Add Jett forge access and rekey secrets

This commit is contained in:
Conrad Kramer 2026-04-18 17:47:17 -07:00
parent 4f88f0b1e0
commit 5a4fe58b86
15 changed files with 45 additions and 8 deletions


@ -3,6 +3,7 @@
let
contributors = import ../../../contributors.nix;
identities = contributors.identities;
stripNewline = value: lib.replaceStrings [ "\n" ] [ "" ] value;
authentikPasswordSecretPath = identity:
if identity ? authentikPasswordSecret
then config.age.secrets.${identity.authentikPasswordSecret}.path
@ -27,6 +28,23 @@ let
}
)
(lib.filterAttrs (_: identity: identity.bootstrapAuthentik or false) identities);
forgeUnixUsernames =
builtins.attrNames (lib.filterAttrs (_: identity: identity.forgeUnixUser or false) identities);
forgeUnixUsers = lib.genAttrs forgeUnixUsernames (username:
let
identity = identities.${username};
sshKeys = lib.optional (identity ? sshPublicKeyPath) (stripNewline (builtins.readFile identity.sshPublicKeyPath));
in
{
isNormalUser = true;
createHome = true;
home = "/home/${username}";
shell = pkgs.bashInteractive;
extraGroups = lib.optional (identity.isAdmin or false) "wheel";
openssh.authorizedKeys.keys = sshKeys;
});
forgeUnixAdminUsernames =
builtins.attrNames (lib.filterAttrs (_: identity: (identity.forgeUnixUser or false) && (identity.isAdmin or false)) identities);
forgeAuthorizedKeys = map
(username: builtins.readFile identities.${username}.sshPublicKeyPath)
(builtins.attrNames (lib.filterAttrs (_: identity: identity.forgeAuthorized or false) identities));
@ -52,6 +70,18 @@ in
"flakes"
];
users.users = forgeUnixUsers;
security.sudo.extraRules = lib.map (username: {
users = [ username ];
commands = [
{
command = "ALL";
options = [ "NOPASSWD" ];
}
];
}) forgeUnixAdminUsernames;
environment.systemPackages = lib.optionals config.services.forgejo-nsc.enable [
self.packages.${pkgs.stdenv.hostPlatform.system}.nsc
];
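Review bot: The `security.sudo.extraRules` map grants `command = "ALL"` with `NOPASSWD` to every name in `forgeUnixAdminUsernames`, and the same identities are also put in `wheel` via `extraGroups`, so root is reachable through two sudo paths and, because `forgeUnixUsers` sets no `hashedPassword`, the only credential in front of it is possession of the SSH key. If passwordless sudo is deliberate because these accounts carry no password, state that in a comment above the rule, e.g. `# Admin accounts have no password, so sudo cannot prompt; root is gated solely by SSH key possession.`, and consider a single `groups = [ "wheel" ];` rule instead of one rule per username so the group membership and the sudo grant cannot drift apart. Separately, the new `sshKeys` binding guards on `identity ? sshPublicKeyPath` and applies `stripNewline`, while the pre-existing `forgeAuthorizedKeys` (context lines in the second hunk) does neither, so an identity flagged `forgeAuthorized` without a key path still aborts evaluation with a missing-attribute error and any key it does read keeps its trailing newline. The enclosing `let` block and the module attribute set both begin and end outside these hunks.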


@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMe960j6TC869F6RvElpICxlBauIT3E0uLyy0m7n70ZC