From 4f88f0b1e09d31a490d001b5720d5b396adc71de Mon Sep 17 00:00:00 2001
From: Conrad Kramer
Date: Sat, 18 Apr 2026 17:09:20 -0700
Subject: [PATCH] Align Burrow operator access on forge
---
 contributors.nix | 3 +++
 nixos/hosts/burrow-forge/default.nix | 10 ++++++++++
 2 files changed, 13 insertions(+)
diff --git a/contributors.nix b/contributors.nix
index 95d4e59..9475a27 100644
--- a/contributors.nix
+++ b/contributors.nix
@@ -38,6 +38,8 @@
 bootstrapAuthentik = true;
 roles = [
 "member"
+ "operator"
+ "forge-admin"
 ];
 };
@@ -50,6 +52,7 @@
 roles = [
 "member"
 "operator"
+ "forge-admin"
 ];
 };
diff --git a/nixos/hosts/burrow-forge/default.nix b/nixos/hosts/burrow-forge/default.nix
index 497d40e..1b46f6c 100644
--- a/nixos/hosts/burrow-forge/default.nix
+++ b/nixos/hosts/burrow-forge/default.nix
@@ -18,6 +18,15 @@ let
 }
 )
 (lib.filterAttrs (_: identity: identity.bootstrapAuthentik or false) identities);
+ headscaleBootstrapUsers = lib.mapAttrsToList
+ (
+ username: identity: {
+ name = username;
+ displayName = identity.displayName;
+ email = identity.canonicalEmail;
+ }
+ )
+ (lib.filterAttrs (_: identity: identity.bootstrapAuthentik or false) identities);
 forgeAuthorizedKeys = map (username: builtins.readFile identities.${username}.sshPublicKeyPath) (builtins.attrNames (lib.filterAttrs (_: identity: identity.forgeAuthorized or false) identities));
@@ -173,5 +182,6 @@ in
 services.burrow.headscale = {
 enable = true;
 oidcClientSecretFile = config.age.secrets.burrowHeadscaleOidcClientSecret.path;
+ bootstrapUsers = headscaleBootstrapUsers;
 };
 }
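Review bot: The role grants in contributors.nix carry no record of why they are needed: the hunk at `-38,6` takes an identity from `member` alone to `operator` plus `forge-admin` in one step, and the hunk at `-50,6` adds `forge-admin` to a second identity. Because this file looks like the source of truth for access, I would put a one-line comment above each new role, for example `# forge-admin: administers burrow-forge; approved in <ticket placeholder>`, so that a later access review can tell a deliberate grant from drift. The enclosing attribute sets begin outside both hunks, so the affected identities are not visible here. The first one also has `bootstrapAuthentik = true`, which the default.nix change in this patch uses to select Headscale users.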
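Review bot: In the `-18,6` hunk of nixos/hosts/burrow-forge/default.nix, `headscaleBootstrapUsers` is selected with the `bootstrapAuthentik` flag, so Headscale user provisioning is tied to a flag named for a different system. Flipping it for SSO reasons would also add or drop a Headscale user once the `-173,5` hunk wires the list into `bootstrapUsers`. I would either select on a dedicated attribute (for example a new `bootstrapHeadscale or false`), or bind the shared `lib.filterAttrs` result once under a neutral name and use it for both lists, with a comment stating that the coupling is intended. `identity.displayName` and `identity.canonicalEmail` are read without an `or` fallback, so an identity missing either one fails evaluation; if that is the intended guard, a comment should say so. The `let` block starts before the hunk, so the existing list it mirrors is only partly visible.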