.yaml"
+seal_secret "secrets/infra/forgejo-nsc-autoscaler-config.age" "${REPO_ROOT}/intake/forgejo_nsc_autoscaler.yaml"
+
+chmod 600 \
+  "${REPO_ROOT}/secrets/infra/forgejo-nsc-token.age" \
+  "${REPO_ROOT}/secrets/infra/forgejo-nsc-dispatcher-config.age" \
+  "${REPO_ROOT}/secrets/infra/forgejo-nsc-autoscaler-config.age"
+
+echo "Sealed forgejo-nsc runtime inputs into:"
+printf '  %s\n' \
+  "${REPO_ROOT}/secrets/infra/forgejo-nsc-token.age" \
+  "${REPO_ROOT}/secrets/infra/forgejo-nsc-dispatcher-config.age" \
+  "${REPO_ROOT}/secrets/infra/forgejo-nsc-autoscaler-config.age"
+echo "Deploy burrow-forge to apply the new CI credentials."