Move forgejo-nsc credentials into agenix

nixos/README.md

@@ -12,7 +12,6 @@ Mail hosting is intentionally not part of this NixOS host in the current plan. B
 - upstream `compatible.systems/conrad/nsc-autoscaler`: Namespace-backed ephemeral Forgejo runner module consumed via the Burrow flake input
 - `modules/burrow-authentik.nix`: minimal Authentik IdP for Burrow control planes
 - `modules/burrow-headscale.nix`: Headscale control plane rooted in Authentik OIDC
-- `modules/burrow-namespace-portal.nix`: small admin portal for forge-owned Namespace authentication and NSC token refresh
 - `../secrets.nix`: agenix recipient map for tracked Burrow forge secrets
 - `hetzner-cloud-config.yaml`: desired Hetzner host shape
 - `keys/contact_at_burrow_net.pub`: initial operator SSH public key
@@ -24,8 +23,7 @@ Mail hosting is intentionally not part of this NixOS host in the current plan. B
 - `../Scripts/cloudflare-upsert-a-record.sh`: upsert DNS-only Cloudflare `A` records for Burrow host cutovers
 - `../Scripts/forge-deploy.sh`: remote `nixos-rebuild` entrypoint for the forge host
 - `../Scripts/provision-forgejo-nsc.sh`: render Burrow Namespace dispatcher/autoscaler runtime inputs and ensure the default Forgejo scope exists
-- `../Scripts/sync-forgejo-nsc-config.sh`: copy intake-backed dispatcher/autoscaler inputs to the host
-- `../Scripts/authentik-sync-namespace-portal-oidc.sh`: reconcile the Authentik OIDC app used by `nsc.burrow.net`
+- `../Scripts/seal-forgejo-nsc-secrets.sh`: encrypt forgejo-nsc runtime inputs into the agenix secrets consumed by `burrow-forge`
 
 ## Intended Flow
 
@@ -34,16 +32,17 @@ Mail hosting is intentionally not part of this NixOS host in the current plan. B
 3. Run `Scripts/bootstrap-forge-intake.sh` to place the Forgejo bootstrap password file and automation SSH key under `/var/lib/burrow/intake/`.
 4. Let `burrow-forgejo-bootstrap.service` create or rotate the initial Forgejo admin account.
 5. Let `burrow-forgejo-runner-bootstrap.service` register the self-hosted Forgejo runner and seed Git identity as `agent <agent@burrow.net>`.
-6. Run `Scripts/provision-forgejo-nsc.sh` locally, then `Scripts/sync-forgejo-nsc-config.sh` to place the raw Namespace dispatcher/autoscaler runtime inputs under `/var/lib/burrow/intake/` for the upstream `services.forgejo-nsc` module.
-7. Visit `https://nsc.burrow.net/` as a Burrow admin to link the forge-owned Namespace session and rotate `/var/lib/burrow/intake/forgejo_nsc_token.txt` without relying on a personal local `nsc` login.
-8. Ensure `/var/lib/agenix/agenix.key` exists on the host, encrypt `secrets/infra/authentik.env.age`, `secrets/infra/authentik-google-client-id.age`, `secrets/infra/authentik-google-client-secret.age`, `secrets/infra/forgejo-oidc-client-secret.age`, and `secrets/infra/headscale-oidc-client-secret.age`, and let agenix materialize them under `/run/agenix/`.
-9. Use `Scripts/cloudflare-upsert-a-record.sh` to point `git.burrow.net`, `burrow.net`, `auth.burrow.net`, `ts.burrow.net`, `nsc.burrow.net`, and `nsc-autoscaler.burrow.net` at the host with Cloudflare proxying disabled for ACME.
+6. Run `Scripts/provision-forgejo-nsc.sh` locally to refresh `intake/forgejo_nsc_token.txt`, `intake/forgejo_nsc_dispatcher.yaml`, and `intake/forgejo_nsc_autoscaler.yaml`.
+7. Run `Scripts/seal-forgejo-nsc-secrets.sh` to encrypt those runtime inputs into the agenix secrets used by `burrow-forge`.
+8. Ensure `/var/lib/agenix/agenix.key` exists on the host, encrypt `secrets/infra/authentik.env.age`, `secrets/infra/authentik-google-client-id.age`, `secrets/infra/authentik-google-client-secret.age`, `secrets/infra/forgejo-oidc-client-secret.age`, `secrets/infra/headscale-oidc-client-secret.age`, `secrets/infra/forgejo-nsc-token.age`, `secrets/infra/forgejo-nsc-dispatcher-config.age`, and `secrets/infra/forgejo-nsc-autoscaler-config.age`, and let agenix materialize them under `/run/agenix/`.
+9. Use `Scripts/cloudflare-upsert-a-record.sh` to point `git.burrow.net`, `burrow.net`, `auth.burrow.net`, `ts.burrow.net`, and `nsc-autoscaler.burrow.net` at the host with Cloudflare proxying disabled for ACME.
 10. Use `Scripts/forge-deploy.sh --allow-dirty` for subsequent remote `nixos-rebuild` runs from the live workspace.
 11. Configure Forward Email custom S3 backups for `burrow.net` and `burrow.rs` out-of-band with `Tools/forwardemail-custom-s3.sh`.
 
