cluster/services/hercules-ci-multi-agent: init

obsoletes modules/hercules-ci-agent

Hercules CI orgs:
- private-void
- nixpak

cluster/services/hercules-ci-multi-agent/common.nix

@@ -0,0 +1,56 @@
+{ config, inputs, lib, pkgs, ... }:
+
+let
+  mapAgents = lib.flip lib.mapAttrs config.services.hercules-ci-agents;
+
+  #lib.foldl' (a: b: a // b) {} (lib.attrValues (lib.mapAttrs (basename: basevalue: lib.mapAttrs' (n: v: lib.nameValuePair "${n}-${basename}" v) basevalue) x));
+  mergeMap = f: let
+    outputs = mapAgents f;
+  in  lib.pipe outputs [
+    (lib.mapAttrs (basename: basevalue:
+      lib.mapAttrs' (n: v:
+        lib.nameValuePair "${n}-${basename}" v
+      ) basevalue
+    ))
+    lib.attrValues
+    (lib.foldl' (a: b: a // b) {})
+  ];
+in
+{
+  imports = [
+    inputs.hercules-ci-agent.nixosModules.multi-agent-service
+  ];
+
+  age.secrets = mergeMap (name: _: {
+    hci-token = {
+      file = ./secrets + "/hci-token-${name}-${config.networking.hostName}.age";
+      owner = "hci-${name}";
+      group = "hci-${name}";
+    };
+    hci-cache-credentials = {
+      file = ./secrets + "/hci-cache-credentials-${config.networking.hostName}.age";
+      owner = "hci-${name}";
+      group = "hci-${name}";
+    };
+    hci-cache-config = {
+      file = ./secrets/hci-cache-config.age;
+      owner = "hci-${name}";
+      group = "hci-${name}";
+    };
+  });
+  services.hercules-ci-agents.private-void = {
+    settings = {
+      clusterJoinTokenPath = config.age.secrets.hci-token-private-void.path;
+      binaryCachesPath = config.age.secrets.hci-cache-config-private-void.path;
+    };
+  };
+  systemd.services = mergeMap (name: _: {
+    hercules-ci-agent = {
+      # hercules-ci-agent-restarter should take care of this
+      restartIfChanged = false;
+      environment = {
+        AWS_SHARED_CREDENTIALS_FILE = config.age.secrets."hci-cache-credentials-${name}".path;
+      };
+    };
+  });
+}

cluster/services/hercules-ci-multi-agent/default.nix

@@ -0,0 +1,20 @@
+{ config, lib, tools, ... }:
+
+{
+  services.hercules-ci-multi-agent = {
+    nodes = {
+      private-void = [ "VEGAS" "prophet" ];
+      nixpak = [ "VEGAS" ];
+    };
+    nixos = {
+      private-void = [
+        ./common.nix
+        ./orgs/private-void.nix
+      ];
+      nixpak = [
+        ./common.nix
+        ./orgs/nixpak.nix
+      ];
+    };
+  };
+}

cluster/services/hercules-ci-multi-agent/orgs/nixpak.nix

@@ -0,0 +1,10 @@
+{ config, inputs, pkgs, ... }:
+
+{
+  services.hercules-ci-agents.nixpak = {
+    settings = {
+      clusterJoinTokenPath = config.age.secrets.hci-token-nixpak.path;
+      binaryCachesPath = config.age.secrets.hci-cache-config-nixpak.path;
+    };
+  };
+}

cluster/services/hercules-ci-multi-agent/orgs/private-void.nix

@@ -0,0 +1,10 @@
+{ config, inputs, pkgs, ... }:
+
+{
+  services.hercules-ci-agents.private-void = {
+    settings = {
+      clusterJoinTokenPath = config.age.secrets.hci-token-private-void.path;
+      binaryCachesPath = config.age.secrets.hci-cache-config-private-void.path;
+    };
+  };
+}

hosts/VEGAS/system.nix

@@ -37,7 +37,6 @@
       ./services/warehouse
       ./services/websites
       ./services/wireguard-server
-      aspect.modules.hercules-ci-agent
       aspect.modules.hyprspace
       aspect.modules.nix-builder
     ]

hosts/prophet/system.nix

@@ -11,7 +11,6 @@
       ./services/cdn-shield
       ./services/meet
       ./services/reflex
-      aspect.modules.hercules-ci-agent
       aspect.modules.hyprspace
       aspect.modules.nix-builder
       aspect.modules.sss

