Add OpenBAO-backed git credential helper for gitea pushes

Store the gitea PAT in OpenBAO KV (secret/gitea/push) and fetch it via a
git credential helper instead of keeping it in ~/.git-credentials:

- scripts/git-credential-openbao.sh: helper that reads the cred from the
  OpenBAO API using a scoped, read-only periodic token
- scripts/store-gitea-cred.sh: one-time hidden-input store of the PAT
- README: usage + rotation notes

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

README.md

@@ -167,6 +167,23 @@ sudo systemctl list-timers openbao-cert-renew.timer   # next run
 sudo /home/lutz/Projects/OpenBAO/scripts/renew-openbao-cert.sh --force  # renew now
 ```
 
+## Git credential via OpenBAO
+
+The push credential for the gitea remote is stored in OpenBAO KV
+(`secret/gitea/push`) and served to git by a credential helper — no token in
+`~/.git-credentials`.
+
+- `scripts/git-credential-openbao.sh` — git credential helper; on `get` it
+  reads `secret/gitea/push` from OpenBAO (API + scoped read-only token at
+  `~/.config/openbao/git-cred.token`) and returns username/password.
+- `scripts/store-gitea-cred.sh` — one-time: prompt (hidden) for the gitea PAT
+  and write it to `secret/gitea/push`.
+- Wired per-host so it only answers for gitea:
+  `git config credential.http://192.168.0.234:8765.helper <path>`
+
+Rotate the PAT by re-running `store-gitea-cred.sh`. The helper token is a
+periodic, read-only token scoped to just that one KV path.
+
 ## Backups (Raft snapshots) — automated
 
 `scripts/backup-raft-snapshots.sh` snapshots **both** instances and prunes to

scripts/git-credential-openbao.sh

@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+# git credential helper backed by OpenBAO KV (secret/gitea/push).
+# Configured per-host (see README), so it only answers for the gitea remote.
+# git invokes it as:  git-credential-openbao.sh get   (request on stdin)
+set -euo pipefail
+
+[ "${1:-}" = "get" ] || exit 0   # we only serve credentials; ignore store/erase
+
+ADDR="${BAO_ADDR:-http://127.0.0.1:8200}"
+TOKF="${OPENBAO_GIT_TOKEN_FILE:-$HOME/.config/openbao/git-cred.token}"
+[ -r "$TOKF" ] || exit 0
+TOK="$(cat "$TOKF")"
+
+resp="$(curl -sS --max-time 5 -H "X-Vault-Token: ${TOK}" \
+  "${ADDR}/v1/secret/data/gitea/push" 2>/dev/null)" || exit 0
+user="$(printf '%s' "$resp" | jq -r '.data.data.username // empty')"
+pass="$(printf '%s' "$resp" | jq -r '.data.data.token // empty')"
+[ -n "$user" ] && [ -n "$pass" ] || exit 0
+
+printf 'username=%s\npassword=%s\n' "$user" "$pass"

scripts/store-gitea-cred.sh

@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+# Store a gitea username + PAT into OpenBAO KV at secret/gitea/push.
+# Prompts for the PAT silently so it never appears in shell history or logs.
+# Run from the project dir:  ./scripts/store-gitea-cred.sh
+set -euo pipefail
+
+ADDR="${BAO_ADDR:-http://127.0.0.1:8200}"
+INIT="/home/lutz/Projects/OpenBAO/init-output.json"
+
+read -rp "gitea username [lutz]: " U; U="${U:-lutz}"
+read -rsp "gitea personal access token (input hidden): " P; echo
+[ -n "$P" ] || { echo "no token entered, aborting"; exit 1; }
+
+# Use the root token locally to write the secret (admin would also work).
+TOKEN="$(python3 -c "import json;print(json.load(open('$INIT'))['root_token'])")"
+
+# Build JSON safely with python (handles any special chars in the token).
+payload="$(U="$U" P="$P" python3 -c 'import json,os;print(json.dumps({"data":{"username":os.environ["U"],"token":os.environ["P"]}}))')"
+
+code="$(curl -sS -o /dev/null -w '%{http_code}' \
+  -H "X-Vault-Token: ${TOKEN}" --data "$payload" \
+  "${ADDR}/v1/secret/data/gitea/push")"
+case "$code" in
+  200|204) echo "stored secret/gitea/push (HTTP $code)";;
+  *) echo "FAILED storing secret (HTTP $code)"; exit 1;;
+esac