Move Forgejo NSC runtime into agenix

Makefile

@@ -1,9 +1,43 @@
+FLAKE ?= .
+AGENIX ?= nix run ${FLAKE}\#agenix --
+
+SECRETS := forgejo/nsc-token \
+	forgejo/nsc-dispatcher-config \
+	forgejo/nsc-autoscaler-config
+
 tun := $(shell ifconfig -l | sed 's/ /\n/g' | grep utun | tail -n 1)
 cargo_console := env RUST_BACKTRACE=1 RUST_LOG=debug RUSTFLAGS='--cfg tokio_unstable' cargo run --all-features --
 cargo_norm := env RUST_BACKTRACE=1 RUST_LOG=debug cargo run --
 sudo_cargo_console := sudo -E env RUST_BACKTRACE=1 RUST_LOG=debug RUSTFLAGS='--cfg tokio_unstable' cargo run --all-features --
 sudo_cargo_norm := sudo -E env RUST_BACKTRACE=1 RUST_LOG=debug cargo run --
 
+.PHONY: secret secret-file secrets-list
+
+secret:
+	@if [ -z "${name}" ]; then \
+		printf 'Usage: make secret name=<secret-path>\nAvailable secrets:\n  %s\n' "${SECRETS}"; \
+		exit 1; \
+	fi
+	${AGENIX} -e secrets/${name}.age
+
+secret-file:
+	@if [ -z "${name}" ]; then \
+		printf 'Usage: make secret-file name=<secret-path> file=<source-file>\nAvailable secrets:\n  %s\n' "${SECRETS}"; \
+		exit 1; \
+	fi
+	@if [ -z "${file}" ]; then \
+		printf 'Usage: make secret-file name=<secret-path> file=<source-file>\n'; \
+		exit 1; \
+	fi
+	@if [ ! -f "${file}" ]; then \
+		printf 'Source file "%s" not found.\n' "${file}"; \
+		exit 1; \
+	fi
+	SECRET_SOURCE_FILE="${file}" EDITOR="${PWD}/Scripts/agenix-load-file.sh" ${AGENIX} -e secrets/${name}.age </dev/tty
+
+secrets-list:
+	@printf '%s\n' ${SECRETS}
+
 check:
 	@cargo check
 

Scripts/agenix-load-file.sh

@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+if [[ $# -lt 1 ]]; then
+  echo "Usage: agenix-load-file.sh <destination-file>" >&2
+  exit 1
+fi
+
+dest="${!#}"
+source_path="${SECRET_SOURCE_FILE:-}"
+
+if [[ -z "$source_path" ]]; then
+  echo "SECRET_SOURCE_FILE is not set; point it at the source file to encrypt." >&2
+  exit 1
+fi
+
+if [[ ! -f "$source_path" ]]; then
+  echo "Source file '$source_path' does not exist." >&2
+  exit 1
+fi
+
+cp "$source_path" "$dest"

Scripts/provision-forgejo-nsc.sh

@@ -272,4 +272,5 @@ PY
 chmod 600 "${dispatcher_out}" "${autoscaler_out}"
 
 echo "Rendered intake/forgejo_nsc_token.txt, intake/forgejo_nsc_dispatcher.yaml, and intake/forgejo_nsc_autoscaler.yaml."
+echo "Re-encrypt them into secrets/forgejo/{nsc-token,nsc-dispatcher-config,nsc-autoscaler-config}.age before deploying the forge host."
 echo "Minted Forgejo PAT ${token_name} for ${CONTACT_USER} on ${HOST}."