modules/default.nix

@@ -6,7 +6,6 @@ let
     deploy-rs-receiver = import ./deploy-rs-receiver;
     enterprise = import ./enterprise;
     fail2ban = import ./fail2ban;
-    hercules-ci-agent = import ./hercules-ci-agent;
     hydra = import ./hydra;
     hyprspace = import ./hyprspace;
     ipfs = import ./ipfs;

modules/hercules-ci-agent/default.nix

@@ -1,36 +0,0 @@
-{ config, inputs, pkgs, ... }:
-
-{
-  age.secrets = {
-    hci-token = {
-      file = ../../secrets + "/hci-token-${config.networking.hostName}.age";
-      owner = "hercules-ci-agent";
-      group = "hercules-ci-agent";
-    };
-    hci-cache-credentials = {
-      file = ../../secrets + "/hci-cache-credentials-${config.networking.hostName}.age";
-      owner = "hercules-ci-agent";
-      group = "hercules-ci-agent";
-    };
-    hci-cache-config = {
-      file = ../../secrets/hci-cache-config.age;
-      owner = "hercules-ci-agent";
-      group = "hercules-ci-agent";
-    };
-  };
-  services.hercules-ci-agent = {
-    enable = true;
-    package = inputs.hercules-ci-agent.packages.${pkgs.system}.hercules-ci-agent;
-    settings = {
-      clusterJoinTokenPath = config.age.secrets.hci-token.path;
-      binaryCachesPath = config.age.secrets.hci-cache-config.path;
-    };
-  };
-  systemd.services.hercules-ci-agent = {
-    # hercules-ci-agent-restarter should take care of this
-    restartIfChanged = false;
-    environment = {
-      AWS_SHARED_CREDENTIALS_FILE = config.age.secrets.hci-cache-credentials.path;
-    };
-  };
-}

secrets.nix

@@ -9,6 +9,12 @@ in with hosts;
   "cluster/services/dns/pdns-admin-secret.age".publicKeys = max ++ map systemKeys [ VEGAS ];
   "cluster/services/dns/pdns-api-key.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];
   "cluster/services/dns/pdns-db-credentials.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];
+  "cluster/services/hercules-ci-multi-agent/secrets/hci-cache-config.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];
+  "cluster/services/hercules-ci-multi-agent/secrets/hci-cache-credentials-prophet.age".publicKeys = max ++ map systemKeys [ prophet ];
+  "cluster/services/hercules-ci-multi-agent/secrets/hci-cache-credentials-VEGAS.age".publicKeys = max ++ map systemKeys [ VEGAS ];
+  "cluster/services/hercules-ci-multi-agent/secrets/hci-token-nixpak-VEGAS.age".publicKeys = max ++ map systemKeys [ VEGAS ];
+  "cluster/services/hercules-ci-multi-agent/secrets/hci-token-private-void-prophet.age".publicKeys = max ++ map systemKeys [ prophet ];
+  "cluster/services/hercules-ci-multi-agent/secrets/hci-token-private-void-VEGAS.age".publicKeys = max ++ map systemKeys [ VEGAS ];
   "cluster/services/ipfs/cluster-secret.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];
   "cluster/services/ipfs/cluster-pinsvc-credentials.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];
   "cluster/services/irc/irc-peer-key.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];
@@ -27,11 +33,6 @@ in with hosts;
   "secrets/gitlab-secret-otp.age".publicKeys = max ++ map systemKeys [ VEGAS ];
   "secrets/gitlab-secret-secret.age".publicKeys = max ++ map systemKeys [ VEGAS ];
   "secrets/grafana-secrets.age".publicKeys = max ++ map systemKeys [ VEGAS ];
-  "secrets/hci-cache-config.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];
-  "secrets/hci-cache-credentials-prophet.age".publicKeys = max ++ map systemKeys [ prophet ];
-  "secrets/hci-cache-credentials-VEGAS.age".publicKeys = max ++ map systemKeys [ VEGAS ];
-  "secrets/hci-token-prophet.age".publicKeys = max ++ map systemKeys [ prophet ];
-  "secrets/hci-token-VEGAS.age".publicKeys = max ++ map systemKeys [ VEGAS ];
   "secrets/hydra-bincache.age".publicKeys = max ++ map systemKeys [ VEGAS ];
   "secrets/hydra-builder-key.age".publicKeys = max ++ map systemKeys [ VEGAS ];
   "secrets/hydra-db-credentials.age".publicKeys = max ++ map systemKeys [ VEGAS ];