Wire Forge-native release infrastructure
Some checks failed
Cache: Publish Nix / Publish Nix Cache (push) Waiting to run
Build Rust / Cargo Test (push) Successful in 4m14s
Build Site / Next.js Build (push) Failing after 6s
Infra: OpenTofu / OpenTofu (grafana) (push) Successful in 5s
Lint Governance / BEP Metadata (push) Successful in 0s
Build: Android / Android Rust Core Stub (push) Failing after 23s

This commit is contained in:
Conrad Kramer 2026-06-07 05:51:12 -07:00
parent 97c569fb35
commit 002bd382e9
199 changed files with 14268 additions and 185 deletions

View file

@ -10,6 +10,8 @@ let
dataVolume = "burrow-authentik-data:/data";
directorySyncScript = ../../Scripts/authentik-sync-burrow-directory.sh;
forgejoOidcSyncScript = ../../Scripts/authentik-sync-forgejo-oidc.sh;
grafanaOidcSyncScript = ../../Scripts/authentik-sync-grafana-oidc.sh;
googleWifOidcSyncScript = ../../Scripts/authentik-sync-google-wif-oidc.sh;
tailscaleOidcSyncScript = ../../Scripts/authentik-sync-tailscale-oidc.sh;
onePasswordOidcSyncScript = ../../Scripts/authentik-sync-1password-oidc.sh;
zulipSamlSyncScript = ../../Scripts/authentik-sync-zulip-saml.sh;
@ -136,6 +138,60 @@ in
description = "Authentik application slug for Forgejo.";
};
grafanaDomain = lib.mkOption {
type = lib.types.str;
default = "graphs.burrow.net";
description = "Grafana public domain used for the bundled OIDC client.";
};
grafanaProviderSlug = lib.mkOption {
type = lib.types.str;
default = "grafana";
description = "Authentik application slug for Grafana.";
};
grafanaClientId = lib.mkOption {
type = lib.types.str;
default = "graphs.burrow.net";
description = "Client ID Authentik should present to Grafana.";
};
grafanaClientSecretFile = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default = null;
description = "Host-local file containing the Authentik Grafana OIDC client secret.";
};
grafanaAccessGroupName = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default = null;
description = "Authentik group allowed to launch Grafana.";
};
googleWifProviderSlug = lib.mkOption {
type = lib.types.str;
default = "google-cloud";
description = "Authentik application slug for Google Cloud Workload Identity Federation.";
};
googleWifClientId = lib.mkOption {
type = lib.types.str;
default = "google-wif.burrow.net";
description = "Client ID Authentik should present to Google Cloud WIF consumers.";
};
googleWifClientSecretFile = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default = null;
description = "Host-local file containing the Authentik Google WIF OIDC client secret.";
};
googleWifAccessGroupName = lib.mkOption {
type = lib.types.str;
default = "burrow-automation";
description = "Authentik group allowed to mint Google WIF tokens.";
};
tailscaleProviderSlug = lib.mkOption {
type = lib.types.str;
default = "tailscale";
@ -388,6 +444,12 @@ in
description = "Authentik group granted Burrow administrator access.";
};
extraGroupNames = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ ];
