Move forgejo-nsc credentials into agenix

Scripts/authentik-sync-namespace-portal-oidc.sh

@@ -1,246 +0,0 @@
-#!/usr/bin/env bash
-set -euo pipefail
-
-authentik_url="${AUTHENTIK_URL:-https://auth.burrow.net}"
-bootstrap_token="${AUTHENTIK_BOOTSTRAP_TOKEN:-}"
-application_slug="${AUTHENTIK_NAMESPACE_PORTAL_APPLICATION_SLUG:-namespace}"
-application_name="${AUTHENTIK_NAMESPACE_PORTAL_APPLICATION_NAME:-Namespace Portal}"
-provider_name="${AUTHENTIK_NAMESPACE_PORTAL_PROVIDER_NAME:-Namespace Portal}"
-template_slug="${AUTHENTIK_NAMESPACE_PORTAL_TEMPLATE_SLUG:-ts}"
-client_id="${AUTHENTIK_NAMESPACE_PORTAL_CLIENT_ID:-nsc.burrow.net}"
-client_secret="${AUTHENTIK_NAMESPACE_PORTAL_CLIENT_SECRET:-}"
-launch_url="${AUTHENTIK_NAMESPACE_PORTAL_LAUNCH_URL:-https://nsc.burrow.net/}"
-redirect_uris_json="${AUTHENTIK_NAMESPACE_PORTAL_REDIRECT_URIS_JSON:-[
-  \"https://nsc.burrow.net/oauth/callback\"
-]}"
-
-usage() {
-  cat <<'EOF'
-Usage: Scripts/authentik-sync-namespace-portal-oidc.sh
-
-Required environment:
-  AUTHENTIK_BOOTSTRAP_TOKEN
-
-Optional environment:
-  AUTHENTIK_URL
-  AUTHENTIK_NAMESPACE_PORTAL_APPLICATION_SLUG
-  AUTHENTIK_NAMESPACE_PORTAL_APPLICATION_NAME
-  AUTHENTIK_NAMESPACE_PORTAL_PROVIDER_NAME
-  AUTHENTIK_NAMESPACE_PORTAL_TEMPLATE_SLUG
-  AUTHENTIK_NAMESPACE_PORTAL_CLIENT_ID
-  AUTHENTIK_NAMESPACE_PORTAL_CLIENT_SECRET
-  AUTHENTIK_NAMESPACE_PORTAL_LAUNCH_URL
-  AUTHENTIK_NAMESPACE_PORTAL_REDIRECT_URIS_JSON
-EOF
-}
-
-if [[ "${1:-}" == "-h" || "${1:-}" == "--help" ]]; then
-  usage
-  exit 0
-fi
-
-if [[ -z "$bootstrap_token" ]]; then
-  echo "error: AUTHENTIK_BOOTSTRAP_TOKEN is required" >&2
-  exit 1
-fi
-
-if ! printf '%s' "$redirect_uris_json" | jq -e 'type == "array" and length > 0' >/dev/null; then
-  echo "error: AUTHENTIK_NAMESPACE_PORTAL_REDIRECT_URIS_JSON must be a non-empty JSON array" >&2
-  exit 1
-fi
-
-api() {
-  local method="$1"
-  local path="$2"
-  local data="${3:-}"
-
-  if [[ -n "$data" ]]; then
-    curl -fsS \
-      -X "$method" \
-      -H "Authorization: Bearer ${bootstrap_token}" \
-      -H "Content-Type: application/json" \
-      -d "$data" \
-      "${authentik_url}${path}"
-  else
-    curl -fsS \
-      -X "$method" \
-      -H "Authorization: Bearer ${bootstrap_token}" \
-      "${authentik_url}${path}"
-  fi
-}
-
-api_with_status() {
-  local method="$1"
-  local path="$2"
-  local data="${3:-}"
-  local response_file status
-
-  response_file="$(mktemp)"
-  trap 'rm -f "$response_file"' RETURN
-
-  if [[ -n "$data" ]]; then
-    status="$(
-      curl -sS \
-        -o "$response_file" \
-        -w '%{http_code}' \
-        -X "$method" \
-        -H "Authorization: Bearer ${bootstrap_token}" \
-        -H "Content-Type: application/json" \
-        -d "$data" \
-        "${authentik_url}${path}"
-    )"
-  else
-    status="$(
-      curl -sS \
-        -o "$response_file" \
-        -w '%{http_code}' \
-        -X "$method" \
-        -H "Authorization: Bearer ${bootstrap_token}" \
-        "${authentik_url}${path}"
-    )"
-  fi
-
-  printf '%s\n' "$status"
-  cat "$response_file"
-}
-
-wait_for_authentik() {
-  for _ in $(seq 1 90); do
-    if curl -fsS "${authentik_url}/-/health/ready/" >/dev/null 2>&1; then
-      return 0
-    fi
-    sleep 2
-  done
-
-  echo "error: Authentik did not become ready at ${authentik_url}" >&2
-  exit 1
-}
-
-wait_for_authentik
-
-template_provider="$(
-  api GET "/api/v3/providers/oauth2/?page_size=200" \
-    | jq -c --arg template_slug "$template_slug" '.results[]? | select(.assigned_application_slug == $template_slug)' \
-    | head -n1
-)"
-
-if [[ -z "$template_provider" ]]; then
-  echo "error: could not resolve the Authentik OAuth provider template ${template_slug}" >&2
-  exit 1
-fi
-
-authorization_flow="$(printf '%s\n' "$template_provider" | jq -r '.authorization_flow')"
-invalidation_flow="$(printf '%s\n' "$template_provider" | jq -r '.invalidation_flow')"
-property_mappings="$(printf '%s\n' "$template_provider" | jq -c '.property_mappings')"
-signing_key="$(printf '%s\n' "$template_provider" | jq -r '.signing_key')"
-
-provider_payload="$(
