Use upstream nsc-autoscaler on burrow forge

2026-04-04 22:20:55 -07:00 · 2026-04-04 22:20:55 -07:00 · 9e3e8fa783
commit 9e3e8fa783
parent 3d80e772c8
6 changed files with 36 additions and 241 deletions
--- a/flake.lock
+++ b/flake.lock
@ -123,13 +123,37 @@
        "url": "https://codeload.github.com/NixOS/nixpkgs/tar.gz/nixos-unstable"
      }
    },
    "nsc-autoscaler": {
      "inputs": {
        "flake-utils": [
          "flake-utils"
        ],
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1775221037,
        "narHash": "sha256-tv6Y3cqn76PEyZpSMMItVW96KKIboovBWTOv5Lt7PXg=",
        "ref": "refs/heads/main",
        "rev": "2c485752fde28ec3be2f228b571d1906f4bcf917",
        "revCount": 10,
        "type": "git",
        "url": "https://compatible.systems/conrad/nsc-autoscaler.git"
      },
      "original": {
        "type": "git",
        "url": "https://compatible.systems/conrad/nsc-autoscaler.git"
      }
    },
    "root": {
      "inputs": {
        "agenix": "agenix",
        "disko": "disko",
        "flake-utils": "flake-utils",
        "hcloud-upload-image-src": "hcloud-upload-image-src",
-        "nixpkgs": "nixpkgs"
+        "nixpkgs": "nixpkgs",
        "nsc-autoscaler": "nsc-autoscaler"
      }
    },
    "systems": {
--- a/flake.nix
+++ b/flake.nix
@ -12,13 +12,18 @@
      url = "tarball+https://codeload.github.com/nix-community/disko/tar.gz/master";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    nsc-autoscaler = {
      url = "git+https://compatible.systems/conrad/nsc-autoscaler.git";
      inputs.nixpkgs.follows = "nixpkgs";
      inputs.flake-utils.follows = "flake-utils";
    };
    hcloud-upload-image-src = {
      url = "tarball+https://codeload.github.com/apricote/hcloud-upload-image/tar.gz/v1.3.0";
      flake = false;
    };
  };
-  outputs = { self, nixpkgs, flake-utils, agenix, disko, hcloud-upload-image-src }:
+  outputs = { self, nixpkgs, flake-utils, agenix, disko, nsc-autoscaler, hcloud-upload-image-src }:
    let
      supportedSystems = [
        "x86_64-linux"
@ -175,7 +180,7 @@
    // {
      nixosModules.burrow-forge = import ./nixos/modules/burrow-forge.nix;
      nixosModules.burrow-forge-runner = import ./nixos/modules/burrow-forge-runner.nix;
-      nixosModules.burrow-forgejo-nsc = import ./nixos/modules/burrow-forgejo-nsc.nix;
+      nixosModules.burrow-forgejo-nsc = nsc-autoscaler.nixosModules.default;
      nixosModules.burrow-authentik = import ./nixos/modules/burrow-authentik.nix;
      nixosModules.burrow-headscale = import ./nixos/modules/burrow-headscale.nix;
--- a/nixos/README.md
+++ b/nixos/README.md
@ -9,7 +9,7 @@ Mail hosting is intentionally not part of this NixOS host in the current plan. B
 - `hosts/burrow-forge/default.nix`: host entrypoint
 - `modules/burrow-forge.nix`: Forgejo, Caddy, PostgreSQL, and admin bootstrap module
 - `modules/burrow-forge-runner.nix`: Forgejo Actions runner and agent identity bootstrap
- `modules/burrow-forgejo-nsc.nix`: Namespace-backed ephemeral Forgejo runner services
+- upstream `compatible.systems/conrad/nsc-autoscaler`: Namespace-backed ephemeral Forgejo runner module consumed via the Burrow flake input
 - `modules/burrow-authentik.nix`: minimal Authentik IdP for Burrow control planes
 - `modules/burrow-headscale.nix`: Headscale control plane rooted in Authentik OIDC
 - `../secrets.nix`: agenix recipient map for tracked Burrow forge secrets
@ -32,7 +32,7 @@ Mail hosting is intentionally not part of this NixOS host in the current plan. B
 3. Run `Scripts/bootstrap-forge-intake.sh` to place the Forgejo bootstrap password file and automation SSH key under `/var/lib/burrow/intake/`.
