Wire Forgejo sign-in through Authentik

2026-04-01 01:12:15 -07:00 · 2026-04-01 01:12:15 -07:00 · 0e68c25a99
commit 0e68c25a99
parent 7f280c08cf
7 changed files with 434 additions and 3 deletions
--- a/nixos/README.md
+++ b/nixos/README.md
@ -33,7 +33,7 @@ Mail hosting is intentionally not part of this NixOS host in the current plan. B
 4. Let `burrow-forgejo-bootstrap.service` create or rotate the initial Forgejo admin account.
 5. Let `burrow-forgejo-runner-bootstrap.service` register the self-hosted Forgejo runner and seed Git identity as `agent <agent@burrow.net>`.
 6. Run `Scripts/provision-forgejo-nsc.sh` locally, then `Scripts/sync-forgejo-nsc-config.sh` to place the Namespace dispatcher/autoscaler runtime inputs under `/var/lib/burrow/intake/`.
-7. Ensure `/var/lib/agenix/agenix.key` exists on the host, encrypt `secrets/infra/authentik.env.age`, `secrets/infra/authentik-google-client-id.age`, `secrets/infra/authentik-google-client-secret.age`, and `secrets/infra/headscale-oidc-client-secret.age`, and let agenix materialize them under `/run/agenix/`.
+7. Ensure `/var/lib/agenix/agenix.key` exists on the host, encrypt `secrets/infra/authentik.env.age`, `secrets/infra/authentik-google-client-id.age`, `secrets/infra/authentik-google-client-secret.age`, `secrets/infra/forgejo-oidc-client-secret.age`, and `secrets/infra/headscale-oidc-client-secret.age`, and let agenix materialize them under `/run/agenix/`.
 8. Use `Scripts/cloudflare-upsert-a-record.sh` to point `git.burrow.net`, `burrow.net`, `auth.burrow.net`, `ts.burrow.net`, and `nsc-autoscaler.burrow.net` at the host with Cloudflare proxying disabled for ACME.
 9. Use `Scripts/forge-deploy.sh --allow-dirty` for subsequent remote `nixos-rebuild` runs from the live workspace.
 10. Configure Forward Email custom S3 backups for `burrow.net` and `burrow.rs` out-of-band with `Tools/forwardemail-custom-s3.sh`.
--- a/nixos/hosts/burrow-forge/default.nix
+++ b/nixos/hosts/burrow-forge/default.nix
@ -33,6 +33,12 @@
    group = "root";
    mode = "0400";
  };
+  age.secrets.burrowForgejoOidcClientSecret = {
+    file = ../../../secrets/infra/forgejo-oidc-client-secret.age;
+    owner = "forgejo";
+    group = "forgejo";
+    mode = "0440";
+  };
  age.secrets.burrowAuthentikGoogleClientId = {
    file = ../../../secrets/infra/authentik-google-client-id.age;
    owner = "root";
@ -54,6 +60,7 @@
  services.burrow.forge = {
    enable = true;
    adminPasswordFile = "/var/lib/burrow/intake/forgejo_pass_contact_at_burrow_net.txt";
+    oidcClientSecretFile = config.age.secrets.burrowForgejoOidcClientSecret.path;
    authorizedKeys = [
      (builtins.readFile ../../keys/contact_at_burrow_net.pub)
      (builtins.readFile ../../keys/agent_at_burrow_net.pub)
@ -80,6 +87,7 @@
  services.burrow.authentik = {
    enable = true;
    envFile = config.age.secrets.burrowAuthentikEnv.path;
+    forgejoClientSecretFile = config.age.secrets.burrowForgejoOidcClientSecret.path;
    headscaleClientSecretFile = config.age.secrets.burrowHeadscaleOidcClientSecret.path;
    googleClientIDFile = config.age.secrets.burrowAuthentikGoogleClientId.path;
    googleClientSecretFile = config.age.secrets.burrowAuthentikGoogleClientSecret.path;
--- a/nixos/modules/burrow-authentik.nix
+++ b/nixos/modules/burrow-authentik.nix
@ -8,6 +8,7 @@ let
  blueprintFile = "${blueprintDir}/burrow-authentik.yaml";
  postgresVolume = "burrow-authentik-postgresql:/var/lib/postgresql/data";
  dataVolume = "burrow-authentik-data:/data";
+  forgejoOidcSyncScript = ../../Scripts/authentik-sync-forgejo-oidc.sh;
  googleSourceSyncScript = ../../Scripts/authentik-sync-google-source.sh;
  authentikBlueprint = pkgs.writeText "burrow-authentik-blueprint.yaml" ''
    version: 1
@ -102,6 +103,30 @@ in
      description = "Authentik provider slug for Headscale.";
    };

