switch to effect for darwin ssh deploy

nix-community · Dec 20, 2024 · d4e3e55 · d4e3e55
1 parent 3b7fb88
commit d4e3e55
Show file tree

Hide file tree

Showing 6 changed files with 49 additions and 63 deletions.
diff --git a/.github/workflows/darwin.yml b/.github/workflows/darwin.yml
diff --git a/dev/effect-deploy.nix b/dev/effect-deploy.nix
@@ -0,0 +1,34 @@
+{ self, withSystem, ... }:
+{
+  herculesCI = herculesCI: {
+    onPush.default.outputs.effects = withSystem "x86_64-linux" (
+      { hci-effects, ... }:
+      let
+        hosts = (import "${self}/modules/shared/known-hosts.nix").programs.ssh.knownHosts;
+      in
+      builtins.listToAttrs (
+        map
+          (x: {
+            name = x;
+            value = hci-effects.runIf (herculesCI.config.repo.branch == "refs/pull/1059/merge") (
+              hci-effects.runNixDarwin {
+                ssh.destination = "customer@${x}.nix-community.org";
+                configuration = self.darwinConfigurations.${x};
+                secretsMap.ssh-deployment = "ssh-deployment";
+                userSetupScript = ''
+                  writeSSHKey ssh-deployment
+                  cat >>~/.ssh/known_hosts <<EOF
+                  ${toString hosts.${x}.hostNames} ${hosts.${x}.publicKey}
+                  EOF
+                '';
+              }
+            );
+          })
+          [
+            "darwin01"
+            "darwin02"
+          ]
+      )
+    );
+  };
+}
diff --git a/flake.nix b/flake.nix
@@ -60,7 +60,9 @@
       systems = import inputs.systems;
 
       imports = [
+        ./dev/effect-deploy.nix
         ./modules
+        inputs.hercules-ci-effects.flakeModule
         inputs.lite-config.flakeModule
         inputs.treefmt-nix.flakeModule
       ];