 4. Let `burrow-forgejo-bootstrap.service` create or rotate the initial Forgejo admin account.
 5. Let `burrow-forgejo-runner-bootstrap.service` register the self-hosted Forgejo runner and seed Git identity as `agent <agent@burrow.net>`.
-6. Run `Scripts/provision-forgejo-nsc.sh` locally, then `Scripts/sync-forgejo-nsc-config.sh` to place the Namespace dispatcher/autoscaler runtime inputs under `/var/lib/burrow/intake/`.
+6. Run `Scripts/provision-forgejo-nsc.sh` locally, then `Scripts/sync-forgejo-nsc-config.sh` to place the raw Namespace dispatcher/autoscaler runtime inputs under `/var/lib/burrow/intake/` for the upstream `services.forgejo-nsc` module.
 7. Ensure `/var/lib/agenix/agenix.key` exists on the host, encrypt `secrets/infra/authentik.env.age`, `secrets/infra/authentik-google-client-id.age`, `secrets/infra/authentik-google-client-secret.age`, `secrets/infra/forgejo-oidc-client-secret.age`, and `secrets/infra/headscale-oidc-client-secret.age`, and let agenix materialize them under `/run/agenix/`.
 8. Use `Scripts/cloudflare-upsert-a-record.sh` to point `git.burrow.net`, `burrow.net`, `auth.burrow.net`, `ts.burrow.net`, and `nsc-autoscaler.burrow.net` at the host with Cloudflare proxying disabled for ACME.
 9. Use `Scripts/forge-deploy.sh --allow-dirty` for subsequent remote `nixos-rebuild` runs from the live workspace.
--- a/nixos/hosts/burrow-forge/default.nix
+++ b/nixos/hosts/burrow-forge/default.nix
@ -104,7 +104,7 @@ in
    sshPrivateKeyFile = "/var/lib/burrow/intake/agent_at_burrow_net_ed25519";
  };
-  services.burrow.forgejoNsc = {
+  services.forgejo-nsc = {
    enable = true;
    nscTokenFile = "/var/lib/burrow/intake/forgejo_nsc_token.txt";
    dispatcher = {
--- a/nixos/modules/burrow-forge.nix
+++ b/nixos/modules/burrow-forge.nix
@ -271,7 +271,7 @@ in
          '';
        }
        // lib.optionalAttrs (
-          config.services.burrow.forgejoNsc.enable && config.services.burrow.forgejoNsc.autoscaler.enable
+          config.services.forgejo-nsc.enable && config.services.forgejo-nsc.autoscaler.enable
        ) {
          "${cfg.nscAutoscalerDomain}".extraConfig = ''
            encode gzip zstd
--- a/nixos/modules/burrow-forgejo-nsc.nix
+++ b/nixos/modules/burrow-forgejo-nsc.nix
@ -1,234 +0,0 @@
 { config, lib, pkgs, self, ... }:
 let
  inherit (lib)
    mkEnableOption
    mkIf
    mkOption
    types
    mkAfter
    mkDefault
    optional
    optionalAttrs
    optionalString
    ;
  cfg = config.services.burrow.forgejoNsc;
  dispatcherRuntimeConfig = "${cfg.stateDir}/dispatcher.yaml";
  autoscalerRuntimeConfig = "${cfg.stateDir}/autoscaler.yaml";
  pendingCheck = configPath: pkgs.writeShellScript "forgejo-nsc-check-pending" ''
    set -euo pipefail
    if ${pkgs.gnugrep}/bin/grep -q 'PENDING-' '${configPath}'; then
      echo "forgejo-nsc config still contains placeholder values (PENDING-); update ${configPath} before starting." >&2
      exit 1
    fi
  '';
  nscTokenPath = "${cfg.stateDir}/nsc.token";
  tokenSync = optionalString (cfg.nscTokenFile != null) ''
    install -m 600 ${lib.escapeShellArg cfg.nscTokenFile} ${lib.escapeShellArg nscTokenPath}
    chown ${cfg.user}:${cfg.group} ${nscTokenPath}
    chmod 600 ${nscTokenPath}
  '';
  dispatcherConfigSync = optionalString (cfg.dispatcher.configFile != null) ''
    install -m 400 ${lib.escapeShellArg cfg.dispatcher.configFile} ${lib.escapeShellArg dispatcherRuntimeConfig}
    chown ${cfg.user}:${cfg.group} ${lib.escapeShellArg dispatcherRuntimeConfig}
