add agenix to deploy darwin secrets, darwin03: convert to CI builder

.sops.yaml

@@ -72,14 +72,6 @@ creation_rules:
           - *zimbatm
           - *zowoq
           - *adisbladis
-  - path_regex: modules/darwin/.+\.yaml$
-    key_groups:
-      - age:
-          - *mic92
-          - *ryantm
-          - *zimbatm
-          - *zowoq
-          - *adisbladis
   - path_regex: modules/nixos/hercules-ci/.+\.yaml$
     key_groups:
       - age:

dev/shell.nix

@@ -1,8 +1,9 @@
-{ pkgs, ... }:
+{ inputs', pkgs, ... }:
 {
   devShells = {
     default = with pkgs; mkShellNoCC {
       packages = [
+        inputs'.agenix.packages.default
         jq
         python3.pkgs.deploykit
         python3.pkgs.invoke

dev/treefmt.nix

@@ -30,6 +30,7 @@
     editorconfig-checker = {
       command = pkgs.editorconfig-checker;
       includes = [ "*" ];
+      excludes = [ "*.age" ];
     };
 
     nix = {

flake.nix

@@ -21,6 +21,12 @@
     # actually not used when using the modules but than nothing ever will try to fetch this nixpkgs variant
     srvos.inputs.nixpkgs.follows = "nixpkgs";
 
+    # rebased patch from https://github.com/ryantm/agenix/pull/241
+    agenix.url = "github:qowoz/agenix/darwin";
+    agenix.inputs.nixpkgs.follows = "nixpkgs";
+    agenix.inputs.home-manager.follows = "";
+    agenix.inputs.darwin.follows = "nix-darwin";
+
     nixpkgs-update.url = "github:nix-community/nixpkgs-update";
     nixpkgs-update.inputs.mmdoc.follows = "";
     nixpkgs-update.inputs.treefmt-nix.follows = "treefmt-nix";

hosts/build03/builders.nix

@@ -22,5 +22,14 @@
       systems = [ "aarch64-darwin" "x86_64-darwin" ];
       supportedFeatures = inputs.self.outputs.darwinConfigurations.darwin02.config.nix.settings.system-features;
     }
+    {
+      hostName = "darwin03.nix-community.org";
+      maxJobs = 8;
+      protocol = "ssh-ng";
+      sshKey = config.sops.secrets.id_buildfarm.path;
+      sshUser = "nix";
+      systems = [ "aarch64-darwin" "x86_64-darwin" ];
+      supportedFeatures = inputs.self.outputs.darwinConfigurations.darwin03.config.nix.settings.system-features;
+    }
   ];
 }

hosts/darwin03/configuration.nix

@@ -4,8 +4,13 @@
   imports = [
     inputs.self.darwinModules.common
     inputs.self.darwinModules.builder
+    inputs.self.darwinModules.hercules-ci
+    inputs.self.darwinModules.remote-builder
   ];
 
+  # on nix-darwin if user is removed the keys need to be removed manually from /etc/ssh/authorized_keys.d
+  nixCommunity.remote-builder.key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEmdo1x1QkRepZf7nSe+OdEWX+wOjkBLF70vX9F+xf68 builder";
+
   nix.settings.sandbox = "relaxed";
   nix.settings.extra-platforms = [ "x86_64-darwin" ];
 

modules/darwin/common/default.nix

@@ -15,6 +15,7 @@ in
     ./upgrade-diff.nix
     ../../shared/known-hosts.nix
     ../../shared/nix-daemon.nix
+    inputs.agenix.darwinModules.age
   ];
 
   # TODO: refactor this to share /users with nixos

modules/darwin/hercules-ci/default.nix

@@ -5,10 +5,27 @@ let
   '';
 in
 {
-  # hercules secrets are installed manually from ./secrets.yaml
-  # https://docs.hercules-ci.com/hercules-ci/getting-started/deploy/nix-darwin
+  age.secrets.binary-caches = {
+    file = ../../../secrets/binary-caches.age;
+    mode = "600";
+    owner = "_hercules-ci-agent";
+    group = "_hercules-ci-agent";
+  };
+
+  age.secrets.cluster-join-token = {
+    file = ../../../secrets/cluster-join-token.age;
+    mode = "600";
+    owner = "_hercules-ci-agent";
+    group = "_hercules-ci-agent";
+  };
+
   services.hercules-ci-agent.enable = true;
 
