diff --git a/cluster/services/hercules-ci-multi-agent/common.nix b/cluster/services/hercules-ci-multi-agent/common.nix
new file mode 100644
index 0000000..54de8df
--- /dev/null
+++ b/cluster/services/hercules-ci-multi-agent/common.nix
@@ -0,0 +1,56 @@
+{ config, inputs, lib, pkgs, ... }:
+
+let
+ mapAgents = lib.flip lib.mapAttrs config.services.hercules-ci-agents;
+
+ #lib.foldl' (a: b: a // b) {} (lib.attrValues (lib.mapAttrs (basename: basevalue: lib.mapAttrs' (n: v: lib.nameValuePair "${n}-${basename}" v) basevalue) x));
+ mergeMap = f: let
+ outputs = mapAgents f;
+ in lib.pipe outputs [
+ (lib.mapAttrs (basename: basevalue:
+ lib.mapAttrs' (n: v:
+ lib.nameValuePair "${n}-${basename}" v
+ ) basevalue
+ ))
+ lib.attrValues
+ (lib.foldl' (a: b: a // b) {})
+ ];
+in
+{
+ imports = [
+ inputs.hercules-ci-agent.nixosModules.multi-agent-service
+ ];
+
+ age.secrets = mergeMap (name: _: {
+ hci-token = {
+ file = ./secrets + "/hci-token-${name}-${config.networking.hostName}.age";
+ owner = "hci-${name}";
+ group = "hci-${name}";
+ };
+ hci-cache-credentials = {
+ file = ./secrets + "/hci-cache-credentials-${config.networking.hostName}.age";
+ owner = "hci-${name}";
+ group = "hci-${name}";
+ };
+ hci-cache-config = {
+ file = ./secrets/hci-cache-config.age;
+ owner = "hci-${name}";
+ group = "hci-${name}";
+ };
+ });
+ services.hercules-ci-agents.private-void = {
+ settings = {
+ clusterJoinTokenPath = config.age.secrets.hci-token-private-void.path;
+ binaryCachesPath = config.age.secrets.hci-cache-config-private-void.path;
+ };
+ };
+ systemd.services = mergeMap (name: _: {
+ hercules-ci-agent = {
+ # hercules-ci-agent-restarter should take care of this
+ restartIfChanged = false;
+ environment = {
+ AWS_SHARED_CREDENTIALS_FILE = config.age.secrets."hci-cache-credentials-${name}".path;
+ };
+ };
+ });
+}
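Review bot: The `services.hercules-ci-agents.private-void` settings block in common.nix is a verbatim copy of orgs/private-void.nix, and default.nix lists common.nix for the nixpak agent set too, so every node that receives the shared module also declares the private-void agent (and, through `mapAgents`, expects an `hci-token-private-void-<host>` secret) whether or not it belongs to that org; dropping the six lines from `services.hercules-ci-agents.private-void = {` through its closing `};` leaves the per-org file as the single owner of that block. The deleted `modules/hercules-ci-agent/default.nix` also set `enable = true` and pinned `package` to `inputs.hercules-ci-agent.packages.${pkgs.system}.hercules-ci-agent`, and nothing in the new per-agent settings does either, so unless the multi-agent module enables every declared agent and takes its package from the flake input by default, the agents stay off or run the nixpkgs build — worth confirming against that module. The commented-out one-liner above `mergeMap` is dead code; replacing it with a comment such as `# mergeMap f: evaluate f once per agent, then flatten to a single attrset keyed "<attr>-<agent>" (e.g. hci-token-nixpak)` would document the naming scheme that `config.age.secrets."hci-cache-credentials-${name}"` and the per-org `clusterJoinTokenPath` lookups rely on.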
diff --git a/cluster/services/hercules-ci-multi-agent/default.nix b/cluster/services/hercules-ci-multi-agent/default.nix
new file mode 100644
index 0000000..61f569f
--- /dev/null
+++ b/cluster/services/hercules-ci-multi-agent/default.nix
@@ -0,0 +1,20 @@
+{ config, lib, tools, ... }:
+
+{
+ services.hercules-ci-multi-agent = {
+ nodes = {
+ private-void = [ "VEGAS" "prophet" ];
+ nixpak = [ "VEGAS" ];
+ };
+ nixos = {
+ private-void = [
+ ./common.nix
+ ./orgs/private-void.nix
+ ];
+ nixpak = [
+ ./common.nix
+ ./orgs/nixpak.nix
+ ];
+ };
+ };
+}
diff --git a/cluster/services/hercules-ci-multi-agent/orgs/nixpak.nix b/cluster/services/hercules-ci-multi-agent/orgs/nixpak.nix
new file mode 100644
index 0000000..6a6d6bc
--- /dev/null
+++ b/cluster/services/hercules-ci-multi-agent/orgs/nixpak.nix
@@ -0,0 +1,10 @@
+{ config, inputs, pkgs, ... }:
+
+{
+ services.hercules-ci-agents.nixpak = {
+ settings = {
+ clusterJoinTokenPath = config.age.secrets.hci-token-nixpak.path;
+ binaryCachesPath = config.age.secrets.hci-cache-config-nixpak.path;
+ };
+ };
+}
diff --git a/cluster/services/hercules-ci-multi-agent/orgs/private-void.nix b/cluster/services/hercules-ci-multi-agent/orgs/private-void.nix
new file mode 100644
index 0000000..1abf677
--- /dev/null
+++ b/cluster/services/hercules-ci-multi-agent/orgs/private-void.nix
@@ -0,0 +1,10 @@
+{ config, inputs, pkgs, ... }:
+
+{
+ services.hercules-ci-agents.private-void = {
+ settings = {
+ clusterJoinTokenPath = config.age.secrets.hci-token-private-void.path;
+ binaryCachesPath = config.age.secrets.hci-cache-config-private-void.path;
+ };
+ };
+}
diff --git a/secrets/hci-cache-config.age b/cluster/services/hercules-ci-multi-agent/secrets/hci-cache-config.age
similarity index 100%
rename from secrets/hci-cache-config.age
rename to cluster/services/hercules-ci-multi-agent/secrets/hci-cache-config.age
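Review bot: `{ config, lib, tools, ... }:` in default.nix binds three module arguments that the body never references, and the `inputs` and `pkgs` arguments of orgs/nixpak.nix and orgs/private-void.nix are likewise unused; trimming them to `{ ... }:` and `{ config, ... }:` keeps each argument list honest about what the module actually reads. The `nodes` and `nixos` attributes in default.nix also carry no explanation of what they select — presumably the hosts that run an agent for each org and the modules applied on those hosts — so a one-line comment above `nodes = {` stating that, hedged or not, would spare the next reader a trip into the multi-agent module.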
diff --git a/secrets/hci-cache-credentials-VEGAS.age b/cluster/services/hercules-ci-multi-agent/secrets/hci-cache-credentials-VEGAS.age
similarity index 100%
rename from secrets/hci-cache-credentials-VEGAS.age
rename to cluster/services/hercules-ci-multi-agent/secrets/hci-cache-credentials-VEGAS.age
diff --git a/secrets/hci-cache-credentials-prophet.age b/cluster/services/hercules-ci-multi-agent/secrets/hci-cache-credentials-prophet.age
similarity index 100%
rename from secrets/hci-cache-credentials-prophet.age
rename to cluster/services/hercules-ci-multi-agent/secrets/hci-cache-credentials-prophet.age
diff --git a/cluster/services/hercules-ci-multi-agent/secrets/hci-token-nixpak-VEGAS.age b/cluster/services/hercules-ci-multi-agent/secrets/hci-token-nixpak-VEGAS.age
new file mode 100644
index 0000000..02d6ae1
Binary files /dev/null and b/cluster/services/hercules-ci-multi-agent/secrets/hci-token-nixpak-VEGAS.age differ
diff --git a/secrets/hci-token-VEGAS.age b/cluster/services/hercules-ci-multi-agent/secrets/hci-token-private-void-VEGAS.age
similarity index 100%
rename from secrets/hci-token-VEGAS.age
rename to cluster/services/hercules-ci-multi-agent/secrets/hci-token-private-void-VEGAS.age
diff --git a/secrets/hci-token-prophet.age b/cluster/services/hercules-ci-multi-agent/secrets/hci-token-private-void-prophet.age
similarity index 100%
rename from secrets/hci-token-prophet.age
rename to cluster/services/hercules-ci-multi-agent/secrets/hci-token-private-void-prophet.age
diff --git a/hosts/VEGAS/system.nix b/hosts/VEGAS/system.nix
index 733d07b..7d0732e 100644
--- a/hosts/VEGAS/system.nix
+++ b/hosts/VEGAS/system.nix
@@ -37,7 +37,6 @@
 ./services/warehouse
 ./services/websites
 ./services/wireguard-server
- aspect.modules.hercules-ci-agent
 aspect.modules.hyprspace
 aspect.modules.nix-builder
 ]
diff --git a/hosts/prophet/system.nix b/hosts/prophet/system.nix
index a7ac49f..d0d1398 100644
--- a/hosts/prophet/system.nix
+++ b/hosts/prophet/system.nix
@@ -11,7 +11,6 @@
 ./services/cdn-shield
 ./services/meet
 ./services/reflex
- aspect.modules.hercules-ci-agent
 aspect.modules.hyprspace
 aspect.modules.nix-builder
 aspect.modules.sss
diff --git a/modules/default.nix b/modules/default.nix
index 5bfe36a..3c13c56 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -6,7 +6,6 @@ let
 deploy-rs-receiver = import ./deploy-rs-receiver;
 enterprise = import ./enterprise;
 fail2ban = import ./fail2ban;
- hercules-ci-agent = import ./hercules-ci-agent;
 hydra = import ./hydra;
 hyprspace = import ./hyprspace;
 ipfs = import ./ipfs;
diff --git a/modules/hercules-ci-agent/default.nix b/modules/hercules-ci-agent/default.nix
deleted file mode 100644
index fb9aeee..0000000
--- a/modules/hercules-ci-agent/default.nix
+++ /dev/null
@@ -1,36 +0,0 @@
-{ config, inputs, pkgs, ... }:
-
-{
- age.secrets = {
- hci-token = {
- file = ../../secrets + "/hci-token-${config.networking.hostName}.age";
- owner = "hercules-ci-agent";
- group = "hercules-ci-agent";
- };
- hci-cache-credentials = {
- file = ../../secrets + "/hci-cache-credentials-${config.networking.hostName}.age";
- owner = "hercules-ci-agent";
- group = "hercules-ci-agent";
- };
- hci-cache-config = {
- file = ../../secrets/hci-cache-config.age;
- owner = "hercules-ci-agent";
- group = "hercules-ci-agent";
- };
- };
- services.hercules-ci-agent = {
- enable = true;
- package = inputs.hercules-ci-agent.packages.${pkgs.system}.hercules-ci-agent;
- settings = {
- clusterJoinTokenPath = config.age.secrets.hci-token.path;
- binaryCachesPath = config.age.secrets.hci-cache-config.path;
- };
- };
- systemd.services.hercules-ci-agent = {
- # hercules-ci-agent-restarter should take care of this
- restartIfChanged = false;
- environment = {
- AWS_SHARED_CREDENTIALS_FILE = config.age.secrets.hci-cache-credentials.path;
- };
- };
-}
diff --git a/secrets.nix b/secrets.nix
index 5c72ce3..7f9de64 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -9,6 +9,12 @@ in with hosts;
 "cluster/services/dns/pdns-admin-secret.age".publicKeys = max ++ map systemKeys [ VEGAS ];
 "cluster/services/dns/pdns-api-key.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];
 "cluster/services/dns/pdns-db-credentials.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];
+ "cluster/services/hercules-ci-multi-agent/secrets/hci-cache-config.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];
+ "cluster/services/hercules-ci-multi-agent/secrets/hci-cache-credentials-prophet.age".publicKeys = max ++ map systemKeys [ prophet ];
+ "cluster/services/hercules-ci-multi-agent/secrets/hci-cache-credentials-VEGAS.age".publicKeys = max ++ map systemKeys [ VEGAS ];
+ "cluster/services/hercules-ci-multi-agent/secrets/hci-token-nixpak-VEGAS.age".publicKeys = max ++ map systemKeys [ VEGAS ];
+ "cluster/services/hercules-ci-multi-agent/secrets/hci-token-private-void-prophet.age".publicKeys = max ++ map systemKeys [ prophet ];
+ "cluster/services/hercules-ci-multi-agent/secrets/hci-token-private-void-VEGAS.age".publicKeys = max ++ map systemKeys [ VEGAS ];
 "cluster/services/ipfs/cluster-secret.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];
 "cluster/services/ipfs/cluster-pinsvc-credentials.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];
 "cluster/services/irc/irc-peer-key.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];
@@ -27,11 +33,6 @@ in with hosts;
 "secrets/gitlab-secret-otp.age".publicKeys = max ++ map systemKeys [ VEGAS ];
 "secrets/gitlab-secret-secret.age".publicKeys = max ++ map systemKeys [ VEGAS ];
 "secrets/grafana-secrets.age".publicKeys = max ++ map systemKeys [ VEGAS ];
- "secrets/hci-cache-config.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];
- "secrets/hci-cache-credentials-prophet.age".publicKeys = max ++ map systemKeys [ prophet ];
- "secrets/hci-cache-credentials-VEGAS.age".publicKeys = max ++ map systemKeys [ VEGAS ];
- "secrets/hci-token-prophet.age".publicKeys = max ++ map systemKeys [ prophet ];
- "secrets/hci-token-VEGAS.age".publicKeys = max ++ map systemKeys [ VEGAS ];
 "secrets/hydra-bincache.age".publicKeys = max ++ map systemKeys [ VEGAS ];
 "secrets/hydra-builder-key.age".publicKeys = max ++ map systemKeys [ VEGAS ];
 "secrets/hydra-db-credentials.age".publicKeys = max ++ map systemKeys [ VEGAS ];