    chmod 400 ${lib.escapeShellArg dispatcherRuntimeConfig}
  '';
  autoscalerConfigSync = optionalString (cfg.autoscaler.configFile != null) ''
    install -m 400 ${lib.escapeShellArg cfg.autoscaler.configFile} ${lib.escapeShellArg autoscalerRuntimeConfig}
    chown ${cfg.user}:${cfg.group} ${lib.escapeShellArg autoscalerRuntimeConfig}
    chmod 400 ${lib.escapeShellArg autoscalerRuntimeConfig}
  '';
  dispatcherEnv =
    cfg.extraEnv
    // optionalAttrs (cfg.nscTokenFile != null) { NSC_TOKEN_FILE = nscTokenPath; }
    // optionalAttrs (cfg.nscTokenSpecFile != null) { NSC_TOKEN_SPEC_FILE = cfg.nscTokenSpecFile; }
    // optionalAttrs (cfg.nscEndpoint != null) { NSC_ENDPOINT = cfg.nscEndpoint; };
 in {
  options.services.burrow.forgejoNsc = {
    enable = mkEnableOption "Forgejo Namespace Cloud runner dispatcher";
    user = mkOption {
      type = types.str;
      default = "forgejo-nsc";
      description = "System user that runs the forgejo-nsc services.";
    };
    group = mkOption {
      type = types.str;
      default = "forgejo-nsc";
      description = "System group for the forgejo-nsc services.";
    };
    stateDir = mkOption {
      type = types.str;
      default = "/var/lib/forgejo-nsc";
      description = "State directory for the dispatcher/autoscaler.";
    };
    nscTokenFile = mkOption {
      type = types.nullOr types.str;
      default = null;
      description = "Optional NSC token file (exported as NSC_TOKEN_FILE).";
    };
    nscTokenSpecFile = mkOption {
      type = types.nullOr types.str;
      default = null;
      description = "Optional NSC token spec file (exported as NSC_TOKEN_SPEC_FILE).";
    };
    nscEndpoint = mkOption {
      type = types.nullOr types.str;
      default = null;
      description = "Optional NSC endpoint override (exported as NSC_ENDPOINT).";
    };
    extraEnv = mkOption {
      type = types.attrsOf types.str;
      default = { };
      description = "Extra environment variables injected into the services.";
    };
    nscPackage = mkOption {
      type = types.nullOr types.package;
      default = self.packages.${pkgs.stdenv.hostPlatform.system}.nsc or null;
      description = "Optional nsc CLI package added to the service PATH.";
    };
    dispatcher = {
      enable = mkOption {
        type = types.bool;
        default = true;
        description = "Enable the forgejo-nsc dispatcher service.";
      };
      package = mkOption {
        type = types.package;
        default = self.packages.${pkgs.stdenv.hostPlatform.system}.forgejo-nsc-dispatcher;
        description = "Package providing the forgejo-nsc dispatcher binary.";
      };
      configFile = mkOption {
        type = types.nullOr types.str;
        default = null;
        description = "Host-local YAML config file for the dispatcher.";
      };
      allowPending = mkOption {
        type = types.bool;
        default = false;
        description = "Allow placeholder values (PENDING-) in the dispatcher config.";
      };
    };
    autoscaler = {
      enable = mkOption {
        type = types.bool;
        default = false;
        description = "Enable the forgejo-nsc autoscaler service.";
      };
      package = mkOption {
        type = types.package;
        default = self.packages.${pkgs.stdenv.hostPlatform.system}.forgejo-nsc-autoscaler;
        description = "Package providing the forgejo-nsc autoscaler binary.";
      };
      configFile = mkOption {
