Wire Forge-native release infrastructure
Some checks failed
Cache: Publish Nix / Publish Nix Cache (push) Waiting to run
Build Rust / Cargo Test (push) Successful in 4m14s
Build Site / Next.js Build (push) Failing after 6s
Infra: OpenTofu / OpenTofu (grafana) (push) Successful in 5s
Lint Governance / BEP Metadata (push) Successful in 0s
Build: Android / Android Rust Core Stub (push) Failing after 23s
Some checks failed
Cache: Publish Nix / Publish Nix Cache (push) Waiting to run
Build Rust / Cargo Test (push) Successful in 4m14s
Build Site / Next.js Build (push) Failing after 6s
Infra: OpenTofu / OpenTofu (grafana) (push) Successful in 5s
Lint Governance / BEP Metadata (push) Successful in 0s
Build: Android / Android Rust Core Stub (push) Failing after 23s
This commit is contained in:
parent
97c569fb35
commit
002bd382e9
199 changed files with 14268 additions and 185 deletions
|
|
@ -10,6 +10,8 @@ let
|
|||
dataVolume = "burrow-authentik-data:/data";
|
||||
directorySyncScript = ../../Scripts/authentik-sync-burrow-directory.sh;
|
||||
forgejoOidcSyncScript = ../../Scripts/authentik-sync-forgejo-oidc.sh;
|
||||
grafanaOidcSyncScript = ../../Scripts/authentik-sync-grafana-oidc.sh;
|
||||
googleWifOidcSyncScript = ../../Scripts/authentik-sync-google-wif-oidc.sh;
|
||||
tailscaleOidcSyncScript = ../../Scripts/authentik-sync-tailscale-oidc.sh;
|
||||
onePasswordOidcSyncScript = ../../Scripts/authentik-sync-1password-oidc.sh;
|
||||
zulipSamlSyncScript = ../../Scripts/authentik-sync-zulip-saml.sh;
|
||||
|
|
@ -136,6 +138,60 @@ in
|
|||
description = "Authentik application slug for Forgejo.";
|
||||
};
|
||||
|
||||
grafanaDomain = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "graphs.burrow.net";
|
||||
description = "Grafana public domain used for the bundled OIDC client.";
|
||||
};
|
||||
|
||||
grafanaProviderSlug = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "grafana";
|
||||
description = "Authentik application slug for Grafana.";
|
||||
};
|
||||
|
||||
grafanaClientId = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "graphs.burrow.net";
|
||||
description = "Client ID Authentik should present to Grafana.";
|
||||
};
|
||||
|
||||
grafanaClientSecretFile = lib.mkOption {
|
||||
type = lib.types.nullOr lib.types.str;
|
||||
default = null;
|
||||
description = "Host-local file containing the Authentik Grafana OIDC client secret.";
|
||||
};
|
||||
|
||||
grafanaAccessGroupName = lib.mkOption {
|
||||
type = lib.types.nullOr lib.types.str;
|
||||
default = null;
|
||||
description = "Authentik group allowed to launch Grafana.";
|
||||
};
|
||||
|
||||
googleWifProviderSlug = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "google-cloud";
|
||||
description = "Authentik application slug for Google Cloud Workload Identity Federation.";
|
||||
};
|
||||
|
||||
googleWifClientId = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "google-wif.burrow.net";
|
||||
description = "Client ID Authentik should present to Google Cloud WIF consumers.";
|
||||
};
|
||||
|
||||
googleWifClientSecretFile = lib.mkOption {
|
||||
type = lib.types.nullOr lib.types.str;
|
||||
default = null;
|
||||
description = "Host-local file containing the Authentik Google WIF OIDC client secret.";
|
||||
};
|
||||
|
||||
googleWifAccessGroupName = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "burrow-automation";
|
||||
description = "Authentik group allowed to mint Google WIF tokens.";
|
||||
};
|
||||
|
||||
tailscaleProviderSlug = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "tailscale";
|
||||
|
|
@ -388,6 +444,12 @@ in
|
|||
description = "Authentik group granted Burrow administrator access.";