description = "Additional Authentik groups that should exist even if no bootstrap user currently belongs to them.";
};
bootstrapUsers = lib.mkOption {
type = with lib.types; listOf (submodule {
options = {
@ -490,6 +552,13 @@ in
fi
''}
${lib.optionalString (cfg.googleWifClientSecretFile != null) ''
if [ ! -s ${lib.escapeShellArg cfg.googleWifClientSecretFile} ]; then
echo "Google WIF client secret missing: ${cfg.googleWifClientSecretFile}" >&2
exit 1
fi
''}
install -d -m 0750 -o root -g root ${runtimeDir} ${blueprintDir}
install -m 0644 -o root -g root ${authentikBlueprint} ${blueprintFile}
@ -517,6 +586,7 @@ AUTHENTIK_BOOTSTRAP_PASSWORD=$AUTHENTIK_BOOTSTRAP_PASSWORD
AUTHENTIK_BOOTSTRAP_TOKEN=$AUTHENTIK_BOOTSTRAP_TOKEN
AUTHENTIK_BURROW_TS_CLIENT_SECRET=$(read_secret ${lib.escapeShellArg cfg.headscaleClientSecretFile})
${lib.optionalString (cfg.forgejoClientSecretFile != null) "AUTHENTIK_BURROW_FORGEJO_CLIENT_SECRET=$(read_secret ${lib.escapeShellArg cfg.forgejoClientSecretFile})"}
${lib.optionalString (cfg.googleWifClientSecretFile != null) "AUTHENTIK_BURROW_GOOGLE_WIF_CLIENT_SECRET=$(read_secret ${lib.escapeShellArg cfg.googleWifClientSecretFile})"}
EOF
chown root:root ${envFile}
chmod 0600 ${envFile}
@ -667,7 +737,7 @@ EOF
'';
};
systemd.services.burrow-authentik-directory = lib.mkIf (cfg.bootstrapUsers != [ ]) {
systemd.services.burrow-authentik-directory = lib.mkIf (cfg.bootstrapUsers != [ ] || cfg.extraGroupNames != [ ]) {
description = "Reconcile Burrow Authentik users and groups";
after =
[
@ -706,6 +776,7 @@ EOF
export AUTHENTIK_URL=https://${cfg.domain}
export AUTHENTIK_BURROW_USERS_GROUP=${lib.escapeShellArg cfg.userGroupName}
export AUTHENTIK_BURROW_ADMINS_GROUP=${lib.escapeShellArg cfg.adminGroupName}
export AUTHENTIK_BURROW_EXTRA_GROUPS_JSON='${builtins.toJSON cfg.extraGroupNames}'
export AUTHENTIK_FORGEJO_APPLICATION_SLUG=${lib.escapeShellArg cfg.forgejoProviderSlug}
export AUTHENTIK_BURROW_DIRECTORY_JSON='${builtins.toJSON (map (user: {
inherit (user) username name email isAdmin passwordFile;
@ -810,12 +881,110 @@ EOF
export AUTHENTIK_FORGEJO_CLIENT_ID=${lib.escapeShellArg cfg.forgejoClientId}
export AUTHENTIK_FORGEJO_CLIENT_SECRET="$(tr -d '\r\n' < ${lib.escapeShellArg cfg.forgejoClientSecretFile})"
export AUTHENTIK_FORGEJO_LAUNCH_URL=https://${cfg.forgejoDomain}/
export AUTHENTIK_FORGEJO_REDIRECT_URIS_JSON='["https://${cfg.forgejoDomain}/user/oauth2/burrow.net/callback","https://${cfg.forgejoDomain}/user/oauth2/authentik/callback","https://${cfg.forgejoDomain}/user/oauth2/GitHub/callback"]'
export AUTHENTIK_FORGEJO_REDIRECT_URIS_JSON='["https://${cfg.forgejoDomain}/user/oauth2/burrow.net/callback","https://${cfg.forgejoDomain}/user/oauth2/authentik/callback"]'
${pkgs.bash}/bin/bash ${forgejoOidcSyncScript}
'';
};
systemd.services.burrow-authentik-grafana-oidc = lib.mkIf (cfg.grafanaClientSecretFile != null) {
description = "Reconcile the Burrow Authentik Grafana OIDC application";
after = [
"burrow-authentik-ready.service"
