hackclub/burrow
1
0
Fork 0
Code Pull requests Releases Packages Activity Actions

Move forgejo-nsc credentials into agenix
Some checks are pending
Build Rust / Cargo Test (push) Waiting to run
Details
Build Site / Next.js Build (push) Waiting to run
Details
Lint Governance / BEP Metadata (push) Waiting to run
Details

Browse source
This commit is contained in:
Conrad Kramer 2026-04-05 23:08:23 -07:00
parent e40a947223
commit 70607e874c
15 changed files with 172 additions and 1495 deletions
Download patch file Download diff file Expand all files Collapse all files

75
nixos/modules/burrow-authentik.nix
View file

@ -10,7 +10,6 @@ let
dataVolume = "burrow-authentik-data:/data";
directorySyncScript = ../../Scripts/authentik-sync-burrow-directory.sh;
forgejoOidcSyncScript = ../../Scripts/authentik-sync-forgejo-oidc.sh;
namespacePortalOidcSyncScript = ../../Scripts/authentik-sync-namespace-portal-oidc.sh;
tailscaleOidcSyncScript = ../../Scripts/authentik-sync-tailscale-oidc.sh;
googleSourceSyncScript = ../../Scripts/authentik-sync-google-source.sh;
tailnetAuthFlowSyncScript = ../../Scripts/authentik-sync-tailnet-auth-flow.sh;
@ -139,30 +138,6 @@ in
description = "Authentik application slug for Tailscale custom OIDC sign-in.";
};
namespacePortalDomain = lib.mkOption {
type = lib.types.str;
default = "nsc.burrow.net";
description = "Public domain for the Burrow Namespace portal.";
};
namespacePortalProviderSlug = lib.mkOption {
type = lib.types.str;
default = "namespace";
description = "Authentik application slug for the Namespace portal.";
};
namespacePortalClientId = lib.mkOption {
type = lib.types.str;
default = "nsc.burrow.net";
description = "Client ID Authentik should present to the Namespace portal.";
};
namespacePortalClientSecretFile = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default = null;
description = "Optional host-local file containing the Authentik Namespace portal OIDC client secret.";
};
tailscaleClientId = lib.mkOption {
type = lib.types.str;
default = "tailscale.burrow.net";
@ -733,56 +708,6 @@ EOF
'';
};
systemd.services.burrow-authentik-namespace-portal-oidc = {
description = "Reconcile the Burrow Authentik Namespace portal OIDC application";
after = [
"burrow-authentik-ready.service"
"network-online.target"
];
wants = [
"burrow-authentik-ready.service"
"network-online.target"
];
wantedBy = [ "multi-user.target" ];
restartTriggers =
[
namespacePortalOidcSyncScript
cfg.envFile
]
++ lib.optionals (cfg.namespacePortalClientSecretFile != null) [ cfg.namespacePortalClientSecretFile ];
path = [
pkgs.bash
pkgs.coreutils
pkgs.curl
pkgs.jq
];
serviceConfig = {
Type = "oneshot";
User = "root";
Group = "root";
};
script = ''
set -euo pipefail
set -a
source ${lib.escapeShellArg cfg.envFile}
set +a
export AUTHENTIK_URL=https://${cfg.domain}
export AUTHENTIK_NAMESPACE_PORTAL_APPLICATION_SLUG=${lib.escapeShellArg cfg.namespacePortalProviderSlug}
export AUTHENTIK_NAMESPACE_PORTAL_APPLICATION_NAME="Namespace Portal"
export AUTHENTIK_NAMESPACE_PORTAL_PROVIDER_NAME="Namespace Portal"
export AUTHENTIK_NAMESPACE_PORTAL_TEMPLATE_SLUG=${lib.escapeShellArg cfg.headscaleProviderSlug}
export AUTHENTIK_NAMESPACE_PORTAL_CLIENT_ID=${lib.escapeShellArg cfg.namespacePortalClientId}
${lib.optionalString (cfg.namespacePortalClientSecretFile != null) ''
export AUTHENTIK_NAMESPACE_PORTAL_CLIENT_SECRET="$(tr -d '\r\n' < ${lib.escapeShellArg cfg.namespacePortalClientSecretFile})"
''}
export AUTHENTIK_NAMESPACE_PORTAL_LAUNCH_URL=https://${cfg.namespacePortalDomain}/
export AUTHENTIK_NAMESPACE_PORTAL_REDIRECT_URIS_JSON='["https://${cfg.namespacePortalDomain}/oauth/callback"]'
${pkgs.bash}/bin/bash ${namespacePortalOidcSyncScript}
'';
};
services.caddy.virtualHosts."${cfg.domain}".extraConfig = ''
encode gzip zstd
reverse_proxy 127.0.0.1:${toString cfg.port}

