Cluster secrets #100

Merged
max merged 17 commits from pr-cluster-secrets into master 2024-07-08 22:23:11 +03:00
18 changed files with 50 additions and 80 deletions
Showing only changes of commit deaa423c86 - Show all commits


@ -1,7 +1,9 @@
{ config, depot, lib, pkgs, ... }:
{ cluster, depot, lib, ... }:
let
mapAgents = lib.flip lib.mapAttrs config.services.hercules-ci-agents;
inherit (cluster.config.services.hercules-ci-multi-agent) nodes secrets;
mapAgents = lib.flip lib.mapAttrs nodes;
mergeMap = f: let
outputs = mapAgents f;
@ -20,32 +22,26 @@ in
./modules/multi-agent-refactored
];
age.secrets = mergeMap (name: _: {
hci-token = {
file = ./secrets + "/hci-token-${name}-${config.networking.hostName}.age";
owner = "hci-${name}";
group = "hci-${name}";
};
hci-cache-credentials = {
file = ./secrets + "/hci-cache-credentials-${config.networking.hostName}.age";
owner = "hci-${name}";
group = "hci-${name}";
};
hci-cache-config = {
file = ./secrets/hci-cache-config.age;
owner = "hci-${name}";
group = "hci-${name}";
};
});
systemd.services = mergeMap (name: _: {
systemd.services = mergeMap (_: _: {
hercules-ci-agent = {
# hercules-ci-agent-restarter should take care of this
restartIfChanged = false;
environment = {
AWS_SHARED_CREDENTIALS_FILE = config.age.secrets."hci-cache-credentials-${name}".path;
AWS_SHARED_CREDENTIALS_FILE = secrets.cacheCredentials.path;
AWS_EC2_METADATA_DISABLED = "true";
};
serviceConfig.Slice = "builder.slice";
};
});
services.hercules-ci-agents = lib.genAttrs (lib.attrNames nodes) (org: {
enable = true;
package = depot.inputs.hercules-ci-agent.packages.hercules-ci-agent;
settings = {
clusterJoinTokenPath = secrets."clusterJoinToken-${org}".path;
binaryCachesPath = secrets.cacheConfig.path;
};
});
users.groups.hercules-ci-agent.members = map (org: "hci-${org}") (lib.attrNames nodes);
}
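Review bot: `services.hercules-ci-agents = lib.genAttrs (lib.attrNames nodes) …` (and the `mergeMap` over `nodes` above it) enables an agent for every org on any host that imports this file, whereas the deleted `orgs/*.nix` modules enabled an org's agent only where that org's module list was imported. The sibling file deploys `clusterJoinToken-${org}` only to `nodes.${org}` (which appears to be an org → hosts mapping), so on a host outside that list `secrets."clusterJoinToken-${org}".path` would point at a secret that is not deployed there — unless every host belongs to every org, which I cannot confirm from this page. If per-host filtering is intended, restrict the org set, e.g. `orgs = lib.attrNames (lib.filterAttrs (_: hosts: lib.elem config.networking.hostName hosts) nodes);` and use `orgs` in both `genAttrs` and the group `members` line (note `config` was removed from the argument list in this commit and would need to come back). I would also add a comment on the `AWS_SHARED_CREDENTIALS_FILE` line, `# one 0440 file shared via the hercules-ci-agent group; every org's agent can read it, same scope as the previous per-agent copies of the per-host secret`, so the next reader does not have to re-derive that the exposure was not widened.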


@ -1,4 +1,4 @@
{ config, lib, depot, ... }:
{ config, lib, ... }:
{
services.hercules-ci-multi-agent = {
@ -11,21 +11,49 @@
nixos = {
private-void = [
./common.nix
./orgs/private-void.nix
{
services.hercules-ci-agents.private-void.settings = {
secretsJsonPath = config.services.hercules-ci-multi-agent.secrets.effectsSecrets.path;
};
}
];
nixpak = [
./common.nix
./orgs/nixpak.nix
];
max = [
./common.nix
./orgs/max.nix
];
hyprspace = [
./common.nix
./orgs/hyprspace.nix
];
};
secrets = let
inherit (config.services.hercules-ci-multi-agent) nodes;
allNodes = lib.unique (lib.concatLists (lib.attrValues nodes));
in {
cacheConfig = {
nodes = allNodes;
mode = "0440";
group = "hercules-ci-agent";
};
cacheCredentials = {
nodes = allNodes;
shared = false;
mode = "0440";
group = "hercules-ci-agent";
};
effectsSecrets = {
nodes = nodes.private-void;
owner = "hci-private-void";
};
} // lib.mapAttrs' (org: nodes: {
name = "clusterJoinToken-${org}";
value = {
inherit nodes;
shared = false;
owner = "hci-${org}";
};
}) nodes;
};
garage = let
hciAgentKeys = lib.pipe config.services.hercules-ci-multi-agent.nodes [
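Review bot: `effectsSecrets` and the generated `clusterJoinToken-${org}` entries set only `owner` and leave `group`/`mode` to the secrets module's defaults, while the deleted `orgs/private-void.nix` set both `owner` and `group` to `hci-private-void` explicitly and the `cacheConfig`/`cacheCredentials` entries in this hunk spell out `mode = "0440"`. These are presumably the most sensitive files here (the effects JSON and the cluster join tokens), so their permissions should not be implicit: I'd add `group = "hci-private-void"; mode = "0400";` to `effectsSecrets` and `group = "hci-${org}"; mode = "0400";` to the join-token value, assuming the module accepts those options as it does for the cache entries. I cannot see the secrets module's defaults from this page; if they are already owner-only, this only makes the intent explicit and guards against a future default change.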


@ -1,12 +0,0 @@
{ config, lib, depot, pkgs, ... }:
{
services.hercules-ci-agents.hyprspace = {
enable = true;
package = depot.inputs.hercules-ci-agent.packages.hercules-ci-agent;
settings = {
clusterJoinTokenPath = config.age.secrets.hci-token-hyprspace.path;
binaryCachesPath = config.age.secrets.hci-cache-config-hyprspace.path;
};
};
}


@ -1,12 +0,0 @@
{ config, lib, depot, pkgs, ... }:
{
services.hercules-ci-agents.max = {
enable = true;
package = depot.inputs.hercules-ci-agent.packages.hercules-ci-agent;
settings = {
clusterJoinTokenPath = config.age.secrets.hci-token-max.path;
binaryCachesPath = config.age.secrets.hci-cache-config-max.path;
};
};
}


@ -1,12 +0,0 @@
{ config, lib, depot, pkgs, ... }:
{
services.hercules-ci-agents.nixpak = {
enable = true;
package = depot.inputs.hercules-ci-agent.packages.hercules-ci-agent;
settings = {
clusterJoinTokenPath = config.age.secrets.hci-token-nixpak.path;
binaryCachesPath = config.age.secrets.hci-cache-config-nixpak.path;
};
};
}


@ -1,18 +0,0 @@
{ config, lib, depot, pkgs, ... }:
{
age.secrets.hci-effects-secrets-private-void = {
file = ../secrets/hci-effects-secrets-private-void.age;
owner = "hci-private-void";
group = "hci-private-void";
};
services.hercules-ci-agents.private-void = {
enable = true;
package = depot.inputs.hercules-ci-agent.packages.hercules-ci-agent;
settings = {
clusterJoinTokenPath = config.age.secrets.hci-token-private-void.path;
binaryCachesPath = config.age.secrets.hci-cache-config-private-void.path;
secretsJsonPath = config.age.secrets.hci-effects-secrets-private-void.path;
};
};
}