cluster/services/hercules-ci-multi-agent/common.nix

@@ -1,7 +1,9 @@
-{ config, depot, lib, pkgs, ... }:
+{ cluster, depot, lib, ... }:
 
 let
-  mapAgents = lib.flip lib.mapAttrs config.services.hercules-ci-agents;
+  inherit (cluster.config.services.hercules-ci-multi-agent) nodes secrets;
+
+  mapAgents = lib.flip lib.mapAttrs nodes;
 
   mergeMap = f: let
     outputs = mapAgents f;
@@ -20,32 +22,26 @@ in
     ./modules/multi-agent-refactored
   ];
 
-  age.secrets = mergeMap (name: _: {
+  systemd.services = mergeMap (_: _: {
-    hci-token = {
-      file = ./secrets + "/hci-token-${name}-${config.networking.hostName}.age";
-      owner = "hci-${name}";
-      group = "hci-${name}";
-    };
-    hci-cache-credentials = {
-      file = ./secrets + "/hci-cache-credentials-${config.networking.hostName}.age";
-      owner = "hci-${name}";
-      group = "hci-${name}";
-    };
-    hci-cache-config = {
-      file = ./secrets/hci-cache-config.age;
-      owner = "hci-${name}";
-      group = "hci-${name}";
-    };
-  });
-  systemd.services = mergeMap (name: _: {
     hercules-ci-agent = {
       # hercules-ci-agent-restarter should take care of this
       restartIfChanged = false;
       environment = {
-        AWS_SHARED_CREDENTIALS_FILE = config.age.secrets."hci-cache-credentials-${name}".path;
+        AWS_SHARED_CREDENTIALS_FILE = secrets.cacheCredentials.path;
         AWS_EC2_METADATA_DISABLED = "true";
       };
       serviceConfig.Slice = "builder.slice";
     };
   });
+
+  services.hercules-ci-agents = lib.genAttrs (lib.attrNames nodes) (org: {
+    enable = true;
+    package = depot.inputs.hercules-ci-agent.packages.hercules-ci-agent;
+    settings = {
+      clusterJoinTokenPath = secrets."clusterJoinToken-${org}".path;
+      binaryCachesPath = secrets.cacheConfig.path;
+    };
+  });
+
+  users.groups.hercules-ci-agent.members = map (org: "hci-${org}") (lib.attrNames nodes);
 }

cluster/services/hercules-ci-multi-agent/default.nix

@@ -1,4 +1,4 @@
-{ config, lib, depot, ... }:
+{ config, lib, ... }:
 
 {
   services.hercules-ci-multi-agent = {
@@ -11,21 +11,49 @@
     nixos = {
       private-void = [
         ./common.nix
-        ./orgs/private-void.nix
+        {
+          services.hercules-ci-agents.private-void.settings = {
+            secretsJsonPath = config.services.hercules-ci-multi-agent.secrets.effectsSecrets.path;
+          };
+        }
       ];
       nixpak = [
         ./common.nix
-        ./orgs/nixpak.nix
       ];
       max = [
         ./common.nix
-        ./orgs/max.nix
       ];
       hyprspace = [
         ./common.nix
-        ./orgs/hyprspace.nix
       ];
     };
+    secrets = let
+      inherit (config.services.hercules-ci-multi-agent) nodes;
+      allNodes = lib.unique (lib.concatLists (lib.attrValues nodes));
+    in {
+      cacheConfig = {
+        nodes = allNodes;
+        mode = "0440";
+        group = "hercules-ci-agent";
+      };
+      cacheCredentials = {
+        nodes = allNodes;
+        shared = false;
+        mode = "0440";
+        group = "hercules-ci-agent";
+      };
+      effectsSecrets = {
+        nodes = nodes.private-void;
+        owner = "hci-private-void";
+      };
+    } // lib.mapAttrs' (org: nodes: {
+      name = "clusterJoinToken-${org}";
+      value = {
+        inherit nodes;
+        shared = false;
+        owner = "hci-${org}";
+      };
+    }) nodes;
   };
   garage = let
     hciAgentKeys = lib.pipe config.services.hercules-ci-multi-agent.nodes [

cluster/services/hercules-ci-multi-agent/orgs/hyprspace.nix

@@ -1,12 +0,0 @@
-{ config, lib, depot, pkgs, ... }:
-
-{
-  services.hercules-ci-agents.hyprspace = {
-    enable = true;
-    package = depot.inputs.hercules-ci-agent.packages.hercules-ci-agent;
-    settings = {
-      clusterJoinTokenPath = config.age.secrets.hci-token-hyprspace.path;
-      binaryCachesPath = config.age.secrets.hci-cache-config-hyprspace.path;
-    };
-  };
-}

cluster/services/hercules-ci-multi-agent/orgs/max.nix

@@ -1,12 +0,0 @@
-{ config, lib, depot, pkgs, ... }:
-
-{
-  services.hercules-ci-agents.max = {
-    enable = true;
-    package = depot.inputs.hercules-ci-agent.packages.hercules-ci-agent;
-    settings = {
-      clusterJoinTokenPath = config.age.secrets.hci-token-max.path;
-      binaryCachesPath = config.age.secrets.hci-cache-config-max.path;
-    };
-  };
-}

cluster/services/hercules-ci-multi-agent/orgs/nixpak.nix

@@ -1,12 +0,0 @@
-{ config, lib, depot, pkgs, ... }:
-
-{
-  services.hercules-ci-agents.nixpak = {
-    enable = true;
-    package = depot.inputs.hercules-ci-agent.packages.hercules-ci-agent;
-    settings = {
-      clusterJoinTokenPath = config.age.secrets.hci-token-nixpak.path;
-      binaryCachesPath = config.age.secrets.hci-cache-config-nixpak.path;
-    };
-  };
-}

cluster/services/hercules-ci-multi-agent/orgs/private-void.nix

@@ -1,18 +0,0 @@
-{ config, lib, depot, pkgs, ... }:
-
-{
-  age.secrets.hci-effects-secrets-private-void = {
-    file = ../secrets/hci-effects-secrets-private-void.age;
-    owner = "hci-private-void";
-    group = "hci-private-void";
-  };
-  services.hercules-ci-agents.private-void = {
-    enable = true;
-    package = depot.inputs.hercules-ci-agent.packages.hercules-ci-agent;
-    settings = {
-      clusterJoinTokenPath = config.age.secrets.hci-token-private-void.path;
-      binaryCachesPath = config.age.secrets.hci-cache-config-private-void.path;
-      secretsJsonPath = config.age.secrets.hci-effects-secrets-private-void.path;
-    };
-  };
-}