flake.lock

@@ -1,5 +1,47 @@
 {
   "nodes": {
+    "agenix": {
+      "inputs": {
+        "darwin": "darwin",
+        "home-manager": "home-manager",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "systems": "systems"
+      },
+      "locked": {
+        "lastModified": 1770165109,
+        "narHash": "sha256-9VnK6Oqai65puVJ4WYtCTvlJeXxMzAp/69HhQuTdl/I=",
+        "type": "tarball",
+        "url": "https://codeload.github.com/ryantm/agenix/tar.gz/main"
+      },
+      "original": {
+        "type": "tarball",
+        "url": "https://codeload.github.com/ryantm/agenix/tar.gz/main"
+      }
+    },
+    "darwin": {
+      "inputs": {
+        "nixpkgs": [
+          "agenix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1744478979,
+        "narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=",
+        "owner": "lnl7",
+        "repo": "nix-darwin",
+        "rev": "43975d782b418ebf4969e9ccba82466728c2851b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "lnl7",
+        "ref": "master",
+        "repo": "nix-darwin",
+        "type": "github"
+      }
+    },
     "disko": {
       "inputs": {
         "nixpkgs": [
@@ -19,7 +61,7 @@
     },
     "flake-utils": {
       "inputs": {
-        "systems": "systems"
+        "systems": "systems_2"
       },
       "locked": {
         "lastModified": 1731533236,
@@ -45,6 +87,27 @@
         "url": "https://codeload.github.com/apricote/hcloud-upload-image/tar.gz/v1.3.0"
       }
     },
+    "home-manager": {
+      "inputs": {
+        "nixpkgs": [
+          "agenix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1745494811,
+        "narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=",
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "type": "github"
+      }
+    },
     "nixpkgs": {
       "locked": {
         "lastModified": 1773389992,
@@ -59,6 +122,7 @@
     },
     "root": {
       "inputs": {
+        "agenix": "agenix",
         "disko": "disko",
         "flake-utils": "flake-utils",
         "hcloud-upload-image-src": "hcloud-upload-image-src",
@@ -79,6 +143,21 @@
         "repo": "default",
         "type": "github"
       }
+    },
+    "systems_2": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
     }
   },
   "root": "root",

flake.nix

@@ -4,6 +4,10 @@
   inputs = {
     nixpkgs.url = "tarball+https://codeload.github.com/NixOS/nixpkgs/tar.gz/nixos-unstable";
     flake-utils.url = "tarball+https://codeload.github.com/numtide/flake-utils/tar.gz/main";
+    agenix = {
+      url = "tarball+https://codeload.github.com/ryantm/agenix/tar.gz/main";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
     disko = {
       url = "tarball+https://codeload.github.com/nix-community/disko/tar.gz/master";
       inputs.nixpkgs.follows = "nixpkgs";
@@ -14,7 +18,7 @@
     };
   };
 
-  outputs = { self, nixpkgs, flake-utils, disko, hcloud-upload-image-src }:
+  outputs = { self, nixpkgs, flake-utils, agenix, disko, hcloud-upload-image-src }:
     let
       supportedSystems = [
         "x86_64-linux"
@@ -29,6 +33,7 @@
           inherit system;
         };
         lib = pkgs.lib;
+        agenixPkg = agenix.packages.${system}.agenix;
         commonPackages = with pkgs; [
           cargo
           rustc
@@ -141,6 +146,7 @@
           packages =
             commonPackages
             ++ [
+              agenixPkg
               hcloudUploadImagePkg
               forgejoNscDispatcher
               forgejoNscAutoscaler
@@ -152,6 +158,7 @@
           packages =
             commonPackages
             ++ [
+              agenixPkg
               hcloudUploadImagePkg
             ]
             ++ lib.optionals (nscPkg != null) [ nscPkg ];
@@ -161,6 +168,7 @@
 
         packages =
           {
+            agenix = agenixPkg;
             hcloud-upload-image = hcloudUploadImagePkg;
             forgejo-nsc-dispatcher = forgejoNscDispatcher;
             forgejo-nsc-autoscaler = forgejoNscAutoscaler;
@@ -176,8 +184,10 @@
         system = "x86_64-linux";
         specialArgs = {
           inherit self;
+          agenixPackage = agenix.packages.x86_64-linux.agenix;
         };
         modules = [
+          agenix.nixosModules.default
           disko.nixosModules.disko
           ./nixos/hosts/burrow-forge/default.nix
         ];