 ## Current Constraints
 
-- `burrow-forge` is live on NixOS in `hel1` at `89.167.47.21`, and `Scripts/check-forge-host.sh --expect-nsc` passes locally against that host.
+- `burrow-forge` is live on NixOS in `hel1` at `89.167.47.21`.
+- `services.forgejo-nsc` now expects agenix-backed runtime inputs at `/run/agenix/burrowForgejoNscToken`, `/run/agenix/burrowForgejoNscDispatcherConfig`, and `/run/agenix/burrowForgejoNscAutoscalerConfig`.
 - Authentik and Headscale secrets now live in tracked agenix blobs under `secrets/infra/` and decrypt to `/run/agenix/` on the forge host.
 - Public Burrow forge cutover completed on March 15, 2026:
   - `burrow.net`, `git.burrow.net`, and `nsc-autoscaler.burrow.net` now publish public `A` records to `89.167.47.21`

nixos/hosts/burrow-forge/default.nix

@@ -33,7 +33,6 @@ in
     self.nixosModules.burrow-forgejo-nsc
     self.nixosModules.burrow-authentik
     self.nixosModules.burrow-headscale
-    self.nixosModules.burrow-namespace-portal
   ];
 
   system.stateVersion = "24.11";
@@ -88,10 +87,28 @@ in
     group = "root";
     mode = "0400";
   };
+  age.secrets.burrowForgejoNscToken = {
+    file = ../../../secrets/infra/forgejo-nsc-token.age;
+    owner = "forgejo-nsc";
+    group = "forgejo-nsc";
+    mode = "0400";
+  };
+  age.secrets.burrowForgejoNscDispatcherConfig = {
+    file = ../../../secrets/infra/forgejo-nsc-dispatcher-config.age;
+    owner = "forgejo-nsc";
+    group = "forgejo-nsc";
+    mode = "0400";
+  };
+  age.secrets.burrowForgejoNscAutoscalerConfig = {
+    file = ../../../secrets/infra/forgejo-nsc-autoscaler-config.age;
+    owner = "forgejo-nsc";
+    group = "forgejo-nsc";
+    mode = "0400";
+  };
 
   networking.extraHosts = ''
-    127.0.0.1 burrow.net git.burrow.net auth.burrow.net ts.burrow.net nsc-autoscaler.burrow.net nsc.burrow.net
-    ::1 burrow.net git.burrow.net auth.burrow.net ts.burrow.net nsc-autoscaler.burrow.net nsc.burrow.net
+    127.0.0.1 burrow.net git.burrow.net auth.burrow.net ts.burrow.net nsc-autoscaler.burrow.net
+    ::1 burrow.net git.burrow.net auth.burrow.net ts.burrow.net nsc-autoscaler.burrow.net
   '';
 
   services.burrow.forge = {
@@ -113,13 +130,13 @@ in
 
   services.forgejo-nsc = {
     enable = true;
-    nscTokenFile = "/var/lib/burrow/intake/forgejo_nsc_token.txt";
+    nscTokenFile = config.age.secrets.burrowForgejoNscToken.path;
     dispatcher = {
-      configFile = "/var/lib/burrow/intake/forgejo_nsc_dispatcher.yaml";
+      configFile = config.age.secrets.burrowForgejoNscDispatcherConfig.path;
     };
     autoscaler = {
       enable = true;
-      configFile = "/var/lib/burrow/intake/forgejo_nsc_autoscaler.yaml";
+      configFile = config.age.secrets.burrowForgejoNscAutoscalerConfig.path;
     };
   };
 
@@ -141,11 +158,4 @@ in
     enable = true;
     oidcClientSecretFile = config.age.secrets.burrowHeadscaleOidcClientSecret.path;
   };
-
-  services.burrow.namespacePortal = {
-    enable = true;
-    domain = "nsc.burrow.net";
-    baseUrl = "https://nsc.burrow.net";
-    adminGroup = contributors.groups.admins;
-  };
 }

nixos/modules/burrow-authentik.nix

@@ -10,7 +10,6 @@ let
   dataVolume = "burrow-authentik-data:/data";
   directorySyncScript = ../../Scripts/authentik-sync-burrow-directory.sh;
   forgejoOidcSyncScript = ../../Scripts/authentik-sync-forgejo-oidc.sh;
-  namespacePortalOidcSyncScript = ../../Scripts/authentik-sync-namespace-portal-oidc.sh;
   tailscaleOidcSyncScript = ../../Scripts/authentik-sync-tailscale-oidc.sh;
   googleSourceSyncScript = ../../Scripts/authentik-sync-google-source.sh;
   tailnetAuthFlowSyncScript = ../../Scripts/authentik-sync-tailnet-auth-flow.sh;
@@ -139,30 +138,6 @@ in
       description = "Authentik application slug for Tailscale custom OIDC sign-in.";
     };
 
