Add forge-owned Namespace auth portal

2026-04-05 20:52:52 -07:00 · 2026-04-05 20:52:52 -07:00 · e40a947223
commit e40a947223
parent 64103abbea
10 changed files with 1403 additions and 23 deletions
--- a/nixos/README.md
+++ b/nixos/README.md
@ -12,6 +12,7 @@ Mail hosting is intentionally not part of this NixOS host in the current plan. B
 - upstream `compatible.systems/conrad/nsc-autoscaler`: Namespace-backed ephemeral Forgejo runner module consumed via the Burrow flake input
 - `modules/burrow-authentik.nix`: minimal Authentik IdP for Burrow control planes
 - `modules/burrow-headscale.nix`: Headscale control plane rooted in Authentik OIDC
+- `modules/burrow-namespace-portal.nix`: small admin portal for forge-owned Namespace authentication and NSC token refresh
 - `../secrets.nix`: agenix recipient map for tracked Burrow forge secrets
 - `hetzner-cloud-config.yaml`: desired Hetzner host shape
 - `keys/contact_at_burrow_net.pub`: initial operator SSH public key
@ -24,6 +25,7 @@ Mail hosting is intentionally not part of this NixOS host in the current plan. B
 - `../Scripts/forge-deploy.sh`: remote `nixos-rebuild` entrypoint for the forge host
 - `../Scripts/provision-forgejo-nsc.sh`: render Burrow Namespace dispatcher/autoscaler runtime inputs and ensure the default Forgejo scope exists
 - `../Scripts/sync-forgejo-nsc-config.sh`: copy intake-backed dispatcher/autoscaler inputs to the host
+- `../Scripts/authentik-sync-namespace-portal-oidc.sh`: reconcile the Authentik OIDC app used by `nsc.burrow.net`

 ## Intended Flow

@ -33,10 +35,11 @@ Mail hosting is intentionally not part of this NixOS host in the current plan. B
 4. Let `burrow-forgejo-bootstrap.service` create or rotate the initial Forgejo admin account.
 5. Let `burrow-forgejo-runner-bootstrap.service` register the self-hosted Forgejo runner and seed Git identity as `agent <agent@burrow.net>`.
 6. Run `Scripts/provision-forgejo-nsc.sh` locally, then `Scripts/sync-forgejo-nsc-config.sh` to place the raw Namespace dispatcher/autoscaler runtime inputs under `/var/lib/burrow/intake/` for the upstream `services.forgejo-nsc` module.
-7. Ensure `/var/lib/agenix/agenix.key` exists on the host, encrypt `secrets/infra/authentik.env.age`, `secrets/infra/authentik-google-client-id.age`, `secrets/infra/authentik-google-client-secret.age`, `secrets/infra/forgejo-oidc-client-secret.age`, and `secrets/infra/headscale-oidc-client-secret.age`, and let agenix materialize them under `/run/agenix/`.
-8. Use `Scripts/cloudflare-upsert-a-record.sh` to point `git.burrow.net`, `burrow.net`, `auth.burrow.net`, `ts.burrow.net`, and `nsc-autoscaler.burrow.net` at the host with Cloudflare proxying disabled for ACME.
-9. Use `Scripts/forge-deploy.sh --allow-dirty` for subsequent remote `nixos-rebuild` runs from the live workspace.
-10. Configure Forward Email custom S3 backups for `burrow.net` and `burrow.rs` out-of-band with `Tools/forwardemail-custom-s3.sh`.
+7. Visit `https://nsc.burrow.net/` as a Burrow admin to link the forge-owned Namespace session and rotate `/var/lib/burrow/intake/forgejo_nsc_token.txt` without relying on a personal local `nsc` login.
+8. Ensure `/var/lib/agenix/agenix.key` exists on the host, encrypt `secrets/infra/authentik.env.age`, `secrets/infra/authentik-google-client-id.age`, `secrets/infra/authentik-google-client-secret.age`, `secrets/infra/forgejo-oidc-client-secret.age`, and `secrets/infra/headscale-oidc-client-secret.age`, and let agenix materialize them under `/run/agenix/`.
+9. Use `Scripts/cloudflare-upsert-a-record.sh` to point `git.burrow.net`, `burrow.net`, `auth.burrow.net`, `ts.burrow.net`, `nsc.burrow.net`, and `nsc-autoscaler.burrow.net` at the host with Cloudflare proxying disabled for ACME.
+10. Use `Scripts/forge-deploy.sh --allow-dirty` for subsequent remote `nixos-rebuild` runs from the live workspace.
+11. Configure Forward Email custom S3 backups for `burrow.net` and `burrow.rs` out-of-band with `Tools/forwardemail-custom-s3.sh`.