"network-online.target"
];
wants = [
"burrow-authentik-ready.service"
"network-online.target"
];
wantedBy = [ "multi-user.target" ];
restartTriggers = [
grafanaOidcSyncScript
cfg.envFile
cfg.grafanaClientSecretFile
];
path = [
pkgs.bash
pkgs.coreutils
pkgs.curl
pkgs.jq
];
serviceConfig = {
Type = "oneshot";
User = "root";
Group = "root";
};
script = ''
set -euo pipefail
set -a
source ${lib.escapeShellArg cfg.envFile}
set +a
export AUTHENTIK_URL=https://${cfg.domain}
export AUTHENTIK_GRAFANA_APPLICATION_SLUG=${lib.escapeShellArg cfg.grafanaProviderSlug}
export AUTHENTIK_GRAFANA_APPLICATION_NAME="Burrow Grafana"
export AUTHENTIK_GRAFANA_PROVIDER_NAME="Burrow Grafana"
export AUTHENTIK_GRAFANA_TEMPLATE_SLUG=${lib.escapeShellArg cfg.headscaleProviderSlug}
export AUTHENTIK_GRAFANA_CLIENT_ID=${lib.escapeShellArg cfg.grafanaClientId}
export AUTHENTIK_GRAFANA_CLIENT_SECRET="$(tr -d '\r\n' < ${lib.escapeShellArg cfg.grafanaClientSecretFile})"
export AUTHENTIK_GRAFANA_LAUNCH_URL=https://${cfg.grafanaDomain}/
export AUTHENTIK_GRAFANA_REDIRECT_URIS_JSON='["https://${cfg.grafanaDomain}/login/generic_oauth"]'
${lib.optionalString (cfg.grafanaAccessGroupName != null) ''
export AUTHENTIK_GRAFANA_ACCESS_GROUP=${lib.escapeShellArg cfg.grafanaAccessGroupName}
''}
${pkgs.bash}/bin/bash ${grafanaOidcSyncScript}
'';
};
systemd.services.burrow-authentik-google-wif-oidc = lib.mkIf (cfg.googleWifClientSecretFile != null) {
description = "Reconcile the Burrow Authentik Google WIF OIDC application";
after = [
"burrow-authentik-ready.service"
"network-online.target"
];
wants = [
"burrow-authentik-ready.service"
"network-online.target"
];
wantedBy = [ "multi-user.target" ];
restartTriggers = [
googleWifOidcSyncScript
cfg.envFile
cfg.googleWifClientSecretFile
];
path = [
pkgs.bash
pkgs.coreutils
pkgs.curl
pkgs.jq
];
serviceConfig = {
Type = "oneshot";
User = "root";
Group = "root";
};
script = ''
set -euo pipefail
set -a
source ${lib.escapeShellArg cfg.envFile}
set +a
export AUTHENTIK_URL=https://${cfg.domain}
export AUTHENTIK_GOOGLE_WIF_APPLICATION_SLUG=${lib.escapeShellArg cfg.googleWifProviderSlug}
export AUTHENTIK_GOOGLE_WIF_APPLICATION_NAME="Google Cloud WIF"
export AUTHENTIK_GOOGLE_WIF_PROVIDER_NAME="Google Cloud WIF"
export AUTHENTIK_GOOGLE_WIF_TEMPLATE_SLUG=${lib.escapeShellArg cfg.headscaleProviderSlug}
export AUTHENTIK_GOOGLE_WIF_CLIENT_ID=${lib.escapeShellArg cfg.googleWifClientId}
export AUTHENTIK_GOOGLE_WIF_CLIENT_SECRET="$(tr -d '\r\n' < ${lib.escapeShellArg cfg.googleWifClientSecretFile})"
export AUTHENTIK_GOOGLE_WIF_LAUNCH_URL=https://console.cloud.google.com/
export AUTHENTIK_GOOGLE_WIF_REDIRECT_URIS_JSON='[]'
export AUTHENTIK_GOOGLE_WIF_ACCESS_GROUP=${lib.escapeShellArg cfg.googleWifAccessGroupName}
${pkgs.bash}/bin/bash ${googleWifOidcSyncScript}
'';
};
systemd.services.burrow-authentik-tailscale-oidc = lib.mkIf (cfg.tailscaleClientSecretFile != null) {
description = "Reconcile the Burrow Authentik Tailscale OIDC application";
after = [