#!/usr/bin/env bash
#
# sync-forgejo-nsc-config.sh
#
# Checks that the three age-encrypted forgejo-nsc runtime inputs under
# secrets/forgejo/ are present and non-empty, optionally re-runs
# provision-forgejo-nsc.sh first (--rotate-pat), and then hands off to
# forge-deploy.sh --switch unless --no-restart was given.
#
# Environment (each has a default; the flags override the first two):
#   BURROW_FORGE_HOST              SSH target
#   BURROW_FORGE_SSH_KEY           SSH private key path
#   BURROW_FORGE_KNOWN_HOSTS_FILE  known_hosts file forwarded to forge-deploy.sh
set -euo pipefail

# Print the help text to stdout. The heredoc delimiter is quoted so nothing
# inside it is expanded.
usage() {
  cat <<'EOF'
Usage: Scripts/sync-forgejo-nsc-config.sh [options]

Deploy Burrow forgejo-nsc runtime inputs from age secrets onto the forge host.

Options:
  --host        SSH target (default: root@git.burrow.net)
  --ssh-key     SSH private key (default: secrets/forgejo/agent-ssh-key.age, then intake/)
  --rotate-pat  Re-render the encrypted runtime inputs before deploying.
  --no-restart  Validate the encrypted inputs only; do not deploy.
  -h, --help    Show this help text.
EOF
}

SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
REPO_ROOT="$(cd "${SCRIPT_DIR}/.." && pwd)"

# Provides burrow_resolve_secret_file and burrow_cleanup_secret_tmpfiles
# (neither is defined in this file).
# shellcheck source=Scripts/_burrow-secrets.sh
source "${SCRIPT_DIR}/_burrow-secrets.sh"

HOST="${BURROW_FORGE_HOST:-root@git.burrow.net}"
SSH_KEY="${BURROW_FORGE_SSH_KEY:-}"
KNOWN_HOSTS_FILE="${BURROW_FORGE_KNOWN_HOSTS_FILE:-${HOME}/.cache/burrow/forge-known_hosts}"
ROTATE_PAT=0
NO_RESTART=0
# Never assigned a non-empty value in this script; the guard in cleanup keeps
# the rm a no-op unless something else sets it.
TMP_DIR=""

# EXIT handler: best-effort removal of TMP_DIR, then the helper's cleanup.
# NOTE(review): burrow_cleanup_secret_tmpfiles presumably removes decrypted
# key material written by burrow_resolve_secret_file - confirm in
# _burrow-secrets.sh, because this trap is the only cleanup path here.
cleanup() {
  if [[ -n "${TMP_DIR}" ]]; then
    # Errors are deliberately ignored so cleanup cannot mask the real exit.
    rm -rf "${TMP_DIR}" >/dev/null 2>&1 || true
  fi
  burrow_cleanup_secret_tmpfiles
}
trap cleanup EXIT

# Option parsing. ${2:?...} aborts with the given message when a flag that
# takes a value is the last argument.
while (( $# > 0 )); do
  case "$1" in
    --host)
      HOST="${2:?missing value for --host}"
      shift 2
      ;;
    --ssh-key)
      SSH_KEY="${2:?missing value for --ssh-key}"
      shift 2
      ;;
    --rotate-pat)
      ROTATE_PAT=1
      shift
      ;;
    --no-restart)
      NO_RESTART=1
      shift
      ;;
    -h|--help)
      usage
      exit 0
      ;;
    *)
      printf '%s\n' "unknown option: $1" >&2
      usage >&2
      exit 64
      ;;
  esac
done

# Only the parent directory is created here; the known_hosts file itself is
# left to whatever forge-deploy.sh does with it.
mkdir -p "$(dirname "${KNOWN_HOSTS_FILE}")"

# Exit 1 with a message on stderr when the command named by $1 is not on PATH.
burrow_require_cmd() {
  command -v "$1" >/dev/null 2>&1 && return 0
  printf '%s\n' "missing required command: $1" >&2
  exit 1
}

burrow_require_cmd ssh

# Candidates are passed as: explicit value, intake/, secrets/ (.age), ~/.ssh.
# NOTE(review): the help text lists the .age file before intake/, the reverse
# of the argument order here - confirm which one the helper actually prefers.
SSH_KEY="$(
  burrow_resolve_secret_file \
    "${REPO_ROOT}" \
    "${SSH_KEY}" \
    "${REPO_ROOT}/intake/agent_at_burrow_net_ed25519" \
    "${REPO_ROOT}/secrets/forgejo/agent-ssh-key.age" \
    "${HOME}/.ssh/agent_at_burrow_net_ed25519"
)"

# Rotation is not gated on --no-restart, so "--rotate-pat --no-restart" still
# runs the provisioning script against the host.
if (( ROTATE_PAT == 1 )); then
  "${SCRIPT_DIR}/provision-forgejo-nsc.sh" --host "${HOST}" --ssh-key "${SSH_KEY}"
fi

token_file="${REPO_ROOT}/secrets/forgejo/nsc-token.age"
dispatcher_file="${REPO_ROOT}/secrets/forgejo/nsc-dispatcher-config.age"
autoscaler_file="${REPO_ROOT}/secrets/forgejo/nsc-autoscaler-config.age"
required_inputs=("${token_file}" "${dispatcher_file}" "${autoscaler_file}")

# -s only proves each file exists with a non-zero size; nothing here decrypts
# the inputs or checks their contents.
for required_input in "${required_inputs[@]}"; do
  if [[ ! -s "${required_input}" ]]; then
    printf '%s\n' "required runtime input missing or empty: ${required_input}" >&2
    exit 1
  fi
done

# Host, key and known_hosts path reach forge-deploy.sh through its
# environment, not through its argument list.
if (( NO_RESTART == 0 )); then
  BURROW_FORGE_HOST="${HOST}" \
  BURROW_FORGE_SSH_KEY="${SSH_KEY}" \
  BURROW_FORGE_KNOWN_HOSTS_FILE="${KNOWN_HOSTS_FILE}" \
    "${SCRIPT_DIR}/forge-deploy.sh" --switch
fi

deployed=$((1 - NO_RESTART))
printf '%s\n' "forgejo-nsc runtime sync complete (host=${HOST}, deployed=${deployed})."