modules/hercules-ci-agent: init

2022-03-31 19:42:20 +02:00 · 2022-03-31 19:42:20 +02:00 · d534b03b48
commit d534b03b48
parent 95c49cdfe9
4 changed files with 48 additions and 0 deletions
--- a/modules/default.nix
+++ b/modules/default.nix
@ -6,6 +6,7 @@ let
    deploy-rs-receiver = import ./deploy-rs-receiver;
    enterprise = import ./enterprise;
    fail2ban = import ./fail2ban;
+    hercules-ci-agent = import ./hercules-ci-agent;
    hydra = import ./hydra;
    hyprspace = import ./hyprspace;
    ipfs = import ./ipfs;
--- a/modules/hercules-ci-agent/default.nix
+++ b/modules/hercules-ci-agent/default.nix
@ -0,0 +1,32 @@
+{ config, inputs, pkgs, ... }:
+
+{
+  age.secrets = {
+    hci-token = {
+      file = ../../secrets + "/hci-token-${config.networking.hostName}.age";
+      owner = "hercules-ci-agent";
+      group = "hercules-ci-agent";
+    };
+    hci-cache-credentials = {
+      file = ../../secrets + "/hci-cache-credentials-${config.networking.hostName}.age";
+      owner = "hercules-ci-agent";
+      group = "hercules-ci-agent";
+    };
+    hci-cache-config = {
+      file = ../../secrets/hci-cache-config.age;
+      owner = "hercules-ci-agent";
+      group = "hercules-ci-agent";
+    };
+  };
+  services.hercules-ci-agent = {
+    enable = true;
+    package = inputs.hercules-ci-agent.packages.${pkgs.system}.hercules-ci-agent;
+    settings = {
+      clusterJoinTokenPath = config.age.secrets.hci-token.path;
+      binaryCachesPath = config.age.secrets.hci-cache-config.path;
+    };
+  };
+  systemd.services.hercules-ci-agent.environment = {
+    AWS_SHARED_CREDENTIALS_FILE = config.age.secrets.hci-cache-credentials.path;
+  };
+}
--- a/secrets/hci-cache-config.age
+++ b/secrets/hci-cache-config.age
@ -0,0 +1,14 @@
+age-encryption.org/v1
+-> ssh-ed25519 NO562A WYzF2ZFfOMtanfe2hrHbxdrD79OXzG3aftvL7hXXtgQ
+IdI90ltsRS7dnKWwd2NFGarxWoq2ZyAHAXD/PE+hos0
+-> ssh-ed25519 5/zT0w /oRzWWJ4Ek2PKrUh0X+g19xtKvT/46VzDWVCK3l6V3E
+y8/oLo1/7tns6aTyHCcac+m2uO5wG608OJJnT2osfN0
+-> ssh-ed25519 d3WGuA 11ZtvytvpquN31t8NZqFg+cd/lGeyt+G21wTXfbJpic
+cdDo/FJXqM0xCj7w68/lCWDX8X6/9M2ZHTF2hIH9wsU
+-> ssh-ed25519 6YMlxg 0+kDc0xKGGOgEl5gTRpsI9U/jrnTtPSHO7WbeQtwL2U
+h10PtmTIQOyc9g4t14qpIUKYh1LEwYUltlZ/nCiL5Bc
+-> .KZ[r"d-grease JI`!M Qx1ik
+lZL73EclhxOHMnbkVQyokAaQX/qjbdaBtihyJXK2b3czG/pLXR+G1KEFPDt6OZT0
+7w3AEdYErKh03XSJor8uoJcVVgI2
+--- eSTM+R072k2rB4zBXpV6y5dcB6QPugVrA09OfQDD8WE
+ü.xŒßÑ$ýSÕX×UHãìw@UHN+€ñîD<0F>[jð	L`úi…™“Wƒ,n³6)íMK#ÎáÏMŽ¬„eË•‹˜Å….íëtñÁ@Ž›j¤ž®ˆ0dÊ½44Il’œ:QÝ¥*
$VG•ÎŒv,{¶è8N_’)s)ðc>íBúý&Ÿj-}6áÌÆ8Æ‡
cÞ„æ”wo/¦ÏJÎÃZðW³lvËðmà„ð¨´½Êï¨ãIf×f<<3C>8ò°à¸=÷yðŽBˆ®Þ°Á#¬¡ìRHkeù}‚nž|Š»õkkZÏ†šŽfq½Õ²¿5Xþ¾å²ÜáF‰<46>çcfñ£«’ìÀxŽœD“F<…éžDvG_f!ê¶DªÕ%‰|ÿ-¢³´ù[Ï‚$ÊL|¯À×¿<C397>âôí{ÓãÑlÌþ€Ü·J|ÜY:Ê—ç¼Xeûb`1è×U;`N—×µ<C397>‡vŽI²d¶ ¥IýÈqPvFÜB_”Õä:(Í7R
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -14,6 +14,7 @@ in with hosts;
  "gitlab-secret-jws.age".publicKeys = max ++ map systemKeys [ VEGAS ];
  "gitlab-secret-otp.age".publicKeys = max ++ map systemKeys [ VEGAS ];
  "gitlab-secret-secret.age".publicKeys = max ++ map systemKeys [ VEGAS ];
+  "hci-cache-config.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];
  "hydra-bincache.age".publicKeys = max ++ map systemKeys [ VEGAS ];
  "hydra-builder-key.age".publicKeys = max ++ map systemKeys [ VEGAS ];
  "hydra-db-credentials.age".publicKeys = max ++ map systemKeys [ VEGAS ];