 ## Current Constraints

--- a/nixos/hosts/burrow-forge/default.nix
+++ b/nixos/hosts/burrow-forge/default.nix
@ -33,6 +33,7 @@ in
    self.nixosModules.burrow-forgejo-nsc
    self.nixosModules.burrow-authentik
    self.nixosModules.burrow-headscale
+    self.nixosModules.burrow-namespace-portal
  ];

  system.stateVersion = "24.11";
@ -89,8 +90,8 @@ in
  };

  networking.extraHosts = ''
-    127.0.0.1 burrow.net git.burrow.net auth.burrow.net ts.burrow.net nsc-autoscaler.burrow.net
-    ::1 burrow.net git.burrow.net auth.burrow.net ts.burrow.net nsc-autoscaler.burrow.net
+    127.0.0.1 burrow.net git.burrow.net auth.burrow.net ts.burrow.net nsc-autoscaler.burrow.net nsc.burrow.net
+    ::1 burrow.net git.burrow.net auth.burrow.net ts.burrow.net nsc-autoscaler.burrow.net nsc.burrow.net
  '';

  services.burrow.forge = {
@ -140,4 +141,11 @@ in
    enable = true;
    oidcClientSecretFile = config.age.secrets.burrowHeadscaleOidcClientSecret.path;
  };
+
+  services.burrow.namespacePortal = {
+    enable = true;
+    domain = "nsc.burrow.net";
+    baseUrl = "https://nsc.burrow.net";
+    adminGroup = contributors.groups.admins;
+  };
 }
--- a/nixos/modules/burrow-authentik.nix
+++ b/nixos/modules/burrow-authentik.nix
@ -10,6 +10,7 @@ let
  dataVolume = "burrow-authentik-data:/data";
  directorySyncScript = ../../Scripts/authentik-sync-burrow-directory.sh;
  forgejoOidcSyncScript = ../../Scripts/authentik-sync-forgejo-oidc.sh;
+  namespacePortalOidcSyncScript = ../../Scripts/authentik-sync-namespace-portal-oidc.sh;
  tailscaleOidcSyncScript = ../../Scripts/authentik-sync-tailscale-oidc.sh;
  googleSourceSyncScript = ../../Scripts/authentik-sync-google-source.sh;
  tailnetAuthFlowSyncScript = ../../Scripts/authentik-sync-tailnet-auth-flow.sh;
@ -138,6 +139,30 @@ in
      description = "Authentik application slug for Tailscale custom OIDC sign-in.";
    };

+    namespacePortalDomain = lib.mkOption {
+      type = lib.types.str;
+      default = "nsc.burrow.net";
+      description = "Public domain for the Burrow Namespace portal.";
+    };
+
+    namespacePortalProviderSlug = lib.mkOption {
+      type = lib.types.str;
+      default = "namespace";
+      description = "Authentik application slug for the Namespace portal.";
+    };
+
+    namespacePortalClientId = lib.mkOption {
+      type = lib.types.str;
+      default = "nsc.burrow.net";
+      description = "Client ID Authentik should present to the Namespace portal.";
+    };
+
+    namespacePortalClientSecretFile = lib.mkOption {
+      type = lib.types.nullOr lib.types.str;
+      default = null;
+      description = "Optional host-local file containing the Authentik Namespace portal OIDC client secret.";
+    };
+
    tailscaleClientId = lib.mkOption {
      type = lib.types.str;
      default = "tailscale.burrow.net";
@ -708,6 +733,56 @@ EOF
      '';
    };

