From c58d06dfc1079d567d643cfca852dc451f93c936 Mon Sep 17 00:00:00 2001
From: Conrad Kramer
Date: Sat, 18 Apr 2026 02:18:22 -0700
Subject: [PATCH 1/2] Move Burrow Google account aliases into agenix
---
 contributors.nix | 25 ++++++++++++++++--
 nixos/hosts/burrow-forge/default.nix | 8 +++++-
 nixos/modules/burrow-authentik.nix | 24 ++++++++++++-----
 secrets.nix | 1 +
 .../authentik-google-account-map.json.age | Bin 0 -> 968 bytes
 5 files changed, 48 insertions(+), 10 deletions(-)
 create mode 100644 secrets/infra/authentik-google-account-map.json.age
diff --git a/contributors.nix b/contributors.nix
index 22c28b6..36bc1c9 100644
--- a/contributors.nix
+++ b/contributors.nix
@@ -8,7 +8,6 @@
 contact = {
 displayName = "Burrow";
 canonicalEmail = "contact@burrow.net";
- sourceEmail = "net.burrow@gmail.com";
 isAdmin = true;
 forgeAuthorized = true;
 bootstrapAuthentik = true;
@@ -22,7 +21,6 @@
 conrad = {
 displayName = "Conrad Kramer";
 canonicalEmail = "conrad@burrow.net";
- sourceEmail = "ckrames1234@gmail.com";
 isAdmin = true;
 forgeAuthorized = false;
 bootstrapAuthentik = true;
@@ -32,6 +30,29 @@
 ];
 };
 
+ jett = {
+ displayName = "Jett";
+ canonicalEmail = "jett@burrow.net";
+ isAdmin = false;
+ forgeAuthorized = false;
+ bootstrapAuthentik = true;
+ roles = [
+ "member"
+ ];
+ };
+
+ davnotdev = {
+ displayName = "David";
+ canonicalEmail = "davnotdev@burrow.net";
+ isAdmin = true;
+ forgeAuthorized = false;
+ bootstrapAuthentik = true;
+ roles = [
+ "member"
+ "operator"
+ ];
+ };
+
 agent = {
 displayName = "Burrow Agent";
 canonicalEmail = "agent@burrow.net";
diff --git a/nixos/hosts/burrow-forge/default.nix b/nixos/hosts/burrow-forge/default.nix
index bf6330f..497d40e 100644
--- a/nixos/hosts/burrow-forge/default.nix
+++ b/nixos/hosts/burrow-forge/default.nix
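Review bot: contributors.nix no longer says where a contributor's external Google address is declared now that the `sourceEmail` lines are gone (first two hunks), and the new `jett` and `davnotdev` entries in the third hunk carry no such field at all; the only remaining place is the encrypted authentik-google-account-map.json.age blob added later in this series, which a reader of this file cannot inspect. A comment above the first entry, e.g. `# External (Google) login addresses are not kept here; they live in secrets/infra/authentik-google-account-map.json.age (agenix).`, would tell the next person adding a contributor that the encrypted map presumably needs a matching entry for Google login to link. The enclosing attribute set starts and ends outside these hunks.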
@@ -13,7 +13,6 @@ let
 inherit username;
 name = identity.displayName;
 email = identity.canonicalEmail;
- sourceEmail = identity.sourceEmail or null;
 isAdmin = identity.isAdmin or false;
 passwordFile = authentikPasswordSecretPath identity;
 }
@@ -85,6 +84,12 @@ in
 group = "root";
 mode = "0400";
 };
+ age.secrets.burrowAuthentikGoogleAccountMap = {
+ file = ../../../secrets/infra/authentik-google-account-map.json.age;
+ owner = "root";
+ group = "root";
+ mode = "0400";
+ };
 age.secrets.burrowAuthentikUiTestPassword = {
 file = ../../../secrets/infra/authentik-ui-test-password.age;
 owner = "root";
@@ -158,6 +163,7 @@ in
 tailscaleClientSecretFile = config.age.secrets.burrowTailscaleOidcClientSecret.path;
 googleClientIDFile = config.age.secrets.burrowAuthentikGoogleClientId.path;
 googleClientSecretFile = config.age.secrets.burrowAuthentikGoogleClientSecret.path;
+ googleAccountMapFile = config.age.secrets.burrowAuthentikGoogleAccountMap.path;
 googleLoginMode = "redirect";
 userGroupName = contributors.groups.users;
 adminGroupName = contributors.groups.admins;
diff --git a/nixos/modules/burrow-authentik.nix b/nixos/modules/burrow-authentik.nix
index 1616b36..2fa83da 100644
--- a/nixos/modules/burrow-authentik.nix
+++ b/nixos/modules/burrow-authentik.nix
@@ -180,6 +180,12 @@ in
 description = "Host-local file containing the Google OAuth client secret for the Authentik source.";
 };
 
+ googleAccountMapFile = lib.mkOption {
+ type = lib.types.nullOr lib.types.str;
+ default = null;
+ description = "Optional host-local JSON file mapping external Google accounts onto Burrow Authentik users.";
+ };
+
 googleSourceSlug = lib.mkOption {
 type = lib.types.str;
 default = "google";
@@ -477,7 +483,7 @@ EOF
 cfg.envFile
 cfg.googleClientIDFile
 cfg.googleClientSecretFile
- ];
+ ] ++ lib.optional (cfg.googleAccountMapFile != null) cfg.googleAccountMapFile;
 path = [
 pkgs.bash
 pkgs.coreutils
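Review bot: The description of the new `googleAccountMapFile` option (burrow-authentik.nix, hunk @@ -180) does not say what the file must contain, and with the map now stored in an encrypted agenix secret the only remaining hint of the format is the inline fallback in the same module, which emits a JSON array of objects with `source_email`, `username`, `email` and `name` keys into the same AUTHENTIK_GOOGLE_ACCOUNT_MAP_JSON variable. Suggest stating that shape in the option text, e.g. `description = "Optional host-local JSON file mapping external Google accounts onto Burrow Authentik users: a JSON array of objects with source_email, username, email and name keys, read into AUTHENTIK_GOOGLE_ACCOUNT_MAP_JSON in place of the inline bootstrapUsers map.";`. The list extended in hunk @@ -477 begins outside the hunk, so what the added entry does (restart trigger, path condition) cannot be confirmed here. The burrow-forge hunks look consistent with the neighbouring secrets (root-owned, mode 0400).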
@@ -501,12 +507,16 @@ EOF
 export AUTHENTIK_GOOGLE_USER_MATCHING_MODE=email_link
 export AUTHENTIK_GOOGLE_CLIENT_ID="$(tr -d '\r\n' < ${lib.escapeShellArg cfg.googleClientIDFile})"
 export AUTHENTIK_GOOGLE_CLIENT_SECRET="$(tr -d '\r\n' < ${lib.escapeShellArg cfg.googleClientSecretFile})"
- export AUTHENTIK_GOOGLE_ACCOUNT_MAP_JSON='${builtins.toJSON (map (user: {
- source_email = user.sourceEmail;
- username = user.username;
- email = user.email;
- name = user.name;
- }) (lib.filter (user: user.sourceEmail != null) cfg.bootstrapUsers))}'
+ if [ -n ${lib.escapeShellArg (cfg.googleAccountMapFile or "")} ]; then
+ export AUTHENTIK_GOOGLE_ACCOUNT_MAP_JSON="$(tr -d '\n' < ${lib.escapeShellArg (cfg.googleAccountMapFile or "/dev/null")})"
+ else
+ export AUTHENTIK_GOOGLE_ACCOUNT_MAP_JSON='${builtins.toJSON (map (user: {
+ source_email = user.sourceEmail;
+ username = user.username;
+ email = user.email;
+ name = user.name;
+ }) (lib.filter (user: user.sourceEmail != null) cfg.bootstrapUsers))}'
+ fi
 
 ${pkgs.bash}/bin/bash ${googleSourceSyncScript}
 '';
diff --git a/secrets.nix b/secrets.nix
index a8fb923..e3fd9a2 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -14,6 +14,7 @@ in
 "secrets/infra/authentik.env.age".publicKeys = burrowForgeRecipients;
 "secrets/infra/authentik-google-client-id.age".publicKeys = burrowForgeRecipients;
 "secrets/infra/authentik-google-client-secret.age".publicKeys = burrowForgeRecipients;
+ "secrets/infra/authentik-google-account-map.json.age".publicKeys = burrowForgeRecipients;
 "secrets/infra/authentik-ui-test-password.age".publicKeys = uiTestRecipients;
 "secrets/infra/forgejo-oidc-client-secret.age".publicKeys = burrowForgeRecipients;
 "secrets/infra/forgejo-nsc-autoscaler-config.age".publicKeys = burrowForgeRecipients;
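Review bot: Both branches of the new shell `if` in hunk @@ -501 are resolved at Nix evaluation time, so the `else` branch's `user.sourceEmail` is still evaluated on a host that sets googleAccountMapFile, and this series drops `sourceEmail` from burrow-forge's bootstrapUsers; unless the bootstrapUsers option is a submodule that defaults sourceEmail to null, that selection throws an attribute-missing error at eval. The `cfg.googleAccountMapFile or ""` and `or "/dev/null"` fallbacks also do not do what they look like: `or` covers a missing attribute, not a null value, and the condition only works because `toString null` is the empty string. Since the path is known at eval time the branch belongs in Nix rather than in the script, which removes the dead shell branch, lets the map file be read with the same `tr -d '\r\n'` the two lines above use, and with `user.sourceEmail or null` keeps the fallback safe for users without the field. The secrets.nix hunk is a plain recipients entry and needs nothing.
```nix
      export AUTHENTIK_GOOGLE_CLIENT_SECRET="$(tr -d '\r\n' < ${lib.escapeShellArg cfg.googleClientSecretFile})"
      ${if cfg.googleAccountMapFile != null then ''
        export AUTHENTIK_GOOGLE_ACCOUNT_MAP_JSON="$(tr -d '\r\n' < ${lib.escapeShellArg cfg.googleAccountMapFile})"
      '' else ''
        export AUTHENTIK_GOOGLE_ACCOUNT_MAP_JSON='${builtins.toJSON (map (user: {
          source_email = user.sourceEmail;
          username = user.username;
          email = user.email;
          name = user.name;
        }) (lib.filter (user: (user.sourceEmail or null) != null) cfg.bootstrapUsers))}'
      ''}
      # … unchanged: googleSourceSyncScript invocation …
```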
diff --git a/secrets/infra/authentik-google-account-map.json.age b/secrets/infra/authentik-google-account-map.json.age
new file mode 100644
index 0000000000000000000000000000000000000000..b3cb6f84c8d7f174f404cabbccb26a8525167538
GIT binary patch
literal 968
zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCSHtuXPk2vl%Sa`OsJ zc6Tu_%QNvaO7o5M3vzccO7`$E3@SE=a4j}ZaxXW}$PMz&N#@E)jW8>%C@C*=EeZ@u z^frrfOZ5uOtZ?_tOwrG*O!oH+cdLrbuqX{n2}HNevnVRpFSPD#l$by$SkM8$u-f$)vP$rIoT{M%a6U@Uh2>6$ zZWaY*e%WTm=3&L29!8di5e8fquAY{8+M!-mj+VJeKE)dxz1m8H%g}n3&iJs-83sPPtV`x-$h$#JFb~)O7l0)>{z0%d*xHu{Z1<( zNhU{!T#1+Ni7g+d<}Tc5nX_iI>{YANg?hfm^Y(vD4oeI)?cAO6_p9xJ_$n9G4_tl9 zhgn~6AK&z7iGnT5hTK&h%NPG<%g^R!Dh*%w_u7Q_i@#j>d}n3N;azzdX?#nKGg{?T zKVJ0=w%&GV`;-?AA71WWc=lzF^`>l-*izw!E5P!YY2g@46CVY_z+8DhsaZ9L0 z*yOTVMn#i$FR@?{_*>y4r(baUv{BbAnaL71kIcSroUau5=+FYQq)hkcS+iHwe+uKT z>bBWG+qK^Ed~UePi?cKPIUU=-)h&o$SZvoMbK}_br^a{Gn5K9-?YQ`y`|{1N5^Rhe1>fY{#=Ui7)vZP;JSikI4T+CyJptZABv};^v>uHdZ?csW`ee1r)O$BqR z{q($}=T|#<_B%=M5?IGC61-dX(D8rsf9oVT#LTGN)v0`U%bllx7!4Mjy{pBpX20U{ zOWm_wyRW=ot|)M9?%Zc7)y*jn|I3OSCELe&TnY{QxW`8O?3PI8yxX=LrMC11ettRg zl8S-uG93f|#6NGFlm1(>t>67hw%1wt=h1a*LKId!TD^DW{Mf4-`?#NY{(Qxn%`CF} z;qHo}OQz4ZPZK`y^{J2RmaG=V!;%dF|7FB1u0KDz_V0{jv$PHg_Ptk9UoeOR0CcFC Ar2qf`
literal 0
HcmV?d00001

From abd5a3597031820ad46f11ad4457f090fe017c76 Mon Sep 17 00:00:00 2001
From: Conrad Kramer
Date: Sat, 18 Apr 2026 02:42:01 -0700
Subject: [PATCH 2/2] Make Jett a Burrow admin
---
 contributors.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/contributors.nix b/contributors.nix
index 36bc1c9..95d4e59 100644
--- a/contributors.nix
+++ b/contributors.nix
@@ -33,7 +33,7 @@
 jett = {
 displayName = "Jett";
 canonicalEmail = "jett@burrow.net";
- isAdmin = false;
+ isAdmin = true;
 forgeAuthorized = false;
 bootstrapAuthentik = true;
 roles = [
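Review bot: In patch 2/2 `jett` becomes `isAdmin = true;` while keeping only the `"member"` role, whereas `davnotdev`, the other admin added in patch 1/2, also carries `"operator"`; if isAdmin and the operator role are meant to travel together this entry is now inconsistent with the other admin entries, and if they are independent a one-line comment in contributors.nix on what isAdmin grants as opposed to the operator role would stop the next reader from guessing. The commit message gives no reason for the elevation; a sentence on why Jett is being made an admin would let the admin list be audited from git history alone. The `roles` list for jett continues outside the hunk.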