Wire runner caches and forge secrets through agenix

2026-03-19 00:04:27 -07:00 · 2026-03-19 00:04:27 -07:00 · ed247b2f5e
commit ed247b2f5e
parent afc3e79eb0
20 changed files with 299 additions and 64 deletions
--- a/nixos/README.md
+++ b/nixos/README.md
@ -15,19 +15,19 @@ Mail hosting is intentionally not part of this NixOS host in the current plan. B
 - `keys/agent_at_burrow_net.pub`: automation SSH public key
 - `../Scripts/hetzner-forge.sh`: Hetzner inventory and replace workflow
 - `../Scripts/nsc-build-and-upload-image.sh`: temporary Namespace builder -> raw image -> Hetzner snapshot
- `../Scripts/bootstrap-forge-intake.sh`: copy the Forgejo bootstrap password and agent SSH key into `/var/lib/burrow/intake/`
+- `../Scripts/bootstrap-forge-intake.sh`: legacy intake bootstrap helper; current forge runtime secrets should live in `../secrets/forgejo/*.age`
 - `../Scripts/check-forge-host.sh`: verify Forgejo, Caddy, the local runner, and optional NSC services after boot
 - `../Scripts/cloudflare-upsert-a-record.sh`: upsert DNS-only Cloudflare `A` records for Burrow host cutovers
 - `../Scripts/forge-deploy.sh`: remote `nixos-rebuild` entrypoint for the forge host
 - `../Scripts/provision-forgejo-nsc.sh`: render Burrow Namespace dispatcher/autoscaler bootstrap inputs and ensure the default Forgejo scope exists
- `../secrets/forgejo/*.age`: authoritative encrypted Namespace token + dispatcher/autoscaler configs for the forge host
+- `../secrets/forgejo/*.age`: authoritative encrypted forge admin password, agent SSH key, and Namespace runtime configs for the forge host

 ## Intended Flow

 1. Build and upload the raw NixOS image with `Scripts/hetzner-forge.sh build-image` or `Scripts/nsc-build-and-upload-image.sh`.
 2. Recreate `burrow-forge` from the latest labeled snapshot with `Scripts/hetzner-forge.sh recreate-from-image --yes`.
-3. Run `Scripts/bootstrap-forge-intake.sh` to place the Forgejo bootstrap password file and automation SSH key under `/var/lib/burrow/intake/`.
-4. Let `burrow-forgejo-bootstrap.service` create or rotate the initial Forgejo admin account.
+3. Encrypt the Forgejo admin password and agent SSH key into `secrets/forgejo/{admin-password,agent-ssh-key}.age`.
+4. Let `burrow-forgejo-bootstrap.service` create or rotate the initial Forgejo admin account from the agenix secret path.
 5. Let `burrow-forgejo-runner-bootstrap.service` register the self-hosted Forgejo runner and seed Git identity as `agent <agent@burrow.net>`.
 6. Run `Scripts/provision-forgejo-nsc.sh` locally, re-encrypt the resulting NSC token + configs into `secrets/forgejo/*.age`, then deploy with `Scripts/forge-deploy.sh` so agenix updates the live forgejo-nsc runtime paths.
 7. Use `Scripts/cloudflare-upsert-a-record.sh` to point `git.burrow.net`, `burrow.net`, and `nsc-autoscaler.burrow.net` at the host with Cloudflare proxying disabled for ACME.
--- a/nixos/hosts/burrow-forge/default.nix
+++ b/nixos/hosts/burrow-forge/default.nix
@ -20,7 +20,7 @@

  services.burrow.forge = {
    enable = true;
-    adminPasswordFile = "/var/lib/burrow/intake/forgejo_pass_contact_at_burrow_net.txt";
+    adminPasswordFile = config.age.secrets.forgejoAdminPassword.path;
    authorizedKeys = [
      (builtins.readFile ../../keys/contact_at_burrow_net.pub)
      (builtins.readFile ../../keys/agent_at_burrow_net.pub)
@ -29,7 +29,21 @@

  services.burrow.forgeRunner = {
    enable = true;
-    sshPrivateKeyFile = "/var/lib/burrow/intake/agent_at_burrow_net_ed25519";
+    sshPrivateKeyFile = config.age.secrets.forgejoAgentSshKey.path;
+  };
+
+  age.secrets.forgejoAdminPassword = {
+    file = ../../../secrets/forgejo/admin-password.age;
+    mode = "0400";
+    owner = "forgejo";
+    group = "forgejo";
+  };
+
+  age.secrets.forgejoAgentSshKey = {
+    file = ../../../secrets/forgejo/agent-ssh-key.age;
+    mode = "0400";
+    owner = "root";
+    group = "root";
  };

  age.secrets.forgejoNscToken = {