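#!/usr/bin/env bash
#
# Fetch the Forgejo runner registration token from 1Password and push it,
# as a "TOKEN=<value>" file, into an Incus instance.
#
# Prerequisites:
#   A 1Password vault containing a single item with the property
#   'runner_token'. The vault and item names are defined below.
#
# Usage: ./push_token.sh <incus-instance>

set -euo pipefail

# Exactly one non-empty argument is required: an empty instance name would
# turn the push target into a bare path.
if [ "$#" -ne 1 ] || [ -z "$1" ]; then
  echo "Usage: $0 <incus-instance>" >&2
  exit 1
fi

INCUS_INSTANCE="$1"           # Use the provided instance name

OP_ITEM_NAME="forgejo-runner"   # Name of the 1Password item containing the runner token
OP_VAULT_NAME="forgejo-runner"  # Name of the 1Password vault
TOKEN_FILE="tokenfile"          # File name the token is stored under
INCUS_PATH="$INCUS_INSTANCE/var/lib/gitea-runner/default/$TOKEN_FILE"

# Check if OP_SESSION environment variable exists, if not, sign in.
# NOTE(review): `op signin` usually exports OP_SESSION_<account>, not a bare
# OP_SESSION, so this check may trigger a sign-in on every run; confirm.
if [ -z "${OP_SESSION:-}" ]; then
  echo "Not logged in to 1Password CLI. Attempting to sign in..."
  # Capture the output first: `eval $(op signin)` evaluates an empty string
  # when op fails and reports success, hiding the failure.
  if ! signin_env=$(op signin); then
    echo "Failed to sign in to 1Password CLI. Please sign in manually using 'op signin'" >&2
    exit 1
  fi
  # eval runs whatever `op` printed in this shell. That is only acceptable
  # because `op` is a trusted local binary; make sure PATH resolves to the
  # genuine 1Password CLI.
  if ! eval "$signin_env"; then
    echo "Failed to sign in to 1Password CLI. Please sign in manually using 'op signin'" >&2
    exit 1
  fi
fi

# Ensure the target directory exists in the Incus instance
#incus exec "$INCUS_INSTANCE" -- mkdir -p /var/lib/gitea-runner/default
#incus exec "$INCUS_INSTANCE" -- chown gitea-runner:gitea-runner /var/lib/gitea-runner/default

# Retrieve the token from 1Password. The command is tested directly so that
# a failing `op` reaches the error message instead of aborting under `set -e`.
if ! TOKEN=$(op item get "$OP_ITEM_NAME" --vault "$OP_VAULT_NAME" --fields runner_token) ||
  [ -z "$TOKEN" ]; then
  echo "Failed to retrieve token from 1Password" >&2
  exit 1
fi

# Stage the token in a private temporary directory rather than a fixed
# "tokenfile" in the current directory: no existing file is overwritten and
# other local users cannot read the secret while it is on disk.
TMP_DIR=$(mktemp -d) || {
  echo "Failed to create temporary directory" >&2
  exit 1
}
# Remove the staged secret on every exit path, including errors and Ctrl-C.
trap 'rm -rf -- "${TMP_DIR:?}"' EXIT
LOCAL_TOKEN_FILE="$TMP_DIR/$TOKEN_FILE"

# printf is a builtin, so the token never appears in a process argument list.
printf 'TOKEN=%s\n' "$TOKEN" > "$LOCAL_TOKEN_FILE"

# Push the file to Incus.
# NOTE(review): owner and permissions of the file inside the instance are not
# set here; consider passing --uid/--gid/--mode to `incus file push` so only
# the runner account can read the token.
echo "Running: incus file push $INCUS_PATH"
if incus file push "$LOCAL_TOKEN_FILE" "$INCUS_PATH"; then
  echo "Token file successfully pushed to Incus instance $INCUS_INSTANCE"
else
  echo "Failed to push token file to Incus instance $INCUS_INSTANCE" >&2
  exit 1
fi

# The local token file is cleaned up by the EXIT trap.
echo "Operation completed successfully"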