Make Jett a Burrow admin

Move Burrow Google account aliases into agenix
2026-04-18 02:42:01 -07:00 · 2026-04-18 02:18:22 -07:00
5 changed files with 48 additions and 10 deletions
--- a/contributors.nix
+++ b/contributors.nix
@ -8,7 +8,6 @@
    contact = {
      displayName = "Burrow";
      canonicalEmail = "contact@burrow.net";
-      sourceEmail = "net.burrow@gmail.com";
      isAdmin = true;
      forgeAuthorized = true;
      bootstrapAuthentik = true;
@ -22,7 +21,6 @@
    conrad = {
      displayName = "Conrad Kramer";
      canonicalEmail = "conrad@burrow.net";
-      sourceEmail = "ckrames1234@gmail.com";
      isAdmin = true;
      forgeAuthorized = false;
      bootstrapAuthentik = true;
@ -32,6 +30,29 @@
      ];
    };

+    jett = {
+      displayName = "Jett";
+      canonicalEmail = "jett@burrow.net";
+      isAdmin = true;
+      forgeAuthorized = false;
+      bootstrapAuthentik = true;
+      roles = [
+        "member"
+      ];
+    };
+
+    davnotdev = {
+      displayName = "David";
+      canonicalEmail = "davnotdev@burrow.net";
+      isAdmin = true;
+      forgeAuthorized = false;
+      bootstrapAuthentik = true;
+      roles = [
+        "member"
+        "operator"
+      ];
+    };
+
    agent = {
      displayName = "Burrow Agent";
      canonicalEmail = "agent@burrow.net";
--- a/nixos/hosts/burrow-forge/default.nix
+++ b/nixos/hosts/burrow-forge/default.nix
@ -13,7 +13,6 @@ let
        inherit username;
        name = identity.displayName;
        email = identity.canonicalEmail;
-        sourceEmail = identity.sourceEmail or null;
        isAdmin = identity.isAdmin or false;
        passwordFile = authentikPasswordSecretPath identity;
      }
@ -85,6 +84,12 @@ in
    group = "root";
    mode = "0400";
  };
+  age.secrets.burrowAuthentikGoogleAccountMap = {
+    file = ../../../secrets/infra/authentik-google-account-map.json.age;
+    owner = "root";
+    group = "root";
+    mode = "0400";
+  };
  age.secrets.burrowAuthentikUiTestPassword = {
    file = ../../../secrets/infra/authentik-ui-test-password.age;
    owner = "root";
@ -158,6 +163,7 @@ in
    tailscaleClientSecretFile = config.age.secrets.burrowTailscaleOidcClientSecret.path;
    googleClientIDFile = config.age.secrets.burrowAuthentikGoogleClientId.path;
    googleClientSecretFile = config.age.secrets.burrowAuthentikGoogleClientSecret.path;
+    googleAccountMapFile = config.age.secrets.burrowAuthentikGoogleAccountMap.path;
    googleLoginMode = "redirect";
    userGroupName = contributors.groups.users;
    adminGroupName = contributors.groups.admins;
--- a/nixos/modules/burrow-authentik.nix
+++ b/nixos/modules/burrow-authentik.nix
@ -180,6 +180,12 @@ in
      description = "Host-local file containing the Google OAuth client secret for the Authentik source.";
    };

+    googleAccountMapFile = lib.mkOption {
+      type = lib.types.nullOr lib.types.str;
+      default = null;
+      description = "Optional host-local JSON file mapping external Google accounts onto Burrow Authentik users.";
+    };
+
    googleSourceSlug = lib.mkOption {
      type = lib.types.str;
      default = "google";
@ -477,7 +483,7 @@ EOF
        cfg.envFile
        cfg.googleClientIDFile
        cfg.googleClientSecretFile
-      ];
+      ] ++ lib.optional (cfg.googleAccountMapFile != null) cfg.googleAccountMapFile;
      path = [
        pkgs.bash
        pkgs.coreutils
@ -501,12 +507,16 @@ EOF
        export AUTHENTIK_GOOGLE_USER_MATCHING_MODE=email_link
        export AUTHENTIK_GOOGLE_CLIENT_ID="$(tr -d '\r\n' < ${lib.escapeShellArg cfg.googleClientIDFile})"
        export AUTHENTIK_GOOGLE_CLIENT_SECRET="$(tr -d '\r\n' < ${lib.escapeShellArg cfg.googleClientSecretFile})"
-        export AUTHENTIK_GOOGLE_ACCOUNT_MAP_JSON='${builtins.toJSON (map (user: {
-          source_email = user.sourceEmail;
-          username = user.username;
-          email = user.email;
-          name = user.name;
-        }) (lib.filter (user: user.sourceEmail != null) cfg.bootstrapUsers))}'
+        if [ -n ${lib.escapeShellArg (cfg.googleAccountMapFile or "")} ]; then
+          export AUTHENTIK_GOOGLE_ACCOUNT_MAP_JSON="$(tr -d '\n' < ${lib.escapeShellArg (cfg.googleAccountMapFile or "/dev/null")})"
+        else
+          export AUTHENTIK_GOOGLE_ACCOUNT_MAP_JSON='${builtins.toJSON (map (user: {
+            source_email = user.sourceEmail;
+            username = user.username;
+            email = user.email;
+            name = user.name;
+          }) (lib.filter (user: user.sourceEmail != null) cfg.bootstrapUsers))}'
+        fi

        ${pkgs.bash}/bin/bash ${googleSourceSyncScript}
      '';
--- a/secrets.nix
+++ b/secrets.nix
@ -14,6 +14,7 @@ in
  "secrets/infra/authentik.env.age".publicKeys = burrowForgeRecipients;
  "secrets/infra/authentik-google-client-id.age".publicKeys = burrowForgeRecipients;
  "secrets/infra/authentik-google-client-secret.age".publicKeys = burrowForgeRecipients;
+  "secrets/infra/authentik-google-account-map.json.age".publicKeys = burrowForgeRecipients;
  "secrets/infra/authentik-ui-test-password.age".publicKeys = uiTestRecipients;
  "secrets/infra/forgejo-oidc-client-secret.age".publicKeys = burrowForgeRecipients;
  "secrets/infra/forgejo-nsc-autoscaler-config.age".publicKeys = burrowForgeRecipients;
--- a/secrets/infra/authentik-google-account-map.json.age
+++ b/secrets/infra/authentik-google-account-map.json.age
Author	SHA1	Message	Date
Conrad Kramer	abd5a35970	Make Jett a Burrow admin Some checks failed Build Rust / Cargo Test (push) Successful in 3m47s Details Build Site / Next.js Build (push) Failing after 2s Details Lint Governance / BEP Metadata (push) Successful in 0s Details	2026-04-18 02:42:01 -07:00
Conrad Kramer	c58d06dfc1	Move Burrow Google account aliases into agenix	2026-04-18 02:18:22 -07:00