hackclub/burrow
1
0
Fork 0
Code Pull requests Releases Packages Activity Actions

Move forgejo-nsc credentials into agenix
Some checks are pending
Build Rust / Cargo Test (push) Waiting to run
Details
Build Site / Next.js Build (push) Waiting to run
Details
Lint Governance / BEP Metadata (push) Waiting to run
Details

Browse source
This commit is contained in:
Conrad Kramer 2026-04-05 23:08:23 -07:00
parent e40a947223
commit 70607e874c
15 changed files with 172 additions and 1495 deletions
Download patch file Download diff file Expand all files Collapse all files

75
nixos/modules/burrow-authentik.nix
View file

@ -10,7 +10,6 @@ let
dataVolume = "burrow-authentik-data:/data";
directorySyncScript = ../../Scripts/authentik-sync-burrow-directory.sh;
forgejoOidcSyncScript = ../../Scripts/authentik-sync-forgejo-oidc.sh;
namespacePortalOidcSyncScript = ../../Scripts/authentik-sync-namespace-portal-oidc.sh;
tailscaleOidcSyncScript = ../../Scripts/authentik-sync-tailscale-oidc.sh;
googleSourceSyncScript = ../../Scripts/authentik-sync-google-source.sh;
tailnetAuthFlowSyncScript = ../../Scripts/authentik-sync-tailnet-auth-flow.sh;
@ -139,30 +138,6 @@ in
description = "Authentik application slug for Tailscale custom OIDC sign-in.";
};
namespacePortalDomain = lib.mkOption {
type = lib.types.str;
default = "nsc.burrow.net";
description = "Public domain for the Burrow Namespace portal.";
};
namespacePortalProviderSlug = lib.mkOption {
type = lib.types.str;
default = "namespace";
description = "Authentik application slug for the Namespace portal.";
};
namespacePortalClientId = lib.mkOption {
type = lib.types.str;
default = "nsc.burrow.net";
description = "Client ID Authentik should present to the Namespace portal.";
};
namespacePortalClientSecretFile = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default = null;
description = "Optional host-local file containing the Authentik Namespace portal OIDC client secret.";
};
tailscaleClientId = lib.mkOption {
type = lib.types.str;
default = "tailscale.burrow.net";
@ -733,56 +708,6 @@ EOF
'';
};
systemd.services.burrow-authentik-namespace-portal-oidc = {
description = "Reconcile the Burrow Authentik Namespace portal OIDC application";
after = [
"burrow-authentik-ready.service"
"network-online.target"
];
wants = [
"burrow-authentik-ready.service"
"network-online.target"
];
wantedBy = [ "multi-user.target" ];
restartTriggers =
[
namespacePortalOidcSyncScript
cfg.envFile
]
++ lib.optionals (cfg.namespacePortalClientSecretFile != null) [ cfg.namespacePortalClientSecretFile ];
path = [
pkgs.bash
pkgs.coreutils
pkgs.curl
pkgs.jq
];
serviceConfig = {
Type = "oneshot";
User = "root";
Group = "root";
};
script = ''
set -euo pipefail
set -a
source ${lib.escapeShellArg cfg.envFile}
set +a
export AUTHENTIK_URL=https://${cfg.domain}
export AUTHENTIK_NAMESPACE_PORTAL_APPLICATION_SLUG=${lib.escapeShellArg cfg.namespacePortalProviderSlug}
export AUTHENTIK_NAMESPACE_PORTAL_APPLICATION_NAME="Namespace Portal"
export AUTHENTIK_NAMESPACE_PORTAL_PROVIDER_NAME="Namespace Portal"
export AUTHENTIK_NAMESPACE_PORTAL_TEMPLATE_SLUG=${lib.escapeShellArg cfg.headscaleProviderSlug}
export AUTHENTIK_NAMESPACE_PORTAL_CLIENT_ID=${lib.escapeShellArg cfg.namespacePortalClientId}
${lib.optionalString (cfg.namespacePortalClientSecretFile != null) ''
export AUTHENTIK_NAMESPACE_PORTAL_CLIENT_SECRET="$(tr -d '\r\n' < ${lib.escapeShellArg cfg.namespacePortalClientSecretFile})"
''}
export AUTHENTIK_NAMESPACE_PORTAL_LAUNCH_URL=https://${cfg.namespacePortalDomain}/
export AUTHENTIK_NAMESPACE_PORTAL_REDIRECT_URIS_JSON='["https://${cfg.namespacePortalDomain}/oauth/callback"]'
${pkgs.bash}/bin/bash ${namespacePortalOidcSyncScript}
'';
};
services.caddy.virtualHosts."${cfg.domain}".extraConfig = ''
encode gzip zstd
reverse_proxy 127.0.0.1:${toString cfg.port}