#!/usr/bin/env bash set -euo pipefail SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)" # shellcheck source=Scripts/_burrow-flake.sh source "${SCRIPT_DIR}/_burrow-flake.sh" # shellcheck source=Scripts/_burrow-secrets.sh source "${SCRIPT_DIR}/_burrow-secrets.sh" usage() { cat <<'EOF' Usage: Scripts/forge-deploy.sh [--test|--switch] [--flake-attr ] [--allow-dirty] Standardized remote deploy path for the Burrow forge host. Defaults: --switch --flake-attr burrow-forge Environment: BURROW_FORGE_HOST root@git.burrow.net BURROW_FORGE_SSH_KEY explicit path, otherwise secrets/forgejo/agent-ssh-key.age EOF } MODE="switch" FLAKE_ATTR="burrow-forge" ALLOW_DIRTY=0 BURROW_FLAKE_TMPDIRS=() cleanup() { burrow_cleanup_secret_tmpfiles burrow_cleanup_flake_tmpdirs } trap cleanup EXIT while [[ $# -gt 0 ]]; do case "$1" in --test) MODE="test" shift ;; --switch) MODE="switch" shift ;; --flake-attr) FLAKE_ATTR="${2:?missing value for --flake-attr}" shift 2 ;; --allow-dirty) ALLOW_DIRTY=1 shift ;; -h|--help) usage exit 0 ;; *) echo "Unknown argument: $1" >&2 usage >&2 exit 2 ;; esac done REPO_ROOT="$(git rev-parse --show-toplevel)" cd "${REPO_ROOT}" if [[ ${ALLOW_DIRTY} -ne 1 ]] && [[ -n "$(git status --short)" ]]; then echo "Refusing to deploy from a dirty checkout. Commit first, or pass --allow-dirty for incident-only work." >&2 exit 1 fi FORGE_HOST="${BURROW_FORGE_HOST:-root@git.burrow.net}" FORGE_SSH_KEY="$( burrow_resolve_secret_file \ "${REPO_ROOT}" \ "${BURROW_FORGE_SSH_KEY:-}" \ "${REPO_ROOT}/intake/agent_at_burrow_net_ed25519" \ "${REPO_ROOT}/secrets/forgejo/agent-ssh-key.age" \ "${HOME}/.ssh/agent_at_burrow_net_ed25519" )" || { echo "Unable to resolve the forge SSH key." >&2 exit 1 } FORGE_KNOWN_HOSTS_FILE="${BURROW_FORGE_KNOWN_HOSTS_FILE:-${HOME}/.cache/burrow/forge-known_hosts}" mkdir -p "$(dirname "${FORGE_KNOWN_HOSTS_FILE}")" export NIX_SSHOPTS="-i ${FORGE_SSH_KEY} -o IdentitiesOnly=yes -o UserKnownHostsFile=${FORGE_KNOWN_HOSTS_FILE} -o StrictHostKeyChecking=accept-new" flake_ref="$(burrow_prepare_flake_ref "${REPO_ROOT}")" nix --extra-experimental-features "nix-command flakes" shell nixpkgs#nixos-rebuild -c \ nixos-rebuild "${MODE}" \ --flake "${flake_ref}#${FLAKE_ATTR}" \ --build-host "${FORGE_HOST}" \ --target-host "${FORGE_HOST}"