-  jq -n \
-    --arg name "$provider_name" \
-    --arg authorization_flow "$authorization_flow" \
-    --arg invalidation_flow "$invalidation_flow" \
-    --arg client_id "$client_id" \
-    --arg client_secret "$client_secret" \
-    --arg signing_key "$signing_key" \
-    --argjson property_mappings "$property_mappings" \
-    --argjson redirect_uris "$redirect_uris_json" \
-    '{
-      name: $name,
-      authorization_flow: $authorization_flow,
-      invalidation_flow: $invalidation_flow,
-      client_type: (if $client_secret == "" then "public" else "confidential" end),
-      client_id: $client_id,
-      include_claims_in_id_token: true,
-      redirect_uris: ($redirect_uris | map({matching_mode: "strict", url: .})),
-      property_mappings: $property_mappings,
-      signing_key: $signing_key,
-      issuer_mode: "per_provider",
-      sub_mode: "hashed_user_id"
-    }
-    + (if $client_secret == "" then {} else {client_secret: $client_secret} end)'
-)"
-
-existing_provider="$(
-  api GET "/api/v3/providers/oauth2/?page_size=200" \
-    | jq -c \
-      --arg application_slug "$application_slug" \
-      --arg provider_name "$provider_name" \
-      '.results[]? | select(.assigned_application_slug == $application_slug or .name == $provider_name)' \
-    | head -n1
-)"
-
-if [[ -n "$existing_provider" ]]; then
-  provider_pk="$(printf '%s\n' "$existing_provider" | jq -r '.pk')"
-  api PATCH "/api/v3/providers/oauth2/${provider_pk}/" "$provider_payload" >/dev/null
-else
-  provider_pk="$(
-    api POST "/api/v3/providers/oauth2/" "$provider_payload" \
-      | jq -r '.pk // empty'
-  )"
-fi
-
-if [[ -z "${provider_pk:-}" ]]; then
-  echo "error: Namespace portal OIDC provider did not return a primary key" >&2
-  exit 1
-fi
-
-application_payload="$(
-  jq -n \
-    --arg name "$application_name" \
-    --arg slug "$application_slug" \
-    --arg provider "$provider_pk" \
-    --arg launch_url "$launch_url" \
-    '{
-      name: $name,
-      slug: $slug,
-      provider: ($provider | tonumber),
-      meta_launch_url: $launch_url,
-      open_in_new_tab: false,
-      policy_engine_mode: "any"
-    }'
-)"
-
-existing_application="$(
-  api GET "/api/v3/core/applications/?page_size=200" \
-    | jq -c --arg slug "$application_slug" '.results[]? | select(.slug == $slug)' \
-    | head -n1
-)"
-
-if [[ -n "$existing_application" ]]; then
-  application_pk="$(printf '%s\n' "$existing_application" | jq -r '.pk')"
-else
-  create_application_result="$(
-    api_with_status POST "/api/v3/core/applications/" "$application_payload"
-  )"
-  create_application_status="$(printf '%s\n' "$create_application_result" | sed -n '1p')"
-  create_application_body="$(printf '%s\n' "$create_application_result" | sed '1d')"
-
-  if [[ "$create_application_status" =~ ^20[01]$ ]]; then
-    application_pk="$(printf '%s\n' "$create_application_body" | jq -r '.pk // empty')"
-  elif [[ "$create_application_status" == "400" ]] && printf '%s\n' "$create_application_body" | jq -e '
-      (.slug // [] | index("Application with this slug already exists.")) != null
-      or (.provider // [] | index("Application with this provider already exists.")) != null
-    ' >/dev/null; then
-    application_pk="existing-duplicate"
-  else
-    printf '%s\n' "$create_application_body" >&2
-    echo "error: could not reconcile Authentik application ${application_slug}" >&2
-    exit 1
-  fi
-fi
-
-if [[ -z "${application_pk:-}" ]]; then
-  echo "error: Namespace portal OIDC application did not return a primary key" >&2
-  exit 1
-fi
-
-for _ in $(seq 1 30); do
-  if curl -fsS "${authentik_url}/application/o/${application_slug}/.well-known/openid-configuration" >/dev/null 2>&1; then
-    echo "Synced Authentik Namespace portal OIDC application ${application_slug} (${application_name})."
-    exit 0
-  fi
-  sleep 2
-done
-
-echo "warning: Namespace portal OIDC issuer document for ${application_slug} was not immediately readable; keeping reconciled config." >&2
-echo "Synced Authentik Namespace portal OIDC application ${application_slug} (${application_name})."

