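#!/usr/bin/env bash
#
# bootstrap-forge-intake.sh
#
# Copy the minimum Burrow forge bootstrap secrets onto the target host under
# /var/lib/burrow/intake with the ownership expected by the NixOS services.
# Legacy path only: the current forge runtime consumes agenix secrets directly.
#
# Environment (each overridable by the matching command-line option):
#   BURROW_FORGE_HOST              SSH target (default: root@git.burrow.net)
#   BURROW_FORGE_SSH_KEY           SSH private key used to reach the host
#   BURROW_FORGE_PASSWORD_FILE     Forgejo admin bootstrap password file
#   BURROW_FORGE_AGENT_KEY_FILE    Agent SSH private key copied for runner bootstrap
#   BURROW_FORGE_KNOWN_HOSTS_FILE  known_hosts file that pins the target's host key
#                                  (default: ~/.cache/burrow/forge-known_hosts)
#
# Exit status: 0 on success, 64 (EX_USAGE) on an unknown option, otherwise the
# status of the first failing step (set -e).
set -euo pipefail

SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
REPO_ROOT="$(cd "${SCRIPT_DIR}/.." && pwd)"

# Provides burrow_resolve_secret_file and burrow_cleanup_secret_tmpfiles.
# shellcheck source=Scripts/_burrow-secrets.sh
source "${SCRIPT_DIR}/_burrow-secrets.sh"

#######################################
# Print the help text to stdout.
#######################################
usage() {
  cat <<'EOF'
Usage: Scripts/bootstrap-forge-intake.sh [options]

Copy the minimum Burrow forge bootstrap secrets onto the target host under
/var/lib/burrow/intake with the ownership expected by the NixOS services.

Legacy path only: the current forge runtime consumes agenix secrets directly.

Options:
  --host             SSH target (default: root@git.burrow.net)
  --ssh-key          SSH private key used to reach the host
                     (default: secrets/forgejo/agent-ssh-key.age, then intake/)
  --password-file    Forgejo admin bootstrap password file
                     (default: secrets/forgejo/admin-password.age, then intake/)
  --agent-key-file   Agent SSH private key copied for runner bootstrap
                     (default: secrets/forgejo/agent-ssh-key.age, then intake/)
  --no-verify        Skip remote ls/stat verification after install
  -h, --help         Show this help text
EOF
}

#######################################
# Print a diagnostic to stderr and exit.
# Arguments: $1 - message, $2 - exit status (default 1)
#######################################
die() {
  printf '%s\n' "$1" >&2
  exit "${2:-1}"
}

#######################################
# Run a command on the forge host with the shared ssh options.
# Globals:   ssh_opts, HOST (read)
# Arguments: command string(s) passed through to ssh
# Returns:   ssh's exit status
#######################################
remote_sh() {
  ssh "${ssh_opts[@]}" "${HOST}" "$@"
}

#######################################
# Single EXIT handler for every exit path.
#
# The original script redefined cleanup() after creating the remote scratch
# directory, which silently dropped the burrow_cleanup_secret_tmpfiles call and
# left any local secret tmpfiles (presumably decrypted copies produced by
# burrow_resolve_secret_file — confirm in _burrow-secrets.sh) behind on exit.
# Order matters: the remote removal may need SSH_KEY, which can itself be one of
# those tmpfiles, so the remote side is cleared first.
# Globals:   remote_tmp, ssh_opts, HOST (read)
#######################################
cleanup() {
  local quoted_tmp
  if [[ -n "${remote_tmp}" ]]; then
    printf -v quoted_tmp '%q' "${remote_tmp}"
    # Best effort: a failure here must not mask the script's real exit status.
    remote_sh "rm -rf -- ${quoted_tmp}" >/dev/null 2>&1 || true
  fi
  burrow_cleanup_secret_tmpfiles
}

HOST="${BURROW_FORGE_HOST:-root@git.burrow.net}"
SSH_KEY="${BURROW_FORGE_SSH_KEY:-}"
PASSWORD_FILE="${BURROW_FORGE_PASSWORD_FILE:-}"
AGENT_KEY_FILE="${BURROW_FORGE_AGENT_KEY_FILE:-}"
KNOWN_HOSTS_FILE="${BURROW_FORGE_KNOWN_HOSTS_FILE:-${HOME}/.cache/burrow/forge-known_hosts}"
VERIFY=1
# Remote scratch directory; empty until the host has been reached.
remote_tmp=""

trap cleanup EXIT

while [[ $# -gt 0 ]]; do
  case "$1" in
    --host)
      HOST="${2:?missing value for --host}"
      shift 2
      ;;
    --ssh-key)
      SSH_KEY="${2:?missing value for --ssh-key}"
      shift 2
      ;;
    --password-file)
      PASSWORD_FILE="${2:?missing value for --password-file}"
      shift 2
      ;;
    --agent-key-file)
      AGENT_KEY_FILE="${2:?missing value for --agent-key-file}"
      shift 2
      ;;
    --no-verify)
      VERIFY=0
      shift
      ;;
    -h|--help)
      usage
      exit 0
      ;;
    *)
      printf 'unknown option: %s\n' "$1" >&2
      usage >&2
      exit 64
      ;;
  esac
done

mkdir -p "$(dirname "${KNOWN_HOSTS_FILE}")"

# Resolve each secret: an explicit value wins, otherwise the listed candidates.
# NOTE(review): the help text lists the .age file before intake/, while the
# candidates below pass intake/ first — confirm which order
# burrow_resolve_secret_file honours and align the two.
SSH_KEY="$(
  burrow_resolve_secret_file \
    "${REPO_ROOT}" \
    "${SSH_KEY}" \
    "${REPO_ROOT}/intake/agent_at_burrow_net_ed25519" \
    "${REPO_ROOT}/secrets/forgejo/agent-ssh-key.age" \
    "${HOME}/.ssh/agent_at_burrow_net_ed25519"
)"

PASSWORD_FILE="$(
  burrow_resolve_secret_file \
    "${REPO_ROOT}" \
    "${PASSWORD_FILE}" \
    "${REPO_ROOT}/intake/forgejo_pass_contact_at_burrow_net.txt" \
    "${REPO_ROOT}/secrets/forgejo/admin-password.age"
)"

# Same candidate list as SSH_KEY: the agent key both authenticates this run and
# is staged on the host for runner bootstrap.
AGENT_KEY_FILE="$(
  burrow_resolve_secret_file \
    "${REPO_ROOT}" \
    "${AGENT_KEY_FILE}" \
    "${REPO_ROOT}/intake/agent_at_burrow_net_ed25519" \
    "${REPO_ROOT}/secrets/forgejo/agent-ssh-key.age" \
    "${HOME}/.ssh/agent_at_burrow_net_ed25519"
)"

password_base="$(basename -- "${PASSWORD_FILE}")"
agent_base="$(basename -- "${AGENT_KEY_FILE}")"
# Both files land in one remote directory by basename; a collision would make
# scp overwrite one secret with the other before install sees it.
[[ "${password_base}" != "${agent_base}" ]] \
  || die "password file and agent key file share the basename '${password_base}'"

# IdentitiesOnly keeps ssh from offering agent keys besides SSH_KEY.
# accept-new pins the host key into KNOWN_HOSTS_FILE on first contact (trust on
# first use) and refuses later key changes; the default file lives under
# ~/.cache, so purging that directory re-enables first-use trust.
ssh_opts=(
  -i "${SSH_KEY}"
  -o IdentitiesOnly=yes
  -o UserKnownHostsFile="${KNOWN_HOSTS_FILE}"
  -o StrictHostKeyChecking=accept-new
)

# mktemp -d on the remote gives a 0700 scratch dir owned by the ssh user.
remote_tmp="$(remote_sh "mktemp -d")"
[[ -n "${remote_tmp}" ]] || die "remote mktemp returned an empty path (host=${HOST})"

scp "${ssh_opts[@]}" \
  "${PASSWORD_FILE}" \
  "${AGENT_KEY_FILE}" \
  "${HOST}:${remote_tmp}/"

# Shell-quote the remote source paths once so odd characters in a basename or
# in the mktemp output cannot break the remote command string.
printf -v remote_password_src '%q' "${remote_tmp}/${password_base}"
printf -v remote_agent_src '%q' "${remote_tmp}/${agent_base}"

# The remote command relies on bash (pipefail), as the original did.
remote_sh "
set -euo pipefail
install -d -m 0755 /var/lib/burrow/intake
install -m 0400 -o forgejo -g forgejo ${remote_password_src} /var/lib/burrow/intake/forgejo_pass_contact_at_burrow_net.txt
install -m 0400 -o root -g root ${remote_agent_src} /var/lib/burrow/intake/agent_at_burrow_net_ed25519
"

if [[ "${VERIFY}" -eq 1 ]]; then
  remote_sh "
set -euo pipefail
ls -l \
  /var/lib/burrow/intake/forgejo_pass_contact_at_burrow_net.txt \
  /var/lib/burrow/intake/agent_at_burrow_net_ed25519
"
fi

printf 'Burrow forge bootstrap intake sync complete (host=%s).\n' "${HOST}"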