diff --git a/hosts/build03/secrets.yaml b/hosts/build03/secrets.yaml
@@ -8,6 +8,7 @@ buildbot-github-oauth-secret: ENC[AES256_GCM,data:C5P54zotOwe3u2cOsJMKEVmZVH6hrL
 buildbot-github-webhook-secret: ENC[AES256_GCM,data:AtUFcOjLivJt8np5451Wfol5s48R4vW5gJPisT+hMD7dFAvucKriQEY+mcAMqL1X6w==,iv:oBKj9XXu/4mkeH+3KkMlWSx8GnMoXwBugNuG8Uu3XtU=,tag:8cBZVE7TOJf3QEqxfsuF8g==,type:str]
 buildbot-nix-workers: ENC[AES256_GCM,data:IHOEEmZ1RkH3oPHCZMHNmUbt0/J66IDkMn363jPnfV96rwnBrvTVRbyWcLFAvNZ9lPRpPvm6lQhUzljS3bQwrUn6P9phKtqOAhSRh6VhhmsieaMnOFt0ZKP1jVpsymyXrHpuOao=,iv:kTR0yWU7ry3HwAE6OMP7+mK1ZBcuL9gRsCZMgffZG5E=,tag:4+8E2oiVAv5ox9V4Xudcog==,type:str]
 buildbot-nix-worker-password: ENC[AES256_GCM,data:TaMHVzlzuAHfTBAyqG5JJFwpG2We+wlXva3YJnNkO9KSX9PIhnRHVES72jO63AkhvfBVEg==,iv:rTpaiCYcedcsy115BEDep68Mehb6knes7OxvBrEOrUQ=,tag:dD4Hg4oR3SfpYdP1e8V2jA==,type:str]
+buildbot-effects-nix-community-infra: ENC[AES256_GCM,data:wAYSvEza+1xjT/rIp5MtR3HEQe3OscRBtrWF/f6G/z+ftaiWXMfWhW9X8z53I20lzx9a6BqmO4jcWAGmXRSV4TX6wxKsUP9BnzxTImDS41zWfOtHV9sDifk6jmVJyAAsrY8CrebGTmPvWUXEUMmAZkUorQkv8gfxoL66GCtPfqa7d1OSKX8rAXd1YAJL58aXFeD6X6iZqo2tVd1OhlmUuFj5oum+9uLPjCY54IfilLlERw5DdTPDhMBdKt5owR0dpJDmp9t8i0AV2j4Hm36ZsY8L9ket1iB04MlapsUI24RiXHk+aFJqSy+0onvmqeniiBeaa106YomSQAS1cyOp0U+Rcqwhtnh9MNUZzciVXi2F5nkPzA3OcbQh8MDcJ/66z/VUkSac0iMXvr/47d5V0XCm9JSKXuijOUGTu9LRbdEAAQ+gsZ/Z8i6+9d75CeSoVH5Mtm7eU4CbhloNmpAcz5qyFf+sRgWz5qK8z1MwT795P/P/Oi2YQswtwnyLO7UkQ5tCrE+qcFxM9cAAcJzkzGctB5QdHDaPkkpMGic8vpAoYgx3t7Qmasuef96Fhhj4lk10sTTUrWZlnFbmduO/fDOULvisnW/BTpYsnsIPSKREg8wQAu7Fiu9EO0TZOagAQf03EiFDcxosetxPJIXoNWsZK/1LsX+7SnBBklVDtwxu6urOUCW8vYXD4aGZvkTGc6O6vwiOs+oEHd6J7Mes/+23hTzldnFobodwnzbRNVt/WT2FQjX5qFehyxbARL+EtT4MQC4sWGpXSybUs10=,iv:rdLHfK4NbCaMIIhhQd2MfVf1DdKKF9Sqe4Kxuy57yok=,tag:DPxsDTLIhA0d4KPXwseL9g==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -68,8 +69,8 @@ sops:
             WUZQSGQyQy9halJsRTIvb1FGV08zZEEKmjlYY6epTuZKRBcVyjPvJI5XKQtP5Yag
             FMrI+M6hUeyBeCade5C+Y4eGQbt57BWLmsX7u0J1WTlkUSS5j7+wPg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-07-28T03:43:07Z"
-    mac: ENC[AES256_GCM,data:LLNwJc5i/el9NuYOYX7msK+muuhAiefhrVpIbk6lM5frcaVJ3xwr84L02CkVVrw009eJKEaQw+Si7y0nC3ioWs5DQBgexj3AbROfdgtgkfEEke4tUDyAG4w4LvRZRM/7n4P1GOo9oTknBx2++bxWG3GhUu8pNQ9WNL3qmiEqcDo=,iv:ADZBT5HfyOJDDv1ck9WWDNnbeYQKs91/DI/t75E35lE=,tag:oDINiP5dbKVdp4TsZJBAig==,type:str]
+    lastmodified: "2024-12-20T08:13:13Z"
+    mac: ENC[AES256_GCM,data:XotUml1j9Ko1fJBkLRqvGjo0/5T6DviQBhYLywJ8fbrWUW9YGY70p5aO/BBR/RX1q83wBsLu0lFT4aVQD7ttuYQmBMX7MSxu/qxzAe3ouFivaILHHZBixV99S67pNTXVVvdPxCumRaBB4fceIe/hT5FoSYXE3pxecXF723y20r0=,iv:K4pmLm9b6qQF1xpeCrbHgaBvXU79puMXK6ageeCc8Yo=,tag:292V1YStDDste0E+o95gwQ==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
-    version: 3.9.0
+    version: 3.9.2
diff --git a/modules/darwin/common/users.nix b/modules/darwin/common/users.nix
@@ -3,6 +3,7 @@ let
   authorizedKeys = {
     keys = [
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDPVjRBomWFJNNkZb0g5ymLmc3pdRddIScitmJ9yC+ap" # deployment
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPoUUwDIYFzuUk8pxzekyVhqdYhShAtRAG+K3AJMMdjz" # effects-deployment
     ];
     keyFiles = pkgs.lib.filesystem.listFilesRecursive "${inputs.self}/users/keys";
   };

diff --git a/modules/nixos/buildbot.nix b/modules/nixos/buildbot.nix
@@ -57,6 +57,14 @@ in
     };
   };
 
+  services.buildbot-nix.master.effects.perRepoSecretFiles = {
+    "github:nix-community/infra" = config.age.secrets.buildbot-effects-nix-community-infra.path;
+  };
+
+  age.secrets.buildbot-effects-nix-community-infra = {
+    file = "${inputs.self}/secrets/buildbot-effects-nix-community-infra.age";
+  };
+
   services.buildbot-master = {
     title = "Nix Community";
     titleUrl = "https://nix-community.org/";