+    systemd.services.burrow-authentik-namespace-portal-oidc = {
+      description = "Reconcile the Burrow Authentik Namespace portal OIDC application";
+      after = [
+        "burrow-authentik-ready.service"
+        "network-online.target"
+      ];
+      wants = [
+        "burrow-authentik-ready.service"
+        "network-online.target"
+      ];
+      wantedBy = [ "multi-user.target" ];
+      restartTriggers =
+        [
+          namespacePortalOidcSyncScript
+          cfg.envFile
+        ]
+        ++ lib.optionals (cfg.namespacePortalClientSecretFile != null) [ cfg.namespacePortalClientSecretFile ];
+      path = [
+        pkgs.bash
+        pkgs.coreutils
+        pkgs.curl
+        pkgs.jq
+      ];
+      serviceConfig = {
+        Type = "oneshot";
+        User = "root";
+        Group = "root";
+      };
+      script = ''
+        set -euo pipefail
+        set -a
+        source ${lib.escapeShellArg cfg.envFile}
+        set +a
+
+        export AUTHENTIK_URL=https://${cfg.domain}
+        export AUTHENTIK_NAMESPACE_PORTAL_APPLICATION_SLUG=${lib.escapeShellArg cfg.namespacePortalProviderSlug}
+        export AUTHENTIK_NAMESPACE_PORTAL_APPLICATION_NAME="Namespace Portal"
+        export AUTHENTIK_NAMESPACE_PORTAL_PROVIDER_NAME="Namespace Portal"
+        export AUTHENTIK_NAMESPACE_PORTAL_TEMPLATE_SLUG=${lib.escapeShellArg cfg.headscaleProviderSlug}
+        export AUTHENTIK_NAMESPACE_PORTAL_CLIENT_ID=${lib.escapeShellArg cfg.namespacePortalClientId}
+        ${lib.optionalString (cfg.namespacePortalClientSecretFile != null) ''
+          export AUTHENTIK_NAMESPACE_PORTAL_CLIENT_SECRET="$(tr -d '\r\n' < ${lib.escapeShellArg cfg.namespacePortalClientSecretFile})"
+        ''}
+        export AUTHENTIK_NAMESPACE_PORTAL_LAUNCH_URL=https://${cfg.namespacePortalDomain}/
+        export AUTHENTIK_NAMESPACE_PORTAL_REDIRECT_URIS_JSON='["https://${cfg.namespacePortalDomain}/oauth/callback"]'
+
+        ${pkgs.bash}/bin/bash ${namespacePortalOidcSyncScript}
+      '';
+    };
+
    services.caddy.virtualHosts."${cfg.domain}".extraConfig = ''
      encode gzip zstd
      reverse_proxy 127.0.0.1:${toString cfg.port}
--- a/nixos/modules/burrow-namespace-portal.nix
+++ b/nixos/modules/burrow-namespace-portal.nix
@ -0,0 +1,126 @@
+{ config, lib, pkgs, self, ... }:
+
+let
+  cfg = config.services.burrow.namespacePortal;
+  burrowExe = lib.getExe self.packages.${pkgs.system}.burrow;
+  nscExe = lib.getExe self.packages.${pkgs.system}.nsc;
+in
+{
+  options.services.burrow.namespacePortal = {
+    enable = lib.mkEnableOption "the Burrow Namespace authentication portal";
+
+    domain = lib.mkOption {
+      type = lib.types.str;
+      default = "nsc.burrow.net";
+      description = "Public domain for the Namespace portal.";
+    };
+
+    port = lib.mkOption {
+      type = lib.types.port;
+      default = 9080;
+      description = "Local listen port for the Namespace portal.";
+    };
+
+    baseUrl = lib.mkOption {
+      type = lib.types.str;
+      default = "https://nsc.burrow.net";
+      description = "Public base URL for redirects.";
+    };
+
+    oidcProviderSlug = lib.mkOption {
+      type = lib.types.str;
+      default = "namespace";
+      description = "Authentik provider slug used for the portal.";
+    };
+
+    oidcClientId = lib.mkOption {
+      type = lib.types.str;