        type = types.nullOr types.str;
        default = null;
        description = "Host-local YAML config file for the autoscaler.";
      };
      allowPending = mkOption {
        type = types.bool;
        default = false;
        description = "Allow placeholder values (PENDING-) in the autoscaler config.";
      };
    };
  };
  config = mkIf cfg.enable {
    assertions = [
      {
        assertion = (!cfg.dispatcher.enable) || cfg.dispatcher.configFile != null;
        message = "services.burrow.forgejoNsc.dispatcher.configFile must be set when the dispatcher is enabled.";
      }
      {
        assertion = (!cfg.autoscaler.enable) || cfg.autoscaler.configFile != null;
        message = "services.burrow.forgejoNsc.autoscaler.configFile must be set when the autoscaler is enabled.";
      }
    ];
    users.groups.${cfg.group} = { };
    users.users.${cfg.user} = {
      uid = mkDefault 2011;
      isSystemUser = true;
      group = cfg.group;
      description = "Forgejo Namespace Cloud runner services";
      home = cfg.stateDir;
      createHome = true;
      shell = pkgs.bashInteractive;
    };
    systemd.tmpfiles.rules = mkAfter [
      "d ${cfg.stateDir} 0750 ${cfg.user} ${cfg.group} - -"
    ];
    systemd.services.forgejo-nsc-dispatcher = mkIf cfg.dispatcher.enable {
      description = "Forgejo Namespace Cloud dispatcher";
      wantedBy = [ "multi-user.target" ];
      after = [ "network-online.target" ];
      wants = [ "network-online.target" ];
      unitConfig.ConditionPathExists =
        optional (cfg.dispatcher.configFile != null) cfg.dispatcher.configFile
        ++ optional (cfg.nscTokenFile != null) cfg.nscTokenFile;
      serviceConfig = {
        Type = "simple";
        User = cfg.user;
        Group = cfg.group;
        WorkingDirectory = cfg.stateDir;
        ExecStart = "${cfg.dispatcher.package}/bin/forgejo-nsc-dispatcher --config ${dispatcherRuntimeConfig}";
        Restart = "on-failure";
        RestartSec = 5;
      };
      path = lib.optional (cfg.nscPackage != null) cfg.nscPackage;
      environment = dispatcherEnv;
      preStart = lib.concatStringsSep "\n" (lib.filter (s: s != "") [
        (optionalString (!cfg.dispatcher.allowPending) (pendingCheck cfg.dispatcher.configFile))
        dispatcherConfigSync
        tokenSync
      ]);
    };
    systemd.services.forgejo-nsc-autoscaler = mkIf cfg.autoscaler.enable {
      description = "Forgejo Namespace Cloud autoscaler";
      wantedBy = [ "multi-user.target" ];
      after = [ "network-online.target" "forgejo-nsc-dispatcher.service" ];
      wants = [ "network-online.target" ];
      unitConfig.ConditionPathExists =
        optional (cfg.autoscaler.configFile != null) cfg.autoscaler.configFile
        ++ optional (cfg.nscTokenFile != null) cfg.nscTokenFile;
      serviceConfig = {
        Type = "simple";
        User = cfg.user;
        Group = cfg.group;
        WorkingDirectory = cfg.stateDir;
        ExecStart = "${cfg.autoscaler.package}/bin/forgejo-nsc-autoscaler --config ${autoscalerRuntimeConfig}";
        Restart = "on-failure";
        RestartSec = 5;
      };
      path = lib.optional (cfg.nscPackage != null) cfg.nscPackage;
      environment = dispatcherEnv;
      preStart = lib.concatStringsSep "\n" (lib.filter (s: s != "") [
        (optionalString (!cfg.autoscaler.allowPending) (pendingCheck cfg.autoscaler.configFile))
        autoscalerConfigSync
        tokenSync
      ]);
    };
  };
 }