Scripts/check-forge-host.sh

@@ -84,7 +84,6 @@ base_services=(
 nsc_services=(
   forgejo-nsc-dispatcher.service
   forgejo-nsc-autoscaler.service
-  burrow-namespace-portal.service
 )
 
 tailnet_services=(
@@ -165,6 +164,14 @@ if [[ "${EXPECT_TAILNET}" == "1" ]]; then
   test -s /run/agenix/burrowHeadscaleOidcClientSecret
 fi
 
+if [[ "${EXPECT_NSC}" == "1" ]]; then
+  echo "== agenix-nsc =="
+  ls -l /run/agenix || true
+  test -s /run/agenix/burrowForgejoNscToken
+  test -s /run/agenix/burrowForgejoNscDispatcherConfig
+  test -s /run/agenix/burrowForgejoNscAutoscalerConfig
+fi
+
 if command -v curl >/dev/null 2>&1; then
   echo "== http-local =="
   curl -fsS -o /dev/null -w 'forgejo_login %{http_code}\n' http://127.0.0.1:3000/user/login
@@ -174,8 +181,5 @@ if command -v curl >/dev/null 2>&1; then
     curl -fsS -o /dev/null -H 'Host: auth.burrow.net' -w 'authentik_ready %{http_code}\n' http://127.0.0.1/-/health/ready/
     curl -sS -o /dev/null -H 'Host: ts.burrow.net' -w 'headscale_root %{http_code}\n' http://127.0.0.1/ || true
   fi
-  if [[ "${EXPECT_NSC}" == "1" ]]; then
-    curl -fsS -o /dev/null -H 'Host: nsc.burrow.net' -w 'namespace_portal %{http_code}\n' http://127.0.0.1/
-  fi
 fi
 EOF

