hackclub/burrow
1
0
Fork 0
Code Pull requests Releases Packages Activity Actions

Move Forgejo NSC runtime into agenix
Some checks are pending
Build Rust / Cargo Test (push) Waiting to run
Details
Build Site / Next.js Build (push) Waiting to run
Details

Browse source
This commit is contained in:
Conrad Kramer 2026-03-18 22:40:44 -07:00
parent 251922da9e
commit 48b8a3c32f
14 changed files with 217 additions and 18 deletions
Download patch file Download diff file Expand all files Collapse all files

17
secrets/README.md Normal file
View file

@ -0,0 +1,17 @@
# Secrets
Burrow secrets live in `secrets/<name>.age` and are managed with `agenix`.
For the Forgejo Namespace Cloud runtime:
- `secrets/forgejo/nsc-token.age`
- `secrets/forgejo/nsc-dispatcher-config.age`
- `secrets/forgejo/nsc-autoscaler-config.age`
Use:
- `make secret name=forgejo/nsc-token`
- `make secret-file name=forgejo/nsc-token file=/path/to/source`
The forge host decrypts these files at activation time and feeds the resulting
paths into `services.burrow.forgejoNsc`.

BIN
secrets/forgejo/nsc-autoscaler-config.age Normal file
View file

Binary file not shown.

BIN
secrets/forgejo/nsc-dispatcher-config.age Normal file
View file

Binary file not shown.

BIN
secrets/forgejo/nsc-token.age Normal file
View file

Binary file not shown.

12
secrets/secrets.nix Normal file
View file

@ -0,0 +1,12 @@
{ }:
let
contact = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO42guJ5QvNMw3k6YKWlQnjcTsc+X4XI9F2GBtl8aHOa";
agent = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEN0+tRJy7Y2DW0uGYHb86N2t02WyU5lDNX6FaxBF/G8 agent@burrow.net";
forge = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAlkGo4lwpwIIZ0J01KjTuJuf/U/wGgy4/aKwPIUzutL root@burrow-forge";
forgeAutomation = [ contact agent forge ];
in {
"secrets/forgejo/nsc-token.age".publicKeys = forgeAutomation;
"secrets/forgejo/nsc-dispatcher-config.age".publicKeys = forgeAutomation;
"secrets/forgejo/nsc-autoscaler-config.age".publicKeys = forgeAutomation;
}