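#!/usr/bin/env bash
#
# Log the local Docker daemon into the Forgejo container registry using a token stored in
# the Ansible vault — so registry pushes (make caddy-image-push / molecule-image-push) are
# agent-completable non-interactively, like every other vault-backed action.
# (2026-06-17 kaizen, docs/FRICTION.md: the push half silently needed an interactive
# `docker login`; the creds weren't in the vault, so an agent couldn't complete a push.)
#
# Reads vault.forgejo.registry_token from the vault (rbw must be unlocked) and pipes it to
# `docker login --password-stdin`. Within this script the token never lands on argv, in a
# file or in a log line (no `set -x`, diagnostics never print it). Note that `docker login`
# itself persists the credential in the Docker client config (or the configured credential
# helper) — that is the intended outcome; what the script avoids is the process-list and
# shell-history exposure of passing the token on a command line.
#
# Environment overrides (all optional; a bare command name on PATH or a path both work for
# the binaries):
#   ANSIBLE_VAULT   ansible-vault binary          (default: .venv/bin/ansible-vault)
#   PYTHON          python with PyYAML available  (default: .venv/bin/python)
#   VAULT           vault file to read             (default: inventories/production/group_vars/all/vault.yml)
#   REGISTRY_HOST   registry to log into           (default: forgejo.nyumbani.baobab.band)
#   REGISTRY_USER   user the token belongs to      (default: sjat)
#
# Exit status: 1 for a configuration problem this script detects itself; otherwise the
# status of the failing command (ansible-vault / python / docker login), propagated by -e.
#
set -euo pipefail

ANSIBLE_VAULT="${ANSIBLE_VAULT:-.venv/bin/ansible-vault}"
PYTHON="${PYTHON:-.venv/bin/python}"
VAULT="${VAULT:-inventories/production/group_vars/all/vault.yml}"
REGISTRY_HOST="${REGISTRY_HOST:-forgejo.nyumbani.baobab.band}"
REGISTRY_USER="${REGISTRY_USER:-sjat}"

#######################################
# Print each argument as one line on stderr and exit 1.
# Never pass the token (or anything derived from it) to this helper.
# Arguments: message lines
#######################################
die() {
  printf '%s\n' "$@" >&2
  exit 1
}

# Fail fast on missing prerequisites *before* the vault is decrypted, so the secret is only
# pulled into memory when everything needed to consume it is actually in place. Without
# these checks a missing docker binary surfaced as a bare "command not found" only after
# the token had already been extracted, and a wrong cwd surfaced as an ansible-vault error.
[[ -r "$VAULT" ]] || die \
  "registry-login: vault file not found or unreadable: $VAULT" \
  "  (run from the repo root, or set VAULT=<path>)"
command -v "$ANSIBLE_VAULT" >/dev/null 2>&1 || die \
  "registry-login: ansible-vault not found at $ANSIBLE_VAULT (set ANSIBLE_VAULT=<path>)"
command -v "$PYTHON" >/dev/null 2>&1 || die \
  "registry-login: python not found at $PYTHON (set PYTHON=<path>)"
command -v docker >/dev/null 2>&1 || die \
  "registry-login: docker is not on PATH"

# Decrypt and pull out just vault.forgejo.registry_token. The Python side needs PyYAML,
# which is why the venv interpreter is the default; missing intermediate keys yield "".
# pipefail + -e mean a failing ansible-vault (e.g. rbw locked) aborts here with its own
# message rather than silently producing an empty token.
token="$("$ANSIBLE_VAULT" view "$VAULT" \
  | "$PYTHON" -c 'import sys, yaml; d = yaml.safe_load(sys.stdin) or {}; print((((d.get("vault") or {}).get("forgejo") or {}).get("registry_token")) or "", end="")')"

# An absent key and the vault template's CHANGEME placeholder are both "not configured".
if [[ -z "$token" || "$token" == "CHANGEME" ]]; then
  die \
    "registry-login: vault.forgejo.registry_token is unset or still CHANGEME." \
    "  Mint a Forgejo token (Settings -> Applications -> Generate Token, with package" \
    "  read+write scope, user $REGISTRY_USER) and set it via: make edit-vault"
fi

# Hand the token over on stdin only (never -p / argv). printf's format is a literal, so a
# token beginning with '-' or containing '%' is passed through unchanged. docker login's
# exit status becomes the script's exit status.
printf '%s' "$token" | docker login "$REGISTRY_HOST" -u "$REGISTRY_USER" --password-stdin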