+    forgejoDomain = lib.mkOption {
+      type = lib.types.str;
+      default = "git.burrow.net";
+      description = "Forgejo public domain used for the bundled OIDC client.";
+    };
+
+    forgejoProviderSlug = lib.mkOption {
+      type = lib.types.str;
+      default = "git";
+      description = "Authentik application slug for Forgejo.";
+    };
+
+    forgejoClientId = lib.mkOption {
+      type = lib.types.str;
+      default = "git.burrow.net";
+      description = "Client ID Authentik should present to Forgejo.";
+    };
+
+    forgejoClientSecretFile = lib.mkOption {
+      type = lib.types.nullOr lib.types.str;
+      default = null;
+      description = "Host-local file containing the Authentik Forgejo OIDC client secret.";
+    };
+
    headscaleClientSecretFile = lib.mkOption {
      type = lib.types.str;
      default = "/var/lib/burrow/intake/authentik_headscale_client_secret.txt";
@ -182,6 +207,13 @@ in
          exit 1
        fi

+        ${lib.optionalString (cfg.forgejoClientSecretFile != null) ''
+          if [ ! -s ${lib.escapeShellArg cfg.forgejoClientSecretFile} ]; then
+            echo "Forgejo client secret missing: ${cfg.forgejoClientSecretFile}" >&2
+            exit 1
+          fi
+        ''}
+
        install -d -m 0750 -o root -g root ${runtimeDir} ${blueprintDir}
        install -m 0644 -o root -g root ${authentikBlueprint} ${blueprintFile}

@ -208,6 +240,7 @@ AUTHENTIK_SECRET_KEY=$AUTHENTIK_SECRET_KEY
 AUTHENTIK_BOOTSTRAP_PASSWORD=$AUTHENTIK_BOOTSTRAP_PASSWORD
 AUTHENTIK_BOOTSTRAP_TOKEN=$AUTHENTIK_BOOTSTRAP_TOKEN
 AUTHENTIK_BURROW_TS_CLIENT_SECRET=$(read_secret ${lib.escapeShellArg cfg.headscaleClientSecretFile})
+${lib.optionalString (cfg.forgejoClientSecretFile != null) "AUTHENTIK_BURROW_FORGEJO_CLIENT_SECRET=$(read_secret ${lib.escapeShellArg cfg.forgejoClientSecretFile})"}
 EOF
        chown root:root ${envFile}
        chmod 0600 ${envFile}
@ -320,8 +353,6 @@ EOF
        Type = "oneshot";
        User = "root";
        Group = "root";
-        Restart = "on-failure";
-        RestartSec = 5;
      };
      script = ''
        set -euo pipefail
@ -340,6 +371,52 @@ EOF
      '';
    };

+    systemd.services.burrow-authentik-forgejo-oidc = lib.mkIf (cfg.forgejoClientSecretFile != null) {
+      description = "Reconcile the Burrow Authentik Forgejo OIDC application";
+      after = [
+        "burrow-authentik-ready.service"
+        "network-online.target"
+      ];
+      wants = [
+        "burrow-authentik-ready.service"
+        "network-online.target"
+      ];
+      wantedBy = [ "multi-user.target" ];
+      restartTriggers = [
+        forgejoOidcSyncScript
+        cfg.envFile
+        cfg.forgejoClientSecretFile
+      ];
+      path = [
+        pkgs.bash
+        pkgs.coreutils
+        pkgs.curl
+        pkgs.jq
+      ];
+      serviceConfig = {
+        Type = "oneshot";
+        User = "root";
+        Group = "root";
+      };
+      script = ''
+        set -euo pipefail
+        set -a
+        source ${lib.escapeShellArg cfg.envFile}
+        set +a
+
+        export AUTHENTIK_URL=https://${cfg.domain}
+        export AUTHENTIK_FORGEJO_APPLICATION_SLUG=${lib.escapeShellArg cfg.forgejoProviderSlug}
+        export AUTHENTIK_FORGEJO_APPLICATION_NAME=burrow.net
+        export AUTHENTIK_FORGEJO_PROVIDER_NAME=burrow.net
+        export AUTHENTIK_FORGEJO_CLIENT_ID=${lib.escapeShellArg cfg.forgejoClientId}
+        export AUTHENTIK_FORGEJO_CLIENT_SECRET="$(tr -d '\r\n' < ${lib.escapeShellArg cfg.forgejoClientSecretFile})"
+        export AUTHENTIK_FORGEJO_LAUNCH_URL=https://${cfg.forgejoDomain}/
+        export AUTHENTIK_FORGEJO_REDIRECT_URIS_JSON='["https://${cfg.forgejoDomain}/user/oauth2/burrow.net/callback","https://${cfg.forgejoDomain}/user/oauth2/authentik/callback","https://${cfg.forgejoDomain}/user/oauth2/GitHub/callback"]'
+
+        ${pkgs.bash}/bin/bash ${forgejoOidcSyncScript}
+      '';
+    };
+
    services.caddy.virtualHosts."${cfg.domain}".extraConfig = ''
      encode gzip zstd
      reverse_proxy 127.0.0.1:${toString cfg.port}
--- a/nixos/modules/burrow-forge.nix
+++ b/nixos/modules/burrow-forge.nix
@ -68,6 +68,30 @@ in
      description = "Host-local path to the plaintext bootstrap password file for the initial Forgejo admin.";
    };

