scripts/setup_dagger_remote.sh

#!/usr/bin/env bash
set -euo pipefail

if [ -z "${SOPS_AGE_KEY:-}" ]; then
    echo "Error: SOPS_AGE_KEY must be set."
    exit 1
fi

echo "Decrypting secrets with SOPS..."
export SOPS_AGE_KEY="$SOPS_AGE_KEY"
SECRETS_JSON=$(mktemp)
trap "rm -f $SECRETS_JSON" EXIT

sops --decrypt --output-type json secrets.enc.yaml > "$SECRETS_JSON"

DAGGER_SSH_KEY=$(jq -r '.DAGGER_SSH_KEY' "$SECRETS_JSON")
DAGGER_ENGINE_HOST=$(jq -r '.DAGGER_ENGINE_HOST' "$SECRETS_JSON")

# Setup SSH
mkdir -p ~/.ssh
chmod 700 ~/.ssh
echo "$DAGGER_SSH_KEY" > ~/.ssh/dagger_key
chmod 600 ~/.ssh/dagger_key

# Use ssh-agent to manage the key for Dagger's internal SSH client
eval "$(ssh-agent -s)"
ssh-add ~/.ssh/dagger_key

# Export _EXPERIMENTAL_DAGGER_RUNNER_HOST for redirection
# Dagger's Go SSH client will now use the agent to find the key
export _EXPERIMENTAL_DAGGER_RUNNER_HOST="ssh://dagger@$DAGGER_ENGINE_HOST"
if [ -n "${GITHUB_ENV:-}" ]; then
    echo "_EXPERIMENTAL_DAGGER_RUNNER_HOST=ssh://dagger@$DAGGER_ENGINE_HOST" >> "$GITHUB_ENV"
    # Also pass the agent socket if needed, though Dagger usually handles this if exported
    echo "SSH_AUTH_SOCK=$SSH_AUTH_SOCK" >> "$GITHUB_ENV"
    echo "SSH_AGENT_PID=$SSH_AGENT_PID" >> "$GITHUB_ENV"
fi

# Verify
echo "Verifying connection to remote Dagger engine..."
# Ensure remote dagger knows which socket to use
if ! timeout 45 dagger query --progress=plain '{ version }' ; then
    echo "Error: Dagger engine unreachable via SSH at $DAGGER_ENGINE_HOST"
    # Debug: try to just run id over ssh
    ssh -i ~/.ssh/dagger_key -o StrictHostKeyChecking=no "dagger@$DAGGER_ENGINE_HOST" "id"
    exit 1
fi
echo "Dagger connection verified."
ci: add remote Dagger server setup with port probing 2026-05-17 11:50:39 +02:00			`#!/usr/bin/env bash`
			`set -euo pipefail`

chore: migrate to SOPS and SSH for Dagger engine access 2026-06-02 11:10:29 +02:00			`if [ -z "${SOPS_AGE_KEY:-}" ]; then`
			`echo "Error: SOPS_AGE_KEY must be set."`
			`exit 1`
refactor(ci): replace dual DAGGER_STUNNEL_URL1/2 with single DAGGER_STUNNEL_URL 2026-05-20 15:48:38 +02:00			`fi`
ci: add remote Dagger server setup with port probing 2026-05-17 11:50:39 +02:00
chore: migrate to SOPS and SSH for Dagger engine access 2026-06-02 11:10:29 +02:00			`echo "Decrypting secrets with SOPS..."`
			`export SOPS_AGE_KEY="$SOPS_AGE_KEY"`
			`SECRETS_JSON=$(mktemp)`
			`trap "rm -f $SECRETS_JSON" EXIT`

