added automation scripts for easy agent rebuilds.

.gitignore

@@ -1,5 +1,6 @@
 result*
 /secrets
+.secrets
 age.key
 **/*.tmp.sops.yaml
 **/*.sops.tmp.yaml

.taskfiles/_scripts/build_import_and_push.sh

@@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+
+# Function to check if a command was successful
+check_command() {
+    if [ $? -ne 0 ]; then
+        echo "Error: $1 failed"
+        exit 1
+    fi
+}
+
+# Build the qemu image and get the path
+qemuImageBuildPath=$(nix build .#nixosConfigurations.fj-lxc-vm-x86_64.config.system.build.qemuImage --print-out-paths)
+check_command "Building qemu image"
+
+# Build the metadata and get the path
+metadataBuildPath=$(nix build .#nixosConfigurations.fj-lxc-vm-x86_64.config.system.build.metadata --print-out-paths)
+check_command "Building metadata"
+
+# Set the paths for the metadata and qemu image
+MBP="${metadataBuildPath}/tarball/nixos-system-x86_64-linux.tar.xz"
+QBP="${qemuImageBuildPath}/nixos.qcow2"
+
+# Import the image to Incus and capture the instance name
+instance_name=$(incus image import --alias nixos-gen/custom/fj-lxc-vm-x86_64 "$MBP" "$QBP" | grep -oP '(?<=Instance ).*(?= created)')
+check_command "Importing image to Incus"
+
+echo "Instance created: $instance_name"
+
+# Call the push_token.sh script with the new instance name
+./push_token.sh "$instance_name"
+check_command "Pushing token to instance"
+
+echo "Process completed successfully"

.taskfiles/_scripts/push_token.sh

@@ -0,0 +1,60 @@
+#!/usr/bin/env bash
+# Prerequisites:
+# 1password vault created with a single item in it with the property 'runner_token'.
+# Define the vault and item used.
+# Usage: ./push_token.sh <incus vm instance name>
+
+set -euo pipefail
+
+# Check if instance name is provided
+if [ "$#" -ne 1 ]; then
+    echo "Usage: $0 <instance-name>" >&2
+    exit 1
+fi
+
+INCUS_INSTANCE="$1"  # Use the provided instance name
+
+# Set variables
+OP_ITEM_NAME="forgejo-runner"  # Name of the 1Password item containing the runner token
+OP_VAULT_NAME="forgejo-runner"  # Name of the 1Password vault
+TOKEN_FILE="tokenfile"  # Name of the temporary file to store the token
+INCUS_PATH="$INCUS_INSTANCE/var/lib/gitea-runner/default/$TOKEN_FILE"
+
+# Check if OP_SESSION environment variable exists, if not, sign in
+if [ -z "${OP_SESSION:-}" ]; then
+    echo "Not logged in to 1Password CLI. Attempting to sign in..."
+    if ! eval $(op signin); then
+        echo "Failed to sign in to 1Password CLI. Please sign in manually using 'op signin'" >&2
+        exit 1
+    fi
+fi
+
+# Ensure the target directory exists in the Incus instance
+#incus exec "$INCUS_INSTANCE" -- mkdir -p /var/lib/gitea-runner/default
+#incus exec "$INCUS_INSTANCE" -- chown gitea-runner:gitea-runner /var/lib/gitea-runner/default
+
+# Retrieve the token from 1Password
+TOKEN=$(op item get "$OP_ITEM_NAME" --vault "$OP_VAULT_NAME" --fields runner_token)
+
+if [ -z "$TOKEN" ]; then
+    echo "Failed to retrieve token from 1Password" >&2
+    exit 1
+fi
+
+# Create the token file
+echo "TOKEN=$TOKEN" > "$TOKEN_FILE"
+
+# Push the file to Incus
+echo "Running: incus file push $INCUS_PATH"
+if incus file push "$TOKEN_FILE" "$INCUS_PATH"; then
+    echo "Token file successfully pushed to Incus instance $INCUS_INSTANCE"
+else
+    echo "Failed to push token file to Incus instance $INCUS_INSTANCE" >&2
+    rm "$TOKEN_FILE"
+    exit 1
+fi
+
+# Clean up the local token file
+rm "$TOKEN_FILE"
+
+echo "Operation completed successfully"