|
||||
};
|
||||
|
||||
extraGroupNames = lib.mkOption {
|
||||
type = lib.types.listOf lib.types.str;
|
||||
default = [ ];
|
||||
description = "Additional Authentik groups that should exist even if no bootstrap user currently belongs to them.";
|
||||
};
|
||||
|
||||
bootstrapUsers = lib.mkOption {
|
||||
type = with lib.types; listOf (submodule {
|
||||
options = {
|
||||
|
|
@ -490,6 +552,13 @@ in
|
|||
fi
|
||||
''}
|
||||
|
||||
${lib.optionalString (cfg.googleWifClientSecretFile != null) ''
|
||||
if [ ! -s ${lib.escapeShellArg cfg.googleWifClientSecretFile} ]; then
|
||||
echo "Google WIF client secret missing: ${cfg.googleWifClientSecretFile}" >&2
|
||||
exit 1
|
||||
fi
|
||||
''}
|
||||
|
||||
install -d -m 0750 -o root -g root ${runtimeDir} ${blueprintDir}
|
||||
install -m 0644 -o root -g root ${authentikBlueprint} ${blueprintFile}
|
||||
|
||||
|
|
@ -517,6 +586,7 @@ AUTHENTIK_BOOTSTRAP_PASSWORD=$AUTHENTIK_BOOTSTRAP_PASSWORD
|
|||
AUTHENTIK_BOOTSTRAP_TOKEN=$AUTHENTIK_BOOTSTRAP_TOKEN
|
||||
AUTHENTIK_BURROW_TS_CLIENT_SECRET=$(read_secret ${lib.escapeShellArg cfg.headscaleClientSecretFile})
|
||||
${lib.optionalString (cfg.forgejoClientSecretFile != null) "AUTHENTIK_BURROW_FORGEJO_CLIENT_SECRET=$(read_secret ${lib.escapeShellArg cfg.forgejoClientSecretFile})"}
|
||||
${lib.optionalString (cfg.googleWifClientSecretFile != null) "AUTHENTIK_BURROW_GOOGLE_WIF_CLIENT_SECRET=$(read_secret ${lib.escapeShellArg cfg.googleWifClientSecretFile})"}
|
||||
EOF
|
||||
chown root:root ${envFile}
|
||||
chmod 0600 ${envFile}
|
||||
|
|
@ -667,7 +737,7 @@ EOF
|
|||
'';
|
||||
};
|
||||
|
||||
systemd.services.burrow-authentik-directory = lib.mkIf (cfg.bootstrapUsers != [ ]) {
|
||||
systemd.services.burrow-authentik-directory = lib.mkIf (cfg.bootstrapUsers != [ ] || cfg.extraGroupNames != [ ]) {
|
||||
description = "Reconcile Burrow Authentik users and groups";
|
||||
after =
|
||||
[
|
||||
|
|
@ -706,6 +776,7 @@ EOF
|
|||
export AUTHENTIK_URL=https://${cfg.domain}
|
||||
export AUTHENTIK_BURROW_USERS_GROUP=${lib.escapeShellArg cfg.userGroupName}
|
||||
export AUTHENTIK_BURROW_ADMINS_GROUP=${lib.escapeShellArg cfg.adminGroupName}
|
||||
export AUTHENTIK_BURROW_EXTRA_GROUPS_JSON='${builtins.toJSON cfg.extraGroupNames}'
|
||||
export AUTHENTIK_FORGEJO_APPLICATION_SLUG=${lib.escapeShellArg cfg.forgejoProviderSlug}
|
||||
export AUTHENTIK_BURROW_DIRECTORY_JSON='${builtins.toJSON (map (user: {
|
||||
inherit (user) username name email isAdmin passwordFile;
|
||||
|
|
@ -810,12 +881,110 @@ EOF
|
|||
export AUTHENTIK_FORGEJO_CLIENT_ID=${lib.escapeShellArg cfg.forgejoClientId}
|
||||
export AUTHENTIK_FORGEJO_CLIENT_SECRET="$(tr -d '\r\n' < ${lib.escapeShellArg cfg.forgejoClientSecretFile})"
|
||||
export AUTHENTIK_FORGEJO_LAUNCH_URL=https://${cfg.forgejoDomain}/
|
||||
export AUTHENTIK_FORGEJO_REDIRECT_URIS_JSON='["https://${cfg.forgejoDomain}/user/oauth2/burrow.net/callback","https://${cfg.forgejoDomain}/user/oauth2/authentik/callback","https://${cfg.forgejoDomain}/user/oauth2/GitHub/callback"]'
|
||||
export AUTHENTIK_FORGEJO_REDIRECT_URIS_JSON='["https://${cfg.forgejoDomain}/user/oauth2/burrow.net/callback","https://${cfg.forgejoDomain}/user/oauth2/authentik/callback"]'
|
||||
|
||||
${pkgs.bash}/bin/bash ${forgejoOidcSyncScript}
|
||||
'';
|
||||
};
|
||||
|
||||
systemd.services.burrow-authentik-grafana-oidc = lib.mkIf (cfg.grafanaClientSecretFile != null) {
|
||||
description = "Reconcile the Burrow Authentik Grafana OIDC application";
|
||||
after = [
|
||||
"burrow-authentik-ready.service"
|
||||
"network-online.target"
|
||||
];
|
||||
wants = [
|
||||