Scripts/seal-forgejo-nsc-secrets.sh

@@ -0,0 +1,112 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+REPO_ROOT="$(cd "${SCRIPT_DIR}/.." && pwd)"
+
+usage() {
+  cat <<'EOF'
+Usage: Scripts/seal-forgejo-nsc-secrets.sh [options]
+
+Encrypt Burrow forgejo-nsc runtime inputs from intake/ into the agenix secrets
+consumed by burrow-forge.
+
+Options:
+  --provision            Re-render the local intake files before sealing.
+  --host <user@host>     SSH target forwarded to provision-forgejo-nsc.sh.
+  --ssh-key <path>       SSH private key forwarded to provision-forgejo-nsc.sh.
+  --nsc-bin <path>       Override the nsc binary for provisioning.
+  -h, --help             Show this help text.
+EOF
+}
+
+PROVISION=0
+HOST="${BURROW_FORGE_HOST:-root@git.burrow.net}"
+SSH_KEY="${BURROW_FORGE_SSH_KEY:-${REPO_ROOT}/intake/agent_at_burrow_net_ed25519}"
+NSC_BIN="${NSC_BIN:-}"
+
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    --provision)
+      PROVISION=1
+      shift
+      ;;
+    --host)
+      HOST="${2:?missing value for --host}"
+      shift 2
+      ;;
+    --ssh-key)
+      SSH_KEY="${2:?missing value for --ssh-key}"
+      shift 2
+      ;;
+    --nsc-bin)
+      NSC_BIN="${2:?missing value for --nsc-bin}"
+      shift 2
+      ;;
+    -h|--help)
+      usage
+      exit 0
+      ;;
+    *)
+      echo "unknown option: $1" >&2
+      usage >&2
+      exit 64
+      ;;
+  esac
+done
+
+require_cmd() {
+  if ! command -v "$1" >/dev/null 2>&1; then
+    echo "missing required command: $1" >&2
+    exit 1
+  fi
+}
+
+require_cmd age
+require_cmd nix
+require_cmd python3
+
+if [[ "${PROVISION}" -eq 1 ]]; then
+  provision_args=(--host "${HOST}" --ssh-key "${SSH_KEY}")
+  if [[ -n "${NSC_BIN}" ]]; then
+    provision_args+=(--nsc-bin "${NSC_BIN}")
+  fi
+  "${SCRIPT_DIR}/provision-forgejo-nsc.sh" "${provision_args[@]}"
+fi
+
+tmpdir="$(mktemp -d)"
+cleanup() {
+  rm -rf "${tmpdir}"
+}
+trap cleanup EXIT
+
+seal_secret() {
+  local target="$1"
+  local source_path="$2"
+  recipients_file="${tmpdir}/$(basename "${target}").recipients"
+  if [[ ! -s "${source_path}" ]]; then
+    echo "required runtime input missing or empty: ${source_path}" >&2
+    exit 1
+  fi
+  nix eval --impure --json --expr "let s = import ${REPO_ROOT}/secrets.nix; in s.\"${target}\".publicKeys" \
+    | python3 -c 'import json, sys; [print(item) for item in json.load(sys.stdin)]' \
+    > "${recipients_file}"
+
+  age -R "${recipients_file}" -o "${REPO_ROOT}/${target}" "${source_path}"
+}
+
+seal_secret "secrets/infra/forgejo-nsc-token.age" "${REPO_ROOT}/intake/forgejo_nsc_token.txt"
+seal_secret "secrets/infra/forgejo-nsc-dispatcher-config.age" "${REPO_ROOT}/intake/forgejo_nsc_dispatcher.yaml"
+seal_secret "secrets/infra/forgejo-nsc-autoscaler-config.age" "${REPO_ROOT}/intake/forgejo_nsc_autoscaler.yaml"
+
+chmod 600 \
+  "${REPO_ROOT}/secrets/infra/forgejo-nsc-token.age" \
+  "${REPO_ROOT}/secrets/infra/forgejo-nsc-dispatcher-config.age" \
+  "${REPO_ROOT}/secrets/infra/forgejo-nsc-autoscaler-config.age"
+
+echo "Sealed forgejo-nsc runtime inputs into:"
+printf '  %s\n' \
+  "${REPO_ROOT}/secrets/infra/forgejo-nsc-token.age" \
+  "${REPO_ROOT}/secrets/infra/forgejo-nsc-dispatcher-config.age" \
+  "${REPO_ROOT}/secrets/infra/forgejo-nsc-autoscaler-config.age"
+echo "Deploy burrow-forge to apply the new CI credentials."