fix: use --output-type json for SOPS decryption 2026-06-02 12:45:34 +02:00			`sops --decrypt --output-type json secrets.enc.yaml > "$SECRETS_JSON"`
ci: add remote Dagger server setup with port probing 2026-05-17 11:50:39 +02:00
chore: migrate to SOPS and SSH for Dagger engine access 2026-06-02 11:10:29 +02:00			`DAGGER_SSH_KEY=$(jq -r '.DAGGER_SSH_KEY' "$SECRETS_JSON")`
			`DAGGER_ENGINE_HOST=$(jq -r '.DAGGER_ENGINE_HOST' "$SECRETS_JSON")`
ci: add remote Dagger server setup with port probing 2026-05-17 11:50:39 +02:00
fix: use explicit ssh wrapper for dagger commands 2026-06-02 13:19:16 +02:00			`# Setup SSH`
chore: migrate to SOPS and SSH for Dagger engine access 2026-06-02 11:10:29 +02:00			`mkdir -p ~/.ssh`
			`chmod 700 ~/.ssh`
			`echo "$DAGGER_SSH_KEY" > ~/.ssh/dagger_key`
			`chmod 600 ~/.ssh/dagger_key`
ci: add remote Dagger server setup with port probing 2026-05-17 11:50:39 +02:00
fix: use ssh-agent for Dagger remote connection 2026-06-02 16:18:06 +02:00			`# Use ssh-agent to manage the key for Dagger's internal SSH client`
			`eval "$(ssh-agent -s)"`
			`ssh-add ~/.ssh/dagger_key`
ci: add remote Dagger server setup with port probing 2026-05-17 11:50:39 +02:00
fix: use _EXPERIMENTAL_DAGGER_RUNNER_HOST for Dagger SSH redirection 2026-06-02 13:31:11 +02:00			`# Export _EXPERIMENTAL_DAGGER_RUNNER_HOST for redirection`
fix: use ssh-agent for Dagger remote connection 2026-06-02 16:18:06 +02:00			`# Dagger's Go SSH client will now use the agent to find the key`
			`export _EXPERIMENTAL_DAGGER_RUNNER_HOST="ssh://dagger@$DAGGER_ENGINE_HOST"`
fix: use _EXPERIMENTAL_DAGGER_RUNNER_HOST for Dagger SSH redirection 2026-06-02 13:31:11 +02:00			`if [ -n "${GITHUB_ENV:-}" ]; then`
fix: use ssh-agent for Dagger remote connection 2026-06-02 16:18:06 +02:00			`echo "_EXPERIMENTAL_DAGGER_RUNNER_HOST=ssh://dagger@$DAGGER_ENGINE_HOST" >> "$GITHUB_ENV"`
			`# Also pass the agent socket if needed, though Dagger usually handles this if exported`
			`echo "SSH_AUTH_SOCK=$SSH_AUTH_SOCK" >> "$GITHUB_ENV"`
			`echo "SSH_AGENT_PID=$SSH_AGENT_PID" >> "$GITHUB_ENV"`
fix: use _EXPERIMENTAL_DAGGER_RUNNER_HOST for Dagger SSH redirection 2026-06-02 13:31:11 +02:00			`fi`
chore: migrate to SOPS and SSH for Dagger engine access 2026-06-02 11:10:29 +02:00
fix: use explicit ssh wrapper for dagger commands 2026-06-02 13:19:16 +02:00			`# Verify`
fix: use _EXPERIMENTAL_DAGGER_RUNNER_HOST for Dagger SSH redirection 2026-06-02 13:31:11 +02:00			`echo "Verifying connection to remote Dagger engine..."`
fix: use ssh-agent for Dagger remote connection 2026-06-02 16:18:06 +02:00			`# Ensure remote dagger knows which socket to use`
fix: use full SSH URL for Dagger remote to avoid config include issues 2026-06-02 16:14:51 +02:00			`if ! timeout 45 dagger query --progress=plain '{ version }' ; then`
fix: use _EXPERIMENTAL_DAGGER_RUNNER_HOST for Dagger SSH redirection 2026-06-02 13:31:11 +02:00			`echo "Error: Dagger engine unreachable via SSH at $DAGGER_ENGINE_HOST"`
			`# Debug: try to just run id over ssh`
fix: use full SSH URL for Dagger remote to avoid config include issues 2026-06-02 16:14:51 +02:00			`ssh -i ~/.ssh/dagger_key -o StrictHostKeyChecking=no "dagger@$DAGGER_ENGINE_HOST" "id"`
chore: migrate to SOPS and SSH for Dagger engine access 2026-06-02 11:10:29 +02:00			`exit 1`
ci: add remote Dagger server setup with port probing 2026-05-17 11:50:39 +02:00			`fi`
fix: use _EXPERIMENTAL_DAGGER_RUNNER_HOST for Dagger SSH redirection 2026-06-02 13:31:11 +02:00			`echo "Dagger connection verified."`