Move forge tailnet secrets to agenix

Conrad Kramer 2026-03-31 16:38:02 -07:00
parent 8aebf56d6d
commit 20964e8ed7
9 changed files with 135 additions and 7 deletions


@ -1,4 +1,4 @@
{ self, ... }:
{ config, self, ... }:
{
imports = [
@ -20,6 +20,20 @@
"flakes"
];
age.identityPaths = [ "/var/lib/agenix/agenix.key" ];
age.secrets.burrowAuthentikEnv = {
file = ../../../secrets/infra/authentik.env.age;
owner = "root";
group = "root";
mode = "0400";
};
age.secrets.burrowHeadscaleOidcClientSecret = {
file = ../../../secrets/infra/headscale-oidc-client-secret.age;
owner = "root";
group = "root";
mode = "0400";
};
networking.extraHosts = ''
127.0.0.1 burrow.net git.burrow.net auth.burrow.net ts.burrow.net nsc-autoscaler.burrow.net
::1 burrow.net git.burrow.net auth.burrow.net ts.burrow.net nsc-autoscaler.burrow.net
@ -53,11 +67,12 @@
services.burrow.authentik = {
enable = true;
envFile = "/var/lib/burrow/intake/authentik.env";
headscaleClientSecretFile = "/var/lib/burrow/intake/authentik_headscale_client_secret.txt";
envFile = config.age.secrets.burrowAuthentikEnv.path;
headscaleClientSecretFile = config.age.secrets.burrowHeadscaleOidcClientSecret.path;
};
services.burrow.headscale = {
enable = true;
oidcClientSecretFile = config.age.secrets.burrowHeadscaleOidcClientSecret.path;
};
}
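Review bot: The two plaintext intake files that the `services.burrow.authentik` hunk stops referencing (`/var/lib/burrow/intake/authentik.env` and `/var/lib/burrow/intake/authentik_headscale_client_secret.txt`) are not removed by this commit, so on hosts that were already deployed the unencrypted copies stay on disk next to the new agenix-managed paths. Consider adding a cleanup rule in the same module, e.g. `systemd.tmpfiles.rules = [ "r /var/lib/burrow/intake/authentik.env" "r /var/lib/burrow/intake/authentik_headscale_client_secret.txt" ];`, and rotating both values, since they have lived in plaintext on the host. Both `age.secrets` entries in the second hunk are declared `owner = "root"; group = "root"; mode = "0400";`, which only works if the authentik and headscale services read `config.age.secrets.*.path` as root (or via a systemd credential); if they run under dedicated users, the file open will fail at service start, so that assumption is worth confirming with a short comment on the `owner` lines. The `services.burrow.headscale` hunk also reuses `burrowHeadscaleOidcClientSecret` for `oidcClientSecretFile`, which is consistent with the authentik side but means a single decrypted file serves both consumers; a one-line comment stating that intent would keep future readers from splitting them unnecessarily.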