scripts: forge-login.sh + forge-create-token.sh

forge-create-token.sh mints an access token for an existing user
(prints to stdout — forgejo only shows it once). forge-login.sh
configures the operator's shell: git config --global user.name /
user.email, ~/.netrc entry for HTTP clones, and `tea login add`
when tea is on PATH. takes the token interactively (hidden input)
so it doesn't land in shell history.

scripts/forge-create-token.sh

@@ -0,0 +1,35 @@
+#!/usr/bin/env bash
+# Mint a Forgejo access token for an existing user.
+#
+# Usage: forge-create-token.sh <username> [--name <label>] [--scopes <csv>]
+#
+# Defaults:
+#   --name   = local-<timestamp>
+#   --scopes = all
+#
+# Prints the token to stdout — feed it to `forge-login.sh` or paste
+# into tea / .netrc. Forgejo only shows the token once, so capture it.
+set -euo pipefail
+
+if [ $# -lt 1 ]; then
+  echo "usage: $0 <username> [--name <label>] [--scopes <csv>]" >&2
+  exit 2
+fi
+
+username="$1"; shift
+name="local-$(date +%s)"
+scopes="all"
+
+while [ $# -gt 0 ]; do
+  case "$1" in
+    --name)   name="$2"; shift 2 ;;
+    --scopes) scopes="$2"; shift 2 ;;
+    *) echo "unknown arg: $1" >&2; exit 2 ;;
+  esac
+done
+
+sudo nixos-container run hive-forge -- runuser -u forgejo -- \
+  forgejo --work-path /var/lib/forgejo admin user generate-access-token \
+    --username "$username" \
+    --token-name "$name" \
+    --scopes "$scopes"

scripts/forge-login.sh

@@ -0,0 +1,72 @@
+#!/usr/bin/env bash
+# Configure the current shell user's git + tea for the hive-forge.
+#
+# Sets:
+#   - git config --global user.name / user.email
+#   - tea login (if `tea` is on PATH)
+#   - ~/.netrc entry so `git clone http://...` works without prompting
+#
+# Usage: forge-login.sh <username> [--email <addr>] [--url <forge-url>]
+#
+# Prompts for an access token on stdin (paste-and-enter). Generate
+# one first with `forge-create-token.sh <username>` or in the web UI
+# under Settings → Applications → Generate New Token.
+set -euo pipefail
+
+if [ $# -lt 1 ]; then
+  echo "usage: $0 <username> [--email <addr>] [--url <forge-url>]" >&2
+  exit 2
+fi
+
+username="$1"; shift
+email="${username}@hive.local"
+forge_url="http://localhost:3000"
+
+while [ $# -gt 0 ]; do
+  case "$1" in
+    --email) email="$2"; shift 2 ;;
+    --url)   forge_url="$2"; shift 2 ;;
+    *) echo "unknown arg: $1" >&2; exit 2 ;;
+  esac
+done
+
+# Extract host:port for netrc.
+host=$(printf '%s' "$forge_url" | sed -E 's|^https?://||; s|/.*$||; s|:.*$||')
+
+read -r -s -p "forgejo access token for $username (input hidden): " token
+echo
+if [ -z "$token" ]; then
+  echo "no token entered; aborting" >&2
+  exit 1
+fi
+
+git config --global user.name "$username"
+git config --global user.email "$email"
+echo "git config: $username <$email>"
+
+# netrc entry — git uses this for HTTP basic auth. 0600 because it
+# contains the plaintext token.
+netrc="$HOME/.netrc"
+touch "$netrc"
+chmod 600 "$netrc"
+if grep -q "^machine $host" "$netrc" 2>/dev/null; then
+  # Remove the old block (machine line + the two following lines).
+  sed -i.bak "/^machine $host\$/,+2d" "$netrc"
+fi
+cat >>"$netrc" <<EOF
+machine $host
+login $username
+password $token
+EOF
+echo "netrc: wrote $host entry"
+
+if command -v tea >/dev/null 2>&1; then
+  mkdir -p "$HOME/.config/tea"
+  # tea refuses to add a login with a name that already exists; drop
+  # it first so re-running this script is idempotent.
+  tea login delete forge 2>/dev/null || true
+  tea login add --name forge --url "$forge_url" --token "$token"
+  echo "tea: configured 'forge' login"
+else
+  echo "tea: not on PATH — install pkgs.tea if you want the CLI"
+fi