nixos/README.md

@@ -19,8 +19,8 @@ Mail hosting is intentionally not part of this NixOS host in the current plan. B
 - `../Scripts/check-forge-host.sh`: verify Forgejo, Caddy, the local runner, and optional NSC services after boot
 - `../Scripts/cloudflare-upsert-a-record.sh`: upsert DNS-only Cloudflare `A` records for Burrow host cutovers
 - `../Scripts/forge-deploy.sh`: remote `nixos-rebuild` entrypoint for the forge host
-- `../Scripts/provision-forgejo-nsc.sh`: render Burrow Namespace dispatcher/autoscaler runtime inputs and ensure the default Forgejo scope exists
+- `../Scripts/provision-forgejo-nsc.sh`: render Burrow Namespace dispatcher/autoscaler bootstrap inputs and ensure the default Forgejo scope exists
-- `../Scripts/sync-forgejo-nsc-config.sh`: copy intake-backed dispatcher/autoscaler inputs to the host
+- `../secrets/forgejo/*.age`: authoritative encrypted Namespace token + dispatcher/autoscaler configs for the forge host
 
 ## Intended Flow
 
@@ -29,7 +29,7 @@ Mail hosting is intentionally not part of this NixOS host in the current plan. B
 3. Run `Scripts/bootstrap-forge-intake.sh` to place the Forgejo bootstrap password file and automation SSH key under `/var/lib/burrow/intake/`.
 4. Let `burrow-forgejo-bootstrap.service` create or rotate the initial Forgejo admin account.
 5. Let `burrow-forgejo-runner-bootstrap.service` register the self-hosted Forgejo runner and seed Git identity as `agent <agent@burrow.net>`.
-6. Run `Scripts/provision-forgejo-nsc.sh` locally, then `Scripts/sync-forgejo-nsc-config.sh` to place the Namespace dispatcher/autoscaler runtime inputs under `/var/lib/burrow/intake/`.
+6. Run `Scripts/provision-forgejo-nsc.sh` locally, re-encrypt the resulting NSC token + configs into `secrets/forgejo/*.age`, then deploy with `Scripts/forge-deploy.sh` so agenix updates the live forgejo-nsc runtime paths.
 7. Use `Scripts/cloudflare-upsert-a-record.sh` to point `git.burrow.net`, `burrow.net`, and `nsc-autoscaler.burrow.net` at the host with Cloudflare proxying disabled for ACME.
 8. Use `Scripts/forge-deploy.sh --allow-dirty` for subsequent remote `nixos-rebuild` runs from the live workspace.
 9. Configure Forward Email custom S3 backups for `burrow.net` and `burrow.rs` out-of-band with `Tools/forwardemail-custom-s3.sh`.

nixos/hosts/burrow-forge/default.nix

@@ -1,4 +1,4 @@
-{ self, ... }:
+{ config, self, ... }:
 
 {
   imports = [
@@ -32,15 +32,36 @@
     sshPrivateKeyFile = "/var/lib/burrow/intake/agent_at_burrow_net_ed25519";
   };
 
+  age.secrets.forgejoNscToken = {
+    file = ../../../secrets/forgejo/nsc-token.age;
+    mode = "0400";
+    owner = "forgejo-nsc";
+    group = "forgejo-nsc";
+  };
+
+  age.secrets.forgejoNscDispatcherConfig = {
+    file = ../../../secrets/forgejo/nsc-dispatcher-config.age;
+    mode = "0400";
+    owner = "forgejo-nsc";
+    group = "forgejo-nsc";
+  };
+
+  age.secrets.forgejoNscAutoscalerConfig = {
+    file = ../../../secrets/forgejo/nsc-autoscaler-config.age;
+    mode = "0400";
+    owner = "forgejo-nsc";
+    group = "forgejo-nsc";
+  };
+
   services.burrow.forgejoNsc = {
     enable = true;
-    nscTokenFile = "/var/lib/burrow/intake/forgejo_nsc_token.txt";
+    nscTokenFile = config.age.secrets.forgejoNscToken.path;
     dispatcher = {
-      configFile = "/var/lib/burrow/intake/forgejo_nsc_dispatcher.yaml";
+      configFile = config.age.secrets.forgejoNscDispatcherConfig.path;
     };
     autoscaler = {
       enable = true;
-      configFile = "/var/lib/burrow/intake/forgejo_nsc_autoscaler.yaml";
+      configFile = config.age.secrets.forgejoNscAutoscalerConfig.path;
     };
   };
 }