+      default = "nsc.burrow.net";
+      description = "OIDC client ID used by the portal.";
+    };
+
+    oidcClientSecretFile = lib.mkOption {
+      type = lib.types.nullOr lib.types.str;
+      default = null;
+      description = "Optional host-local OIDC client secret for the portal.";
+    };
+
+    adminGroup = lib.mkOption {
+      type = lib.types.str;
+      default = "burrow-admins";
+      description = "Authentik group required to access the portal.";
+    };
+
+    stateDir = lib.mkOption {
+      type = lib.types.str;
+      default = "/var/lib/burrow/namespace-portal";
+      description = "Persistent state directory for the portal-owned NSC session.";
+    };
+
+    tokenOutputPath = lib.mkOption {
+      type = lib.types.str;
+      default = "/var/lib/burrow/intake/forgejo_nsc_token.txt";
+      description = "Path where refreshed NSC tokens should be written.";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    assertions = [
+      {
+        assertion = config.services.forgejo-nsc.enable;
+        message = "services.burrow.namespacePortal requires services.forgejo-nsc.enable";
+      }
+    ];
+
+    systemd.tmpfiles.rules = [
+      "d ${cfg.stateDir} 0750 forgejo-nsc forgejo-nsc -"
+      "d ${cfg.stateDir}/nsc 0750 forgejo-nsc forgejo-nsc -"
+    ];
+
+    systemd.services.burrow-namespace-portal = {
+      description = "Burrow Namespace authentication portal";
+      after = [
+        "network-online.target"
+        "burrow-authentik-ready.service"
+      ];
+      wants = [
+        "network-online.target"
+        "burrow-authentik-ready.service"
+      ];
+      wantedBy = [ "multi-user.target" ];
+      path = [
+        self.packages.${pkgs.system}.burrow
+        self.packages.${pkgs.system}.nsc
+        pkgs.coreutils
+      ];
+      serviceConfig = {
+        Type = "simple";
+        User = "forgejo-nsc";
+        Group = "forgejo-nsc";
+        WorkingDirectory = cfg.stateDir;
+        Restart = "on-failure";
+        RestartSec = "2s";
+      };
+      script = ''
+        set -euo pipefail
+        export BURROW_NAMESPACE_PORTAL_LISTEN=127.0.0.1:${toString cfg.port}
+        export BURROW_NAMESPACE_PORTAL_BASE_URL=${lib.escapeShellArg cfg.baseUrl}
+        export BURROW_NAMESPACE_PORTAL_OIDC_DISCOVERY_URL=${lib.escapeShellArg "https://${config.services.burrow.authentik.domain}/application/o/${cfg.oidcProviderSlug}/.well-known/openid-configuration"}
+        export BURROW_NAMESPACE_PORTAL_OIDC_CLIENT_ID=${lib.escapeShellArg cfg.oidcClientId}
+        export BURROW_NAMESPACE_PORTAL_ALLOWED_GROUP=${lib.escapeShellArg cfg.adminGroup}
+        export BURROW_NAMESPACE_PORTAL_NSC_BIN=${lib.escapeShellArg nscExe}
+        export BURROW_NAMESPACE_PORTAL_NSC_STATE_DIR=${lib.escapeShellArg "${cfg.stateDir}/nsc"}
+        export BURROW_NAMESPACE_PORTAL_TOKEN_OUTPUT_PATH=${lib.escapeShellArg cfg.tokenOutputPath}
+        ${lib.optionalString (cfg.oidcClientSecretFile != null) ''
+          export BURROW_NAMESPACE_PORTAL_OIDC_CLIENT_SECRET="$(tr -d '\r\n' < ${lib.escapeShellArg cfg.oidcClientSecretFile})"
+        ''}
+        exec ${burrowExe} namespace-portal
+      '';
+    };
+
+    services.caddy.virtualHosts."${cfg.domain}".extraConfig = ''
+      encode gzip zstd
+      reverse_proxy 127.0.0.1:${toString cfg.port}
+    '';
+  };
+}