+    oidcDisplayName = lib.mkOption {
+      type = lib.types.str;
+      default = "burrow.net";
+      description = "Login button label for the Forgejo OIDC provider.";
+    };
+
+    oidcClientId = lib.mkOption {
+      type = lib.types.str;
+      default = "git.burrow.net";
+      description = "OIDC client ID that Forgejo should use against Authentik.";
+    };
+
+    oidcClientSecretFile = lib.mkOption {
+      type = lib.types.nullOr lib.types.str;
+      default = null;
+      description = "Host-local path to the Forgejo OIDC client secret.";
+    };
+
+    oidcDiscoveryUrl = lib.mkOption {
+      type = lib.types.str;
+      default = "https://auth.burrow.net/application/o/git/.well-known/openid-configuration";
+      description = "OpenID Connect discovery URL for the Forgejo login source.";
+    };
+
    authorizedKeys = lib.mkOption {
      type = with lib.types; listOf str;
      default = [ ];
@ -243,5 +267,113 @@ in
        fi
      '';
    };
+
+    systemd.services.burrow-forgejo-oidc-bootstrap = lib.mkIf (cfg.oidcClientSecretFile != null) {
+      description = "Seed the Burrow Forgejo OIDC login source";
+      after = [
+        "forgejo.service"
+        "postgresql.service"
+      ] ++ lib.optionals config.services.burrow.authentik.enable [
+        "burrow-authentik-ready.service"
+      ];
+      wants = lib.optionals config.services.burrow.authentik.enable [
+        "burrow-authentik-ready.service"
+      ];
+      requires = [
+        "forgejo.service"
+        "postgresql.service"
+      ];
+      wantedBy = [ "multi-user.target" ];
+      restartTriggers = [
+        cfg.oidcClientSecretFile
+      ];
+      path = [
+        pkgs.coreutils
+        pkgs.gnugrep
+        pkgs.jq
+        pkgs.postgresql
+      ];
+      serviceConfig = {
+        Type = "oneshot";
+        User = forgejoCfg.user;
+        Group = forgejoCfg.group;
+        WorkingDirectory = forgejoCfg.stateDir;
+      };
+      script = ''
+        set -euo pipefail
+
+        if [ ! -s ${lib.escapeShellArg cfg.oidcClientSecretFile} ]; then
+          echo "Forgejo OIDC client secret missing: ${cfg.oidcClientSecretFile}" >&2
+          exit 1
+        fi
+
+        ready=0
+        for attempt in $(seq 1 60); do
+          if ${pkgs.postgresql}/bin/psql -h /run/postgresql -U forgejo forgejo -tAc \
+            "SELECT 1 FROM pg_tables WHERE schemaname='public' AND tablename='login_source';" \
+            | grep -q 1; then
+            ready=1
+            break
+          fi
+          sleep 1
+        done
+
+        if [ "$ready" -ne 1 ]; then
+          echo "Forgejo login_source table did not become ready" >&2
+          exit 1
+        fi
+
+        oidc_secret="$(${pkgs.coreutils}/bin/tr -d '\r\n' < ${lib.escapeShellArg cfg.oidcClientSecretFile})"
+        if [ -z "$oidc_secret" ]; then
+          echo "Forgejo OIDC client secret is empty" >&2
+          exit 1
+        fi
+
+        cfg_json="$(${pkgs.jq}/bin/jq -nc \
+          --arg client_id ${lib.escapeShellArg cfg.oidcClientId} \
+          --arg client_secret "$oidc_secret" \
+          --arg discovery_url ${lib.escapeShellArg cfg.oidcDiscoveryUrl} \
+          '{
+            Provider: "openidConnect",
+            ClientID: $client_id,
+            ClientSecret: $client_secret,
+            OpenIDConnectAutoDiscoveryURL: $discovery_url,
+            CustomURLMapping: null,
+            IconURL: "",
+            Scopes: ["openid", "profile", "email"],
+            AttributeSSHPublicKey: "",
+            RequiredClaimName: "",
+            RequiredClaimValue: "",
+            GroupClaimName: "",
+            AdminGroup: "",
+            GroupTeamMap: "",
+            GroupTeamMapRemoval: false,
+            RestrictedGroup: ""
+          }')"
+
+        ${pkgs.postgresql}/bin/psql -v ON_ERROR_STOP=1 \
+          -h /run/postgresql -U forgejo forgejo \
+          -v oidc_name=${lib.escapeShellArg cfg.oidcDisplayName} \
+          -v cfg_json="$cfg_json" <<'SQL'
+        INSERT INTO login_source (
+          type, name, is_active, is_sync_enabled, cfg, created_unix, updated_unix
+        ) VALUES (
+          6,
+          :'oidc_name',
+          TRUE,
+          FALSE,
+          :'cfg_json',
+          EXTRACT(EPOCH FROM NOW())::BIGINT,
+          EXTRACT(EPOCH FROM NOW())::BIGINT
+        )
+        ON CONFLICT (name) DO UPDATE SET
+          type = EXCLUDED.type,
+          is_active = TRUE,
+          is_sync_enabled = FALSE,
+          cfg = EXCLUDED.cfg,
+          updated_unix = EXCLUDED.updated_unix;
+        SQL
+      '';
+    };
  };
 }