secrets.nix

@@ -0,0 +1 @@
+import ./secrets/secrets.nix

secrets/README.md

@@ -0,0 +1,17 @@
+# Secrets
+
+Burrow secrets live in `secrets/<name>.age` and are managed with `agenix`.
+
+For the Forgejo Namespace Cloud runtime:
+
+- `secrets/forgejo/nsc-token.age`
+- `secrets/forgejo/nsc-dispatcher-config.age`
+- `secrets/forgejo/nsc-autoscaler-config.age`
+
+Use:
+
+- `make secret name=forgejo/nsc-token`
+- `make secret-file name=forgejo/nsc-token file=/path/to/source`
+
+The forge host decrypts these files at activation time and feeds the resulting
+paths into `services.burrow.forgejoNsc`.

secrets/secrets.nix

@@ -0,0 +1,12 @@
+{ }:
+let
+  contact = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO42guJ5QvNMw3k6YKWlQnjcTsc+X4XI9F2GBtl8aHOa";
+  agent = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEN0+tRJy7Y2DW0uGYHb86N2t02WyU5lDNX6FaxBF/G8 agent@burrow.net";
+  forge = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAlkGo4lwpwIIZ0J01KjTuJuf/U/wGgy4/aKwPIUzutL root@burrow-forge";
+
+  forgeAutomation = [ contact agent forge ];
+in {
+  "secrets/forgejo/nsc-token.age".publicKeys = forgeAutomation;
+  "secrets/forgejo/nsc-dispatcher-config.age".publicKeys = forgeAutomation;
+  "secrets/forgejo/nsc-autoscaler-config.age".publicKeys = forgeAutomation;
+}

services/forgejo-nsc/README.md

@@ -152,19 +152,21 @@ instances:
 ```
 
 For Burrow, use `Scripts/provision-forgejo-nsc.sh` to mint the Forgejo PAT,
-generate a Namespace token from the logged-in namespace account, and render the
+generate a Namespace token from the logged-in namespace account, and render
-dispatcher/autoscaler configs into `intake/forgejo_nsc_{dispatcher,autoscaler}.yaml`
+bootstrap artifacts into `intake/forgejo_nsc_{dispatcher,autoscaler}.yaml` plus
-plus `intake/forgejo_nsc_token.txt`. The token file is emitted as JSON with a
+`intake/forgejo_nsc_token.txt`. The token file is emitted as JSON with a
 `bearer_token` field so both the Compute API path and the `nsc` CLI fallback can
 consume the same secret material.
 
-For ongoing operations, use `Scripts/sync-forgejo-nsc-config.sh`:
+Long-lived runtime state is now sourced from age-encrypted files:
 
-- `Scripts/sync-forgejo-nsc-config.sh` copies the intake-backed configs and
+- `secrets/forgejo/nsc-token.age`
-  Namespace token onto `/var/lib/burrow/intake/` on the forge host, reapplies
+- `secrets/forgejo/nsc-dispatcher-config.age`
-  file ownership for `forgejo-nsc`, and restarts the dispatcher/autoscaler.
+- `secrets/forgejo/nsc-autoscaler-config.age`
-- `Scripts/sync-forgejo-nsc-config.sh --rotate-pat` additionally mints a new
+
-  Forgejo PAT on the Burrow forge host and refreshes the local intake files.
+After refreshing the intake files, re-encrypt them into `secrets/forgejo/*.age`
+and deploy the forge host so `config.age.secrets.*` updates the live paths for
+`services.burrow.forgejoNsc`.
 
 Run it next to the dispatcher: