Enable Google Authentik login on forge

nixos/README.md

@@ -33,7 +33,7 @@ Mail hosting is intentionally not part of this NixOS host in the current plan. B
 4. Let `burrow-forgejo-bootstrap.service` create or rotate the initial Forgejo admin account.
 5. Let `burrow-forgejo-runner-bootstrap.service` register the self-hosted Forgejo runner and seed Git identity as `agent <agent@burrow.net>`.
 6. Run `Scripts/provision-forgejo-nsc.sh` locally, then `Scripts/sync-forgejo-nsc-config.sh` to place the Namespace dispatcher/autoscaler runtime inputs under `/var/lib/burrow/intake/`.
-7. Ensure `/var/lib/agenix/agenix.key` exists on the host, encrypt `secrets/infra/authentik.env.age` and `secrets/infra/headscale-oidc-client-secret.age`, and let agenix materialize them under `/run/agenix/`.
+7. Ensure `/var/lib/agenix/agenix.key` exists on the host, encrypt `secrets/infra/authentik.env.age`, `secrets/infra/authentik-google-client-id.age`, `secrets/infra/authentik-google-client-secret.age`, and `secrets/infra/headscale-oidc-client-secret.age`, and let agenix materialize them under `/run/agenix/`.
 8. Use `Scripts/cloudflare-upsert-a-record.sh` to point `git.burrow.net`, `burrow.net`, `auth.burrow.net`, `ts.burrow.net`, and `nsc-autoscaler.burrow.net` at the host with Cloudflare proxying disabled for ACME.
 9. Use `Scripts/forge-deploy.sh --allow-dirty` for subsequent remote `nixos-rebuild` runs from the live workspace.
 10. Configure Forward Email custom S3 backups for `burrow.net` and `burrow.rs` out-of-band with `Tools/forwardemail-custom-s3.sh`.

nixos/hosts/burrow-forge/default.nix

@@ -33,6 +33,18 @@
     group = "root";
     mode = "0400";
   };
+  age.secrets.burrowAuthentikGoogleClientId = {
+    file = ../../../secrets/infra/authentik-google-client-id.age;
+    owner = "root";
+    group = "root";
+    mode = "0400";
+  };
+  age.secrets.burrowAuthentikGoogleClientSecret = {
+    file = ../../../secrets/infra/authentik-google-client-secret.age;
+    owner = "root";
+    group = "root";
+    mode = "0400";
+  };
 
   networking.extraHosts = ''
     127.0.0.1 burrow.net git.burrow.net auth.burrow.net ts.burrow.net nsc-autoscaler.burrow.net
@@ -69,6 +81,8 @@
     enable = true;
     envFile = config.age.secrets.burrowAuthentikEnv.path;
     headscaleClientSecretFile = config.age.secrets.burrowHeadscaleOidcClientSecret.path;
+    googleClientIDFile = config.age.secrets.burrowAuthentikGoogleClientId.path;
+    googleClientSecretFile = config.age.secrets.burrowAuthentikGoogleClientSecret.path;
   };
 
   services.burrow.headscale = {

nixos/modules/burrow-authentik.nix

@@ -8,6 +8,7 @@ let
   blueprintFile = "${blueprintDir}/burrow-authentik.yaml";
   postgresVolume = "burrow-authentik-postgresql:/var/lib/postgresql/data";
   dataVolume = "burrow-authentik-data:/data";
+  googleSourceSyncScript = ../../Scripts/authentik-sync-google-source.sh;
   authentikBlueprint = pkgs.writeText "burrow-authentik-blueprint.yaml" ''
     version: 1
     metadata:
@@ -106,6 +107,33 @@ in
       default = "/var/lib/burrow/intake/authentik_headscale_client_secret.txt";
       description = "Host-local file containing the Authentik Headscale OIDC client secret.";
     };
+
+    googleClientIDFile = lib.mkOption {
+      type = lib.types.nullOr lib.types.str;
+      default = null;
+      description = "Host-local file containing the Google OAuth client ID for the Authentik source.";
+    };
+
+    googleClientSecretFile = lib.mkOption {
+      type = lib.types.nullOr lib.types.str;
+      default = null;
+      description = "Host-local file containing the Google OAuth client secret for the Authentik source.";
+    };
+
+    googleSourceSlug = lib.mkOption {
+      type = lib.types.str;
+      default = "google";
+      description = "Authentik OAuth source slug used for Google login.";
+    };
+
+    googleLoginMode = lib.mkOption {
+      type = lib.types.enum [
+        "promoted"
+        "redirect"
+      ];
+      default = "redirect";
+      description = "Identification-stage behavior for the Google Authentik source.";
+    };
   };
 
   config = lib.mkIf cfg.enable {
@@ -263,6 +291,55 @@ EOF
       '';
     };
 
+    systemd.services.burrow-authentik-google-source = lib.mkIf (
+      cfg.googleClientIDFile != null && cfg.googleClientSecretFile != null
+    ) {
+      description = "Reconcile the Burrow Authentik Google OAuth source";
+      after = [
+        "burrow-authentik-ready.service"
+        "network-online.target"
+      ];
+      wants = [
+        "burrow-authentik-ready.service"
+        "network-online.target"
+      ];
+      wantedBy = [ "multi-user.target" ];
+      restartTriggers = [
+        googleSourceSyncScript
+        cfg.envFile
+        cfg.googleClientIDFile
+        cfg.googleClientSecretFile
+      ];
+      path = [
+        pkgs.bash
+        pkgs.coreutils
+        pkgs.curl
+        pkgs.jq
+      ];
+      serviceConfig = {
+        Type = "oneshot";
+        User = "root";
+        Group = "root";
+        Restart = "on-failure";
+        RestartSec = 5;
+      };
+      script = ''
+        set -euo pipefail
+        set -a
+        source ${lib.escapeShellArg cfg.envFile}
+        set +a
+
+        export AUTHENTIK_URL=https://${cfg.domain}
+        export AUTHENTIK_GOOGLE_SOURCE_SLUG=${lib.escapeShellArg cfg.googleSourceSlug}
+        export AUTHENTIK_GOOGLE_LOGIN_MODE=${lib.escapeShellArg cfg.googleLoginMode}
+        export AUTHENTIK_GOOGLE_USER_MATCHING_MODE=email_link
+        export AUTHENTIK_GOOGLE_CLIENT_ID="$(tr -d '\r\n' < ${lib.escapeShellArg cfg.googleClientIDFile})"
+        export AUTHENTIK_GOOGLE_CLIENT_SECRET="$(tr -d '\r\n' < ${lib.escapeShellArg cfg.googleClientSecretFile})"
+
+        ${pkgs.bash}/bin/bash ${googleSourceSyncScript}
+      '';
+    };
+
     services.caddy.virtualHosts."${cfg.domain}".extraConfig = ''
       encode gzip zstd
       reverse_proxy 127.0.0.1:${toString cfg.port}