Scripts/sync-forgejo-nsc-config.sh

@@ -1,132 +1,7 @@
 #!/usr/bin/env bash
 set -euo pipefail
 
-usage() {
-  cat <<'EOF'
-Usage: Scripts/sync-forgejo-nsc-config.sh [options]
-
-Copy Burrow forgejo-nsc runtime inputs from intake/ onto the forge host and
-restart the dispatcher/autoscaler units.
-
-Options:
-  --host <user@host>       SSH target (default: root@git.burrow.net)
-  --ssh-key <path>         SSH private key (default: intake/agent_at_burrow_net_ed25519)
-  --rotate-pat             Re-render the intake files before syncing.
-  --no-restart             Copy files only.
-  -h, --help               Show this help text.
-EOF
-}
-
-SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
-REPO_ROOT="$(cd "${SCRIPT_DIR}/.." && pwd)"
-
-HOST="${BURROW_FORGE_HOST:-root@git.burrow.net}"
-SSH_KEY="${BURROW_FORGE_SSH_KEY:-${REPO_ROOT}/intake/agent_at_burrow_net_ed25519}"
-KNOWN_HOSTS_FILE="${BURROW_FORGE_KNOWN_HOSTS_FILE:-${HOME}/.cache/burrow/forge-known_hosts}"
-ROTATE_PAT=0
-NO_RESTART=0
-
-while [[ $# -gt 0 ]]; do
-  case "$1" in
-    --host)
-      HOST="${2:?missing value for --host}"
-      shift 2
-      ;;
-    --ssh-key)
-      SSH_KEY="${2:?missing value for --ssh-key}"
-      shift 2
-      ;;
-    --rotate-pat)
-      ROTATE_PAT=1
-      shift
-      ;;
-    --no-restart)
-      NO_RESTART=1
-      shift
-      ;;
-    -h|--help)
-      usage
-      exit 0
-      ;;
-    *)
-      echo "unknown option: $1" >&2
-      usage >&2
-      exit 64
-      ;;
-  esac
-done
-
-mkdir -p "$(dirname "${KNOWN_HOSTS_FILE}")"
-
-burrow_require_cmd() {
-  if ! command -v "$1" >/dev/null 2>&1; then
-    echo "missing required command: $1" >&2
-    exit 1
-  fi
-}
-
-burrow_require_cmd ssh
-burrow_require_cmd scp
-
-if [[ ! -f "${SSH_KEY}" ]]; then
-  echo "forge SSH key not found: ${SSH_KEY}" >&2
-  exit 1
-fi
-
-if [[ "${ROTATE_PAT}" -eq 1 ]]; then
-  "${SCRIPT_DIR}/provision-forgejo-nsc.sh" --host "${HOST}" --ssh-key "${SSH_KEY}"
-fi
-
-token_file="${REPO_ROOT}/intake/forgejo_nsc_token.txt"
-dispatcher_file="${REPO_ROOT}/intake/forgejo_nsc_dispatcher.yaml"
-autoscaler_file="${REPO_ROOT}/intake/forgejo_nsc_autoscaler.yaml"
-
-for path in "${token_file}" "${dispatcher_file}" "${autoscaler_file}"; do
-  if [[ ! -s "${path}" ]]; then
-    echo "required runtime input missing or empty: ${path}" >&2
-    exit 1
-  fi
-done
-
-ssh_opts=(
-  -i "${SSH_KEY}"
-  -o IdentitiesOnly=yes
-  -o UserKnownHostsFile="${KNOWN_HOSTS_FILE}"
-  -o StrictHostKeyChecking=accept-new
-)
-
-remote_tmp="$(ssh "${ssh_opts[@]}" "${HOST}" "mktemp -d")"
-cleanup() {
-  if [[ -n "${remote_tmp:-}" ]]; then
-    ssh "${ssh_opts[@]}" "${HOST}" "rm -rf '${remote_tmp}'" >/dev/null 2>&1 || true
-  fi
-}
-trap cleanup EXIT
-
-scp "${ssh_opts[@]}" \
-  "${token_file}" \
-  "${dispatcher_file}" \
-  "${autoscaler_file}" \
-  "${HOST}:${remote_tmp}/"
-
-ssh "${ssh_opts[@]}" "${HOST}" "
-  set -euo pipefail
-  install -d -m 0755 /var/lib/burrow/intake
-  install -m 0400 -o forgejo-nsc -g forgejo-nsc '${remote_tmp}/$(basename "${token_file}")' /var/lib/burrow/intake/forgejo_nsc_token.txt
-  install -m 0400 -o forgejo-nsc -g forgejo-nsc '${remote_tmp}/$(basename "${dispatcher_file}")' /var/lib/burrow/intake/forgejo_nsc_dispatcher.yaml
-  install -m 0400 -o forgejo-nsc -g forgejo-nsc '${remote_tmp}/$(basename "${autoscaler_file}")' /var/lib/burrow/intake/forgejo_nsc_autoscaler.yaml
-"
-
-if [[ "${NO_RESTART}" -eq 0 ]]; then
-  ssh "${ssh_opts[@]}" "${HOST}" "
-    set -euo pipefail
-    systemctl restart forgejo-nsc-dispatcher.service forgejo-nsc-autoscaler.service
-    systemctl is-active forgejo-nsc-dispatcher.service forgejo-nsc-autoscaler.service
-    ls -l \
-      /var/lib/burrow/intake/forgejo_nsc_token.txt \
-      /var/lib/burrow/intake/forgejo_nsc_dispatcher.yaml \
-      /var/lib/burrow/intake/forgejo_nsc_autoscaler.yaml
-  "
-fi
-
-echo "forgejo-nsc runtime sync complete (host=${HOST}, restarted=$((1 - NO_RESTART)))."
+echo "Scripts/sync-forgejo-nsc-config.sh is obsolete." >&2
+echo "Burrow forgejo-nsc now consumes agenix-backed secrets instead of host-local intake files." >&2
+echo "Use Scripts/seal-forgejo-nsc-secrets.sh and deploy burrow-forge." >&2
+exit 1