+  services.hercules-ci-agent.settings = {
+    binaryCachesPath = config.age.secrets.binary-caches.path;
+    clusterJoinTokenPath = config.age.secrets.cluster-join-token.path;
+  };
+
   # hercules-ci-agent: security: createProcess: posix_spawnp: does not exist
   # https://github.com/LnL7/nix-darwin/blob/36524adc31566655f2f4d55ad6b875fb5c1a4083/modules/services/hercules-ci-agent/default.nix#L28
   launchd.daemons.hercules-ci-agent.path = pkgs.lib.mkForce [ config.nix.package securityWrapper ];

secrets/cluster-join-token.age

@@ -0,0 +1,24 @@
+age-encryption.org/v1
+-> ssh-rsa ALNSWw
+k14GuxixIuiA4WhYtWW5PaevHx5QZc2HF9HM7Ia2ji4mNg2Pc1+cXFZG/QLROTVo
+EL0c3/MzZBGAdFYkkm8hlA+S9JLdgiP8ROIT8hjhOE55uWWaH8uDQGODQX42nBe0
+w1wN9iBDKJJ0s4kSak9K8GqS0afVvppLPZTcqoaHbh2YapXSYu7LK8BBgz4+nBUP
+0axc3TIVgUzEDls7VGU1c+aavDvBb8c/fg5w5pJZy379bzU5TWpppmi7U7hEboCA
+IMeAH5iffaksmyPIHlK/iwpHdkchLKX+2YHAu8DxywHeowm4rbxKv3oHfH+/3uM3
+28VUeqYY/SCqwLSe84ZnSg
+-> ssh-ed25519 Qi7vNw W23Q9s5rainiPnp67oLEcLKpEfmvqxUUWL5u+yvN+0o
+/Tiyf6QaTM1NIKPPdrK9e8K43Ee0cNAV5uS5fiab3p8
+-> ssh-ed25519 MW0fCg 2AXjCOaTHC6kJ+m5OnVwyuy6DEI2+6E//fZ7PkZsfFo
+gEvzFrYhSCCvBaOjPb1aI49kCJBK5mpDGShJuVpbSn4
+-> ssh-ed25519 92bXiA xv18v2ncQRE9MWJbpNsGUkwhho/NNZ465zcOl1qi3HQ
+OKP7B3ecWEeBF7GA0Vx72BMRbM6iE6/fQ4mkCaGx4R0
+-> ssh-ed25519 h1lenA tBhqzlU6IKkHKkTb9p8p2R/OOyLtOhLyAIujO+1oyEg
+8ORTR81GImpbXu4rJ0HTSOwbFb3Zw+JmfYSGFoQXLHg
+-> ssh-ed25519 7tFeRw BpJpUC2tTiDfGnO5JvYwW/JiTU2RSfeKzDOCMfLBUxY
+u0mDqrcX/vKNJvqu9Bjl6qUrf1CAkGm5cBRhg984lXk
+-> ssh-ed25519 /B167A t3O6wWHJ1GAxe/e7XwiUzl+uWVBG5F7vc088zFYoFm0
+T954lFCHmJTuOnMy5N1OizGzySbd5/ow1eBbcpJl/F4
+--- BHVcjNVuUaft0wyxOjncdhbpiC9UtUgWSk8sUr6lBCw
+��'���y�"�N��Tm;�)w�V�Ĭ���ќwtֽ,����}-�1�|�ʅ�����b��	t%���+l0�`��W�� �vw�6�>"7�i3�&L��Y*�P(S��	<򠎜������m��ˠTqdK$(��y7�PG(y�*��7p��E�/gT�?3Aq���16�#�ȋ�T'y��G�e%.�ۀʭ�Op��:�
+��Ҩ3Hv��E%(�����s�����l��%������������
+`�w��
FLX

secrets/secrets.nix

@@ -0,0 +1,18 @@
+let
+  adisbladis = builtins.readFile ../users/keys/adisbladis;
+  mic92 = builtins.readFile ../users/keys/mic92;
+  ryantm = builtins.readFile ../users/keys/ryantm;
+  zimbatm = builtins.readFile ../users/keys/zimbatm;
+  zowoq = builtins.readFile ../users/keys/zowoq;
+
+  users = [ adisbladis mic92 ryantm zimbatm zowoq ];
+
+  inherit ((import ../modules/shared/known-hosts.nix).programs.ssh) knownHosts;
+
+  darwin02 = knownHosts.darwin02.publicKey;
+  darwin03 = knownHosts.darwin03.publicKey;
+in
+{
+  "binary-caches.age".publicKeys = users ++ [ darwin02 darwin03 ];
+  "cluster-join-token.age".publicKeys = users ++ [ darwin02 darwin03 ];
+}