burrow/Scripts/sync-forgejo-nsc-config.sh

#!/usr/bin/env bash
set -euo pipefail

usage() {
  cat <<'EOF'
Usage: Scripts/sync-forgejo-nsc-config.sh [options]

Deploy Burrow forgejo-nsc runtime inputs from age secrets onto the forge host.

Options:
  --host <user@host>       SSH target (default: root@git.burrow.net)
  --ssh-key <path>         SSH private key (default: secrets/forgejo/agent-ssh-key.age, then intake/)
  --rotate-pat             Re-render the encrypted runtime inputs before deploying.
  --no-restart             Validate the encrypted inputs only; do not deploy.
  -h, --help               Show this help text.
EOF
}

SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
REPO_ROOT="$(cd "${SCRIPT_DIR}/.." && pwd)"
# shellcheck source=Scripts/_burrow-secrets.sh
source "${SCRIPT_DIR}/_burrow-secrets.sh"

HOST="${BURROW_FORGE_HOST:-root@git.burrow.net}"
SSH_KEY="${BURROW_FORGE_SSH_KEY:-}"
KNOWN_HOSTS_FILE="${BURROW_FORGE_KNOWN_HOSTS_FILE:-${HOME}/.cache/burrow/forge-known_hosts}"
ROTATE_PAT=0
NO_RESTART=0
TMP_DIR=""

cleanup() {
  [[ -n "${TMP_DIR}" ]] && rm -rf "${TMP_DIR}" >/dev/null 2>&1 || true
  burrow_cleanup_secret_tmpfiles
}
trap cleanup EXIT

while [[ $# -gt 0 ]]; do
  case "$1" in
    --host)
      HOST="${2:?missing value for --host}"
      shift 2
      ;;
    --ssh-key)
      SSH_KEY="${2:?missing value for --ssh-key}"
      shift 2
      ;;
    --rotate-pat)
      ROTATE_PAT=1
      shift
      ;;
    --no-restart)
      NO_RESTART=1
      shift
      ;;
    -h|--help)
      usage
      exit 0
      ;;
    *)
      echo "unknown option: $1" >&2
      usage >&2
      exit 64
      ;;
  esac
done

mkdir -p "$(dirname "${KNOWN_HOSTS_FILE}")"

burrow_require_cmd() {
  if ! command -v "$1" >/dev/null 2>&1; then
    echo "missing required command: $1" >&2
    exit 1
  fi
}

burrow_require_cmd ssh

SSH_KEY="$(
  burrow_resolve_secret_file \
    "${REPO_ROOT}" \
    "${SSH_KEY}" \
    "${REPO_ROOT}/intake/agent_at_burrow_net_ed25519" \
    "${REPO_ROOT}/secrets/forgejo/agent-ssh-key.age" \
    "${HOME}/.ssh/agent_at_burrow_net_ed25519"
)"

if [[ "${ROTATE_PAT}" -eq 1 ]]; then
  "${SCRIPT_DIR}/provision-forgejo-nsc.sh" --host "${HOST}" --ssh-key "${SSH_KEY}"
fi

token_file="${REPO_ROOT}/secrets/forgejo/nsc-token.age"
dispatcher_file="${REPO_ROOT}/secrets/forgejo/nsc-dispatcher-config.age"
autoscaler_file="${REPO_ROOT}/secrets/forgejo/nsc-autoscaler-config.age"

for path in "${token_file}" "${dispatcher_file}" "${autoscaler_file}"; do
  if [[ ! -s "${path}" ]]; then
    echo "required runtime input missing or empty: ${path}" >&2
    exit 1
  fi
done

if [[ "${NO_RESTART}" -eq 0 ]]; then
  BURROW_FORGE_HOST="${HOST}" \
  BURROW_FORGE_SSH_KEY="${SSH_KEY}" \
  BURROW_FORGE_KNOWN_HOSTS_FILE="${KNOWN_HOSTS_FILE}" \
    "${SCRIPT_DIR}/forge-deploy.sh" --switch
fi

echo "forgejo-nsc runtime sync complete (host=${HOST}, deployed=$((1 - NO_RESTART)))."