126
nixos/modules/burrow-namespace-portal.nix
View file

@ -1,126 +0,0 @@
{ config, lib, pkgs, self, ... }:
let
cfg = config.services.burrow.namespacePortal;
burrowExe = lib.getExe self.packages.${pkgs.system}.burrow;
nscExe = lib.getExe self.packages.${pkgs.system}.nsc;
in
{
options.services.burrow.namespacePortal = {
enable = lib.mkEnableOption "the Burrow Namespace authentication portal";
domain = lib.mkOption {
type = lib.types.str;
default = "nsc.burrow.net";
description = "Public domain for the Namespace portal.";
};
port = lib.mkOption {
type = lib.types.port;
default = 9080;
description = "Local listen port for the Namespace portal.";
};
baseUrl = lib.mkOption {
type = lib.types.str;
default = "https://nsc.burrow.net";
description = "Public base URL for redirects.";
};
oidcProviderSlug = lib.mkOption {
type = lib.types.str;
default = "namespace";
description = "Authentik provider slug used for the portal.";
};
oidcClientId = lib.mkOption {
type = lib.types.str;
default = "nsc.burrow.net";
description = "OIDC client ID used by the portal.";
};
oidcClientSecretFile = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default = null;
description = "Optional host-local OIDC client secret for the portal.";
};
adminGroup = lib.mkOption {
type = lib.types.str;
default = "burrow-admins";
description = "Authentik group required to access the portal.";
};
stateDir = lib.mkOption {
type = lib.types.str;
default = "/var/lib/burrow/namespace-portal";
description = "Persistent state directory for the portal-owned NSC session.";
};
tokenOutputPath = lib.mkOption {
type = lib.types.str;
default = "/var/lib/burrow/intake/forgejo_nsc_token.txt";
description = "Path where refreshed NSC tokens should be written.";
};
};
config = lib.mkIf cfg.enable {
assertions = [
{
assertion = config.services.forgejo-nsc.enable;
message = "services.burrow.namespacePortal requires services.forgejo-nsc.enable";
}
];
systemd.tmpfiles.rules = [
"d ${cfg.stateDir} 0750 forgejo-nsc forgejo-nsc -"
"d ${cfg.stateDir}/nsc 0750 forgejo-nsc forgejo-nsc -"
];
systemd.services.burrow-namespace-portal = {
description = "Burrow Namespace authentication portal";
after = [
"network-online.target"
"burrow-authentik-ready.service"
];
wants = [
"network-online.target"
"burrow-authentik-ready.service"
];
wantedBy = [ "multi-user.target" ];
path = [
self.packages.${pkgs.system}.burrow
self.packages.${pkgs.system}.nsc
pkgs.coreutils
];
serviceConfig = {
Type = "simple";
User = "forgejo-nsc";
Group = "forgejo-nsc";
WorkingDirectory = cfg.stateDir;
Restart = "on-failure";
RestartSec = "2s";
};
script = ''
set -euo pipefail
export BURROW_NAMESPACE_PORTAL_LISTEN=127.0.0.1:${toString cfg.port}
export BURROW_NAMESPACE_PORTAL_BASE_URL=${lib.escapeShellArg cfg.baseUrl}
export BURROW_NAMESPACE_PORTAL_OIDC_DISCOVERY_URL=${lib.escapeShellArg "https://${config.services.burrow.authentik.domain}/application/o/${cfg.oidcProviderSlug}/.well-known/openid-configuration"}
export BURROW_NAMESPACE_PORTAL_OIDC_CLIENT_ID=${lib.escapeShellArg cfg.oidcClientId}
export BURROW_NAMESPACE_PORTAL_ALLOWED_GROUP=${lib.escapeShellArg cfg.adminGroup}
export BURROW_NAMESPACE_PORTAL_NSC_BIN=${lib.escapeShellArg nscExe}
export BURROW_NAMESPACE_PORTAL_NSC_STATE_DIR=${lib.escapeShellArg "${cfg.stateDir}/nsc"}
export BURROW_NAMESPACE_PORTAL_TOKEN_OUTPUT_PATH=${lib.escapeShellArg cfg.tokenOutputPath}
${lib.optionalString (cfg.oidcClientSecretFile != null) ''
export BURROW_NAMESPACE_PORTAL_OIDC_CLIENT_SECRET="$(tr -d '\r\n' < ${lib.escapeShellArg cfg.oidcClientSecretFile})"
''}
exec ${burrowExe} namespace-portal
'';
};
services.caddy.virtualHosts."${cfg.domain}".extraConfig = ''
encode gzip zstd
reverse_proxy 127.0.0.1:${toString cfg.port}
'';
};
}