-    namespacePortalDomain = lib.mkOption {
-      type = lib.types.str;
-      default = "nsc.burrow.net";
-      description = "Public domain for the Burrow Namespace portal.";
-    };
-
-    namespacePortalProviderSlug = lib.mkOption {
-      type = lib.types.str;
-      default = "namespace";
-      description = "Authentik application slug for the Namespace portal.";
-    };
-
-    namespacePortalClientId = lib.mkOption {
-      type = lib.types.str;
-      default = "nsc.burrow.net";
-      description = "Client ID Authentik should present to the Namespace portal.";
-    };
-
-    namespacePortalClientSecretFile = lib.mkOption {
-      type = lib.types.nullOr lib.types.str;
-      default = null;
-      description = "Optional host-local file containing the Authentik Namespace portal OIDC client secret.";
-    };
-
     tailscaleClientId = lib.mkOption {
       type = lib.types.str;
       default = "tailscale.burrow.net";
@@ -733,56 +708,6 @@ EOF
       '';
     };
 
-    systemd.services.burrow-authentik-namespace-portal-oidc = {
-      description = "Reconcile the Burrow Authentik Namespace portal OIDC application";
-      after = [
-        "burrow-authentik-ready.service"
-        "network-online.target"
-      ];
-      wants = [
-        "burrow-authentik-ready.service"
-        "network-online.target"
-      ];
-      wantedBy = [ "multi-user.target" ];
-      restartTriggers =
-        [
-          namespacePortalOidcSyncScript
-          cfg.envFile
-        ]
-        ++ lib.optionals (cfg.namespacePortalClientSecretFile != null) [ cfg.namespacePortalClientSecretFile ];
-      path = [
-        pkgs.bash
-        pkgs.coreutils
-        pkgs.curl
-        pkgs.jq
-      ];
-      serviceConfig = {
-        Type = "oneshot";
-        User = "root";
-        Group = "root";
-      };
-      script = ''
-        set -euo pipefail
-        set -a
-        source ${lib.escapeShellArg cfg.envFile}
-        set +a
-
-        export AUTHENTIK_URL=https://${cfg.domain}
-        export AUTHENTIK_NAMESPACE_PORTAL_APPLICATION_SLUG=${lib.escapeShellArg cfg.namespacePortalProviderSlug}
-        export AUTHENTIK_NAMESPACE_PORTAL_APPLICATION_NAME="Namespace Portal"
-        export AUTHENTIK_NAMESPACE_PORTAL_PROVIDER_NAME="Namespace Portal"
-        export AUTHENTIK_NAMESPACE_PORTAL_TEMPLATE_SLUG=${lib.escapeShellArg cfg.headscaleProviderSlug}
-        export AUTHENTIK_NAMESPACE_PORTAL_CLIENT_ID=${lib.escapeShellArg cfg.namespacePortalClientId}
-        ${lib.optionalString (cfg.namespacePortalClientSecretFile != null) ''
-          export AUTHENTIK_NAMESPACE_PORTAL_CLIENT_SECRET="$(tr -d '\r\n' < ${lib.escapeShellArg cfg.namespacePortalClientSecretFile})"
-        ''}
-        export AUTHENTIK_NAMESPACE_PORTAL_LAUNCH_URL=https://${cfg.namespacePortalDomain}/
-        export AUTHENTIK_NAMESPACE_PORTAL_REDIRECT_URIS_JSON='["https://${cfg.namespacePortalDomain}/oauth/callback"]'
-
-        ${pkgs.bash}/bin/bash ${namespacePortalOidcSyncScript}
-      '';
-    };
-
     services.caddy.virtualHosts."${cfg.domain}".extraConfig = ''
       encode gzip zstd
       reverse_proxy 127.0.0.1:${toString cfg.port}