"burrow-authentik-ready.service"
|
||||
"network-online.target"
|
||||
];
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
restartTriggers = [
|
||||
grafanaOidcSyncScript
|
||||
cfg.envFile
|
||||
cfg.grafanaClientSecretFile
|
||||
];
|
||||
path = [
|
||||
pkgs.bash
|
||||
pkgs.coreutils
|
||||
pkgs.curl
|
||||
pkgs.jq
|
||||
];
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
User = "root";
|
||||
Group = "root";
|
||||
};
|
||||
script = ''
|
||||
set -euo pipefail
|
||||
set -a
|
||||
source ${lib.escapeShellArg cfg.envFile}
|
||||
set +a
|
||||
|
||||
export AUTHENTIK_URL=https://${cfg.domain}
|
||||
export AUTHENTIK_GRAFANA_APPLICATION_SLUG=${lib.escapeShellArg cfg.grafanaProviderSlug}
|
||||
export AUTHENTIK_GRAFANA_APPLICATION_NAME="Burrow Grafana"
|
||||
export AUTHENTIK_GRAFANA_PROVIDER_NAME="Burrow Grafana"
|
||||
export AUTHENTIK_GRAFANA_TEMPLATE_SLUG=${lib.escapeShellArg cfg.headscaleProviderSlug}
|
||||
export AUTHENTIK_GRAFANA_CLIENT_ID=${lib.escapeShellArg cfg.grafanaClientId}
|
||||
export AUTHENTIK_GRAFANA_CLIENT_SECRET="$(tr -d '\r\n' < ${lib.escapeShellArg cfg.grafanaClientSecretFile})"
|
||||
export AUTHENTIK_GRAFANA_LAUNCH_URL=https://${cfg.grafanaDomain}/
|
||||
export AUTHENTIK_GRAFANA_REDIRECT_URIS_JSON='["https://${cfg.grafanaDomain}/login/generic_oauth"]'
|
||||
${lib.optionalString (cfg.grafanaAccessGroupName != null) ''
|
||||
export AUTHENTIK_GRAFANA_ACCESS_GROUP=${lib.escapeShellArg cfg.grafanaAccessGroupName}
|
||||
''}
|
||||
|
||||
${pkgs.bash}/bin/bash ${grafanaOidcSyncScript}
|
||||
'';
|
||||
};
|
||||
|
||||
systemd.services.burrow-authentik-google-wif-oidc = lib.mkIf (cfg.googleWifClientSecretFile != null) {
|
||||
description = "Reconcile the Burrow Authentik Google WIF OIDC application";
|
||||
after = [
|
||||
"burrow-authentik-ready.service"
|
||||
"network-online.target"
|
||||
];
|
||||
wants = [
|
||||
"burrow-authentik-ready.service"
|
||||
"network-online.target"
|
||||
];
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
restartTriggers = [
|
||||
googleWifOidcSyncScript
|
||||
cfg.envFile
|
||||
cfg.googleWifClientSecretFile
|
||||
];
|
||||
path = [
|
||||
pkgs.bash
|
||||
pkgs.coreutils
|
||||
pkgs.curl
|
||||
pkgs.jq
|
||||
];
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
User = "root";
|
||||
Group = "root";
|
||||
};
|
||||
script = ''
|
||||
set -euo pipefail
|
||||
set -a
|
||||
source ${lib.escapeShellArg cfg.envFile}
|
||||
set +a
|
||||
|
||||
export AUTHENTIK_URL=https://${cfg.domain}
|
||||
export AUTHENTIK_GOOGLE_WIF_APPLICATION_SLUG=${lib.escapeShellArg cfg.googleWifProviderSlug}
|
||||
export AUTHENTIK_GOOGLE_WIF_APPLICATION_NAME="Google Cloud WIF"
|
||||
export AUTHENTIK_GOOGLE_WIF_PROVIDER_NAME="Google Cloud WIF"
|
||||
export AUTHENTIK_GOOGLE_WIF_TEMPLATE_SLUG=${lib.escapeShellArg cfg.headscaleProviderSlug}
|
||||
export AUTHENTIK_GOOGLE_WIF_CLIENT_ID=${lib.escapeShellArg cfg.googleWifClientId}
|
||||
export AUTHENTIK_GOOGLE_WIF_CLIENT_SECRET="$(tr -d '\r\n' < ${lib.escapeShellArg cfg.googleWifClientSecretFile})"
|
||||
export AUTHENTIK_GOOGLE_WIF_LAUNCH_URL=https://console.cloud.google.com/
|
||||
export AUTHENTIK_GOOGLE_WIF_REDIRECT_URIS_JSON='[]'
|
||||
export AUTHENTIK_GOOGLE_WIF_ACCESS_GROUP=${lib.escapeShellArg cfg.googleWifAccessGroupName}
|
||||
|
||||
${pkgs.bash}/bin/bash ${googleWifOidcSyncScript}
|
||||
'';
|
||||
};
|
||||
|
||||
systemd.services.burrow-authentik-tailscale-oidc = lib.mkIf (cfg.tailscaleClientSecretFile != null) {
|
||||
description = "Reconcile the Burrow Authentik Tailscale OIDC application";
|
||||
after = [
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue