hackclub/burrow
1
0
Fork 0
Code Pull requests Releases Packages Activity Actions

Wire runner caches and forge secrets through agenix
Some checks failed
Build Rust / Cargo Test (push) Waiting to run
Details
Build Site / Next.js Build (push) Waiting to run
Details
Build Apple / Build App (iOS Simulator) (push) Failing after 14s
Details
Build Apple / Build App (macOS) (push) Failing after 13s
Details

Browse source
This commit is contained in:
Conrad Kramer 2026-03-19 00:04:27 -07:00
parent afc3e79eb0
commit ed247b2f5e
20 changed files with 299 additions and 64 deletions
Download patch file Download diff file Expand all files Collapse all files

7
secrets/README.md
View file

@ -4,6 +4,8 @@ Burrow secrets live in `secrets/<name>.age` and are managed with `agenix`.
For the Forgejo Namespace Cloud runtime:
- `secrets/forgejo/admin-password.age`
- `secrets/forgejo/agent-ssh-key.age`
- `secrets/forgejo/nsc-token.age`
- `secrets/forgejo/nsc-dispatcher-config.age`
- `secrets/forgejo/nsc-autoscaler-config.age`
@ -11,7 +13,8 @@ For the Forgejo Namespace Cloud runtime:
Use:
- `make secret name=forgejo/nsc-token`
- `make secret-file name=forgejo/nsc-token file=/path/to/source`
- `make secret-file name=forgejo/agent-ssh-key file=/path/to/source`
The forge host decrypts these files at activation time and feeds the resulting
paths into `services.burrow.forgejoNsc`.
paths into `services.burrow.forge`, `services.burrow.forgeRunner`, and
`services.burrow.forgejoNsc`.

11
secrets/forgejo/admin-password.age Normal file
View file

@ -0,0 +1,11 @@
age-encryption.org/v1
-> ssh-ed25519 ux4N8Q nmGFzw38TKiVVuA9CM8wHQDVib0RddB+M/UjQnD45jk
iZNLNBlS32zR+TNfcK27T1V3w27sFKJkWfuOzHwcOL0
-> ssh-ed25519 IrZmAg Y53DC0wGX8mjaXkD3+jZn2DviO5iSXsnZDBNCBTmLgA
XLz+YXzT4fYb7q0xuZMKgv88lAd0gGKaquSMcA6Yu3c
-> ssh-ed25519 JzXUWA EDAXBKEvHccJ4KKtHjUTA+KA+wN9bBu9v+kzRTFt9AI
JNADezBCxx26+QPD2tIpz5O8cncrJwnqaYQEWY56VGY
--- RpjdftRPUGT80IMYKFDFuHkKEr1heJOvqrqYLufhc10
ûÈÂ_
F(
((0ˆ‡Õɉ·',¿€8d]d%T[MÁ¼¬KRQÿxiIf<49>Òæ

BIN
secrets/forgejo/agent-ssh-key.age Normal file
View file

Binary file not shown.

3
secrets/secrets.nix
View file

@ -1,4 +1,3 @@
{ }:
let
contact = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO42guJ5QvNMw3k6YKWlQnjcTsc+X4XI9F2GBtl8aHOa";
agent = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEN0+tRJy7Y2DW0uGYHb86N2t02WyU5lDNX6FaxBF/G8 agent@burrow.net";
@ -6,6 +5,8 @@ let
forgeAutomation = [ contact agent forge ];
in {
"secrets/forgejo/admin-password.age".publicKeys = forgeAutomation;
"secrets/forgejo/agent-ssh-key.age".publicKeys = forgeAutomation;
"secrets/forgejo/nsc-token.age".publicKeys = forgeAutomation;
"secrets/forgejo/nsc-dispatcher-config.age".publicKeys = forgeAutomation;
"secrets/forgejo/nsc-autoscaler-config.age".publicKeys = forgeAutomation;