nixos/modules/burrow-namespace-portal.nix

@@ -1,126 +0,0 @@
-{ config, lib, pkgs, self, ... }:
-
-let
-  cfg = config.services.burrow.namespacePortal;
-  burrowExe = lib.getExe self.packages.${pkgs.system}.burrow;
-  nscExe = lib.getExe self.packages.${pkgs.system}.nsc;
-in
-{
-  options.services.burrow.namespacePortal = {
-    enable = lib.mkEnableOption "the Burrow Namespace authentication portal";
-
-    domain = lib.mkOption {
-      type = lib.types.str;
-      default = "nsc.burrow.net";
-      description = "Public domain for the Namespace portal.";
-    };
-
-    port = lib.mkOption {
-      type = lib.types.port;
-      default = 9080;
-      description = "Local listen port for the Namespace portal.";
-    };
-
-    baseUrl = lib.mkOption {
-      type = lib.types.str;
-      default = "https://nsc.burrow.net";
-      description = "Public base URL for redirects.";
-    };
-
-    oidcProviderSlug = lib.mkOption {
-      type = lib.types.str;
-      default = "namespace";
-      description = "Authentik provider slug used for the portal.";
-    };
-
-    oidcClientId = lib.mkOption {
-      type = lib.types.str;
-      default = "nsc.burrow.net";
-      description = "OIDC client ID used by the portal.";
-    };
-
-    oidcClientSecretFile = lib.mkOption {
-      type = lib.types.nullOr lib.types.str;
-      default = null;
-      description = "Optional host-local OIDC client secret for the portal.";
-    };
-
-    adminGroup = lib.mkOption {
-      type = lib.types.str;
-      default = "burrow-admins";
-      description = "Authentik group required to access the portal.";
-    };
-
-    stateDir = lib.mkOption {
-      type = lib.types.str;
-      default = "/var/lib/burrow/namespace-portal";
-      description = "Persistent state directory for the portal-owned NSC session.";
-    };
-
-    tokenOutputPath = lib.mkOption {
-      type = lib.types.str;
-      default = "/var/lib/burrow/intake/forgejo_nsc_token.txt";
-      description = "Path where refreshed NSC tokens should be written.";
-    };
-  };
-
-  config = lib.mkIf cfg.enable {
-    assertions = [
-      {
-        assertion = config.services.forgejo-nsc.enable;
-        message = "services.burrow.namespacePortal requires services.forgejo-nsc.enable";
-      }
-    ];
-
-    systemd.tmpfiles.rules = [
-      "d ${cfg.stateDir} 0750 forgejo-nsc forgejo-nsc -"
-      "d ${cfg.stateDir}/nsc 0750 forgejo-nsc forgejo-nsc -"
-    ];
-
-    systemd.services.burrow-namespace-portal = {
-      description = "Burrow Namespace authentication portal";
-      after = [
-        "network-online.target"
-        "burrow-authentik-ready.service"
-      ];
-      wants = [
-        "network-online.target"
-        "burrow-authentik-ready.service"
-      ];
-      wantedBy = [ "multi-user.target" ];
-      path = [
-        self.packages.${pkgs.system}.burrow
-        self.packages.${pkgs.system}.nsc
-        pkgs.coreutils
-      ];
-      serviceConfig = {
-        Type = "simple";
-        User = "forgejo-nsc";
-        Group = "forgejo-nsc";
-        WorkingDirectory = cfg.stateDir;
-        Restart = "on-failure";
-        RestartSec = "2s";
-      };
-      script = ''
-        set -euo pipefail
-        export BURROW_NAMESPACE_PORTAL_LISTEN=127.0.0.1:${toString cfg.port}
-        export BURROW_NAMESPACE_PORTAL_BASE_URL=${lib.escapeShellArg cfg.baseUrl}
-        export BURROW_NAMESPACE_PORTAL_OIDC_DISCOVERY_URL=${lib.escapeShellArg "https://${config.services.burrow.authentik.domain}/application/o/${cfg.oidcProviderSlug}/.well-known/openid-configuration"}
-        export BURROW_NAMESPACE_PORTAL_OIDC_CLIENT_ID=${lib.escapeShellArg cfg.oidcClientId}
-        export BURROW_NAMESPACE_PORTAL_ALLOWED_GROUP=${lib.escapeShellArg cfg.adminGroup}
-        export BURROW_NAMESPACE_PORTAL_NSC_BIN=${lib.escapeShellArg nscExe}
-        export BURROW_NAMESPACE_PORTAL_NSC_STATE_DIR=${lib.escapeShellArg "${cfg.stateDir}/nsc"}
-        export BURROW_NAMESPACE_PORTAL_TOKEN_OUTPUT_PATH=${lib.escapeShellArg cfg.tokenOutputPath}
-        ${lib.optionalString (cfg.oidcClientSecretFile != null) ''
-          export BURROW_NAMESPACE_PORTAL_OIDC_CLIENT_SECRET="$(tr -d '\r\n' < ${lib.escapeShellArg cfg.oidcClientSecretFile})"
-        ''}
-        exec ${burrowExe} namespace-portal
-      '';
-    };
-
-    services.caddy.virtualHosts."${cfg.domain}".extraConfig = ''
-      encode gzip zstd
-      reverse_proxy 127.0.0.1:${toString cfg.port}
-    '';
-  };
-}