Move Forgejo NSC runtime into agenix

nixos/README.md

@@ -19,8 +19,8 @@ Mail hosting is intentionally not part of this NixOS host in the current plan. B
 - `../Scripts/check-forge-host.sh`: verify Forgejo, Caddy, the local runner, and optional NSC services after boot
 - `../Scripts/cloudflare-upsert-a-record.sh`: upsert DNS-only Cloudflare `A` records for Burrow host cutovers
 - `../Scripts/forge-deploy.sh`: remote `nixos-rebuild` entrypoint for the forge host
-- `../Scripts/provision-forgejo-nsc.sh`: render Burrow Namespace dispatcher/autoscaler runtime inputs and ensure the default Forgejo scope exists
-- `../Scripts/sync-forgejo-nsc-config.sh`: copy intake-backed dispatcher/autoscaler inputs to the host
+- `../Scripts/provision-forgejo-nsc.sh`: render Burrow Namespace dispatcher/autoscaler bootstrap inputs and ensure the default Forgejo scope exists
+- `../secrets/forgejo/*.age`: authoritative encrypted Namespace token + dispatcher/autoscaler configs for the forge host
 
 ## Intended Flow
 
@@ -29,7 +29,7 @@ Mail hosting is intentionally not part of this NixOS host in the current plan. B
 3. Run `Scripts/bootstrap-forge-intake.sh` to place the Forgejo bootstrap password file and automation SSH key under `/var/lib/burrow/intake/`.
 4. Let `burrow-forgejo-bootstrap.service` create or rotate the initial Forgejo admin account.
 5. Let `burrow-forgejo-runner-bootstrap.service` register the self-hosted Forgejo runner and seed Git identity as `agent <agent@burrow.net>`.
-6. Run `Scripts/provision-forgejo-nsc.sh` locally, then `Scripts/sync-forgejo-nsc-config.sh` to place the Namespace dispatcher/autoscaler runtime inputs under `/var/lib/burrow/intake/`.
+6. Run `Scripts/provision-forgejo-nsc.sh` locally, re-encrypt the resulting NSC token + configs into `secrets/forgejo/*.age`, then deploy with `Scripts/forge-deploy.sh` so agenix updates the live forgejo-nsc runtime paths.
 7. Use `Scripts/cloudflare-upsert-a-record.sh` to point `git.burrow.net`, `burrow.net`, and `nsc-autoscaler.burrow.net` at the host with Cloudflare proxying disabled for ACME.
 8. Use `Scripts/forge-deploy.sh --allow-dirty` for subsequent remote `nixos-rebuild` runs from the live workspace.
 9. Configure Forward Email custom S3 backups for `burrow.net` and `burrow.rs` out-of-band with `Tools/forwardemail-custom-s3.sh`.

nixos/hosts/burrow-forge/default.nix

@@ -1,4 +1,4 @@
-{ self, ... }:
+{ config, self, ... }:
 
 {
   imports = [
@@ -32,15 +32,36 @@
     sshPrivateKeyFile = "/var/lib/burrow/intake/agent_at_burrow_net_ed25519";
   };
 
+  age.secrets.forgejoNscToken = {
+    file = ../../../secrets/forgejo/nsc-token.age;
+    mode = "0400";
+    owner = "forgejo-nsc";
+    group = "forgejo-nsc";
+  };
+
+  age.secrets.forgejoNscDispatcherConfig = {
+    file = ../../../secrets/forgejo/nsc-dispatcher-config.age;
+    mode = "0400";
+    owner = "forgejo-nsc";
+    group = "forgejo-nsc";
+  };
+
+  age.secrets.forgejoNscAutoscalerConfig = {
+    file = ../../../secrets/forgejo/nsc-autoscaler-config.age;
+    mode = "0400";
+    owner = "forgejo-nsc";
+    group = "forgejo-nsc";
+  };
+
   services.burrow.forgejoNsc = {
     enable = true;
-    nscTokenFile = "/var/lib/burrow/intake/forgejo_nsc_token.txt";
+    nscTokenFile = config.age.secrets.forgejoNscToken.path;
     dispatcher = {
-      configFile = "/var/lib/burrow/intake/forgejo_nsc_dispatcher.yaml";
+      configFile = config.age.secrets.forgejoNscDispatcherConfig.path;
     };
     autoscaler = {
       enable = true;
-      configFile = "/var/lib/burrow/intake/forgejo_nsc_autoscaler.yaml";
+      configFile = config.age.secrets.forgejoNscAutoscalerConfig.path;
     };
   };
 }