
#!/usr/bin/env bash
# Copy the Burrow forge bootstrap secrets (Forgejo admin password and agent
# SSH key) onto a remote host under /var/lib/burrow/intake. Legacy path; see
# usage() below. The helpers burrow_resolve_secret_file and
# burrow_cleanup_secret_tmpfiles are expected to come from the sourced
# _burrow-secrets.sh (they are called here but not defined in this file).
set -euo pipefail
# Resolve script and repository roots from $0 so the relative secret
# candidates (intake/, secrets/) work regardless of the caller's cwd.
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
REPO_ROOT="$(cd "${SCRIPT_DIR}/.." && pwd)"
# shellcheck source=Scripts/_burrow-secrets.sh
source "${SCRIPT_DIR}/_burrow-secrets.sh"
# Print the help text to stdout, one line per argument (no expansion is
# performed on any of the lines).
usage() {
  printf '%s\n' \
    'Usage: Scripts/bootstrap-forge-intake.sh [options]' \
    'Copy the minimum Burrow forge bootstrap secrets onto the target host under' \
    '/var/lib/burrow/intake with the ownership expected by the NixOS services.' \
    'Legacy path only: the current forge runtime consumes agenix secrets directly.' \
    'Options:' \
    '--host <user@host> SSH target (default: root@git.burrow.net)' \
    '--ssh-key <path> SSH private key used to reach the host' \
    '(default: secrets/forgejo/agent-ssh-key.age, then intake/)' \
    '--password-file <path> Forgejo admin bootstrap password file' \
    '(default: secrets/forgejo/admin-password.age, then intake/)' \
    '--agent-key-file <path> Agent SSH private key copied for runner bootstrap' \
    '(default: secrets/forgejo/agent-ssh-key.age, then intake/)' \
    '--no-verify Skip remote ls/stat verification after install' \
    '-h, --help Show this help text'
}
# Defaults. Every setting may be pre-seeded from a BURROW_FORGE_* environment
# variable and overridden by a command-line flag; empty secret paths are
# resolved later against the candidate locations.
VERIFY=1
HOST=${BURROW_FORGE_HOST:-root@git.burrow.net}
# Dedicated known_hosts file (not ~/.ssh/known_hosts) so the forge host key
# pinned by this script does not mix with the operator's interactive hosts.
KNOWN_HOSTS_FILE=${BURROW_FORGE_KNOWN_HOSTS_FILE:-${HOME}/.cache/burrow/forge-known_hosts}
SSH_KEY=${BURROW_FORGE_SSH_KEY:-}
PASSWORD_FILE=${BURROW_FORGE_PASSWORD_FILE:-}
AGENT_KEY_FILE=${BURROW_FORGE_AGENT_KEY_FILE:-}
# Until a remote staging directory exists, the only thing to tear down on exit
# is whatever local secret tmpfiles the _burrow-secrets.sh helper created.
cleanup() { burrow_cleanup_secret_tmpfiles; }
trap cleanup EXIT
# Command-line overrides. Option values are taken via ${2:?...} so a flag
# with a missing (or empty) value fails loudly instead of silently consuming
# the next flag as its value. Unknown options exit with 64 (EX_USAGE).
while (( $# > 0 )); do
  case "$1" in
    --host) HOST=${2:?missing value for --host}; shift 2 ;;
    --ssh-key) SSH_KEY=${2:?missing value for --ssh-key}; shift 2 ;;
    --password-file) PASSWORD_FILE=${2:?missing value for --password-file}; shift 2 ;;
    --agent-key-file) AGENT_KEY_FILE=${2:?missing value for --agent-key-file}; shift 2 ;;
    --no-verify) VERIFY=0; shift ;;
    -h|--help) usage; exit 0 ;;
    *)
      printf '%s\n' "unknown option: $1" >&2
      usage >&2
      exit 64
      ;;
  esac
done
# The known_hosts file defaults to a path under ~/.cache; ensure its parent
# directory exists before ssh tries to write to it.
mkdir -p "$(dirname "${KNOWN_HOSTS_FILE}")"

# Candidate locations handed to burrow_resolve_secret_file together with the
# explicit value (presumably tried in order when the explicit value is empty).
# The agent key serves both as the SSH identity used to reach the host (-i)
# and as the file copied over for runner bootstrap, so both resolutions share
# one candidate list.
# NOTE(review): usage() lists secrets/ before intake/, while the candidate
# order here is intake/ first — confirm which order the helper honours.
agent_key_candidates=(
  "${REPO_ROOT}/intake/agent_at_burrow_net_ed25519"
  "${REPO_ROOT}/secrets/forgejo/agent-ssh-key.age"
  "${HOME}/.ssh/agent_at_burrow_net_ed25519"
)
password_candidates=(
  "${REPO_ROOT}/intake/forgejo_pass_contact_at_burrow_net.txt"
  "${REPO_ROOT}/secrets/forgejo/admin-password.age"
)
SSH_KEY=$(burrow_resolve_secret_file "${REPO_ROOT}" "${SSH_KEY}" "${agent_key_candidates[@]}")
PASSWORD_FILE=$(burrow_resolve_secret_file "${REPO_ROOT}" "${PASSWORD_FILE}" "${password_candidates[@]}")
AGENT_KEY_FILE=$(burrow_resolve_secret_file "${REPO_ROOT}" "${AGENT_KEY_FILE}" "${agent_key_candidates[@]}")
# Non-interactive SSH settings shared by every ssh/scp call that follows:
#  - IdentitiesOnly pins authentication to SSH_KEY (agent/default keys are
#    not offered);
#  - a dedicated known_hosts file with StrictHostKeyChecking=accept-new is
#    trust-on-first-use: the host key is recorded on first contact and any
#    later mismatch is rejected.
ssh_opts=(-i "${SSH_KEY}" -o IdentitiesOnly=yes)
ssh_opts+=(-o "UserKnownHostsFile=${KNOWN_HOSTS_FILE}")
ssh_opts+=(-o StrictHostKeyChecking=accept-new)
remote_tmp="$(ssh "${ssh_opts[@]}" "${HOST}" "mktemp -d")"
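# Exit handler, replacing the earlier cleanup() now that a remote staging
# directory exists. Because this definition overrides the previous trap
# handler, it must keep calling burrow_cleanup_secret_tmpfiles — otherwise
# any local decrypted secret tmpfiles would be left behind on exit.
cleanup() {
  # Best-effort removal of the remote staging directory; failures are
  # ignored so cleanup never masks the script's real exit status.
  if [[ -n "${remote_tmp:-}" ]]; then
    ssh "${ssh_opts[@]}" "${HOST}" "rm -rf -- '${remote_tmp}'" >/dev/null 2>&1 || true
  fi
  burrow_cleanup_secret_tmpfiles
}
trap cleanup EXIT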
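# Stage both secrets under fixed names inside the remote tmp dir. Fixed names
# mean the remote install command does not interpolate local basenames into
# the remote shell string (a basename containing a quote would break it) and
# two sources with the same basename cannot overwrite each other.
remote_password="${remote_tmp}/forgejo_pass_contact_at_burrow_net.txt"
remote_agent_key="${remote_tmp}/agent_at_burrow_net_ed25519"
scp "${ssh_opts[@]}" "${PASSWORD_FILE}" "${HOST}:${remote_password}"
scp "${ssh_opts[@]}" "${AGENT_KEY_FILE}" "${HOST}:${remote_agent_key}"
# Install with the ownership/mode the NixOS services expect: the password is
# readable only by the forgejo user, the agent key only by root.
ssh "${ssh_opts[@]}" "${HOST}" "
set -euo pipefail
install -d -m 0755 /var/lib/burrow/intake
install -m 0400 -o forgejo -g forgejo '${remote_password}' /var/lib/burrow/intake/forgejo_pass_contact_at_burrow_net.txt
install -m 0400 -o root -g root '${remote_agent_key}' /var/lib/burrow/intake/agent_at_burrow_net_ed25519
"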
# Optional post-install check: list the installed files (mode/owner visible
# in the ls -l output) unless --no-verify was given.
if (( VERIFY == 1 )); then
  ssh "${ssh_opts[@]}" "${HOST}" "
set -euo pipefail
ls -l /var/lib/burrow/intake/forgejo_pass_contact_at_burrow_net.txt /var/lib/burrow/intake/agent_at_burrow_net_ed25519
"
fi
echo "Burrow forge bootstrap intake sync complete (host=${HOST})."