switch to effect for darwin ssh deploy

2023-12-27 10:43:18 +10:00 · 2023-12-27 10:43:18 +10:00 · 3464ec27e2
commit 3464ec27e2
parent 8471d2a8d6
5 changed files with 47 additions and 3 deletions
--- a/dev/effect-deploy.nix
+++ b/dev/effect-deploy.nix
@ -0,0 +1,34 @@
+{ self, withSystem, ... }:
+{
+  herculesCI = herculesCI: {
+    onPush.default.outputs.effects = withSystem "x86_64-linux" (
+      { hci-effects, ... }:
+      let
+        hosts = (import "${self}/modules/shared/known-hosts.nix").programs.ssh.knownHosts;
+      in
+      builtins.listToAttrs (
+        map
+          (x: {
+            name = x;
+            value = hci-effects.runIf (herculesCI.config.repo.branch == "master") (
+              hci-effects.runNixDarwin {
+                ssh.destination = "customer@${x}.nix-community.org";
+                configuration = self.darwinConfigurations.${x};
+                secretsMap.ssh-deployment = "ssh-deployment";
+                userSetupScript = ''
+                  writeSSHKey ssh-deployment
+                  cat >>~/.ssh/known_hosts <<EOF
+                  ${toString hosts.${x}.hostNames} ${hosts.${x}.publicKey}
+                  EOF
+                '';
+              }
+            );
+          })
+          [
+            "darwin01"
+            "darwin02"
+          ]
+      )
+    );
+  };
+}
--- a/flake.nix
+++ b/flake.nix
@ -54,7 +54,9 @@
      systems = import inputs.systems;

      imports = [
+        ./dev/effect-deploy.nix
        ./modules
+        inputs.hercules-ci-effects.flakeModule
        inputs.lite-config.flakeModule
        inputs.treefmt-nix.flakeModule
      ];
--- a/hosts/build03/secrets.yaml
+++ b/hosts/build03/secrets.yaml
@ -8,6 +8,7 @@ buildbot-github-oauth-secret: ENC[AES256_GCM,data:C5P54zotOwe3u2cOsJMKEVmZVH6hrL
 buildbot-github-webhook-secret: ENC[AES256_GCM,data:AtUFcOjLivJt8np5451Wfol5s48R4vW5gJPisT+hMD7dFAvucKriQEY+mcAMqL1X6w==,iv:oBKj9XXu/4mkeH+3KkMlWSx8GnMoXwBugNuG8Uu3XtU=,tag:8cBZVE7TOJf3QEqxfsuF8g==,type:str]
 buildbot-nix-workers: ENC[AES256_GCM,data:IHOEEmZ1RkH3oPHCZMHNmUbt0/J66IDkMn363jPnfV96rwnBrvTVRbyWcLFAvNZ9lPRpPvm6lQhUzljS3bQwrUn6P9phKtqOAhSRh6VhhmsieaMnOFt0ZKP1jVpsymyXrHpuOao=,iv:kTR0yWU7ry3HwAE6OMP7+mK1ZBcuL9gRsCZMgffZG5E=,tag:4+8E2oiVAv5ox9V4Xudcog==,type:str]
 buildbot-nix-worker-password: ENC[AES256_GCM,data:TaMHVzlzuAHfTBAyqG5JJFwpG2We+wlXva3YJnNkO9KSX9PIhnRHVES72jO63AkhvfBVEg==,iv:rTpaiCYcedcsy115BEDep68Mehb6knes7OxvBrEOrUQ=,tag:dD4Hg4oR3SfpYdP1e8V2jA==,type:str]
+buildbot-effects-nix-community-infra: ENC[AES256_GCM,data:wAYSvEza+1xjT/rIp5MtR3HEQe3OscRBtrWF/f6G/z+ftaiWXMfWhW9X8z53I20lzx9a6BqmO4jcWAGmXRSV4TX6wxKsUP9BnzxTImDS41zWfOtHV9sDifk6jmVJyAAsrY8CrebGTmPvWUXEUMmAZkUorQkv8gfxoL66GCtPfqa7d1OSKX8rAXd1YAJL58aXFeD6X6iZqo2tVd1OhlmUuFj5oum+9uLPjCY54IfilLlERw5DdTPDhMBdKt5owR0dpJDmp9t8i0AV2j4Hm36ZsY8L9ket1iB04MlapsUI24RiXHk+aFJqSy+0onvmqeniiBeaa106YomSQAS1cyOp0U+Rcqwhtnh9MNUZzciVXi2F5nkPzA3OcbQh8MDcJ/66z/VUkSac0iMXvr/47d5V0XCm9JSKXuijOUGTu9LRbdEAAQ+gsZ/Z8i6+9d75CeSoVH5Mtm7eU4CbhloNmpAcz5qyFf+sRgWz5qK8z1MwT795P/P/Oi2YQswtwnyLO7UkQ5tCrE+qcFxM9cAAcJzkzGctB5QdHDaPkkpMGic8vpAoYgx3t7Qmasuef96Fhhj4lk10sTTUrWZlnFbmduO/fDOULvisnW/BTpYsnsIPSKREg8wQAu7Fiu9EO0TZOagAQf03EiFDcxosetxPJIXoNWsZK/1LsX+7SnBBklVDtwxu6urOUCW8vYXD4aGZvkTGc6O6vwiOs+oEHd6J7Mes/+23hTzldnFobodwnzbRNVt/WT2FQjX5qFehyxbARL+EtT4MQC4sWGpXSybUs10=,iv:rdLHfK4NbCaMIIhhQd2MfVf1DdKKF9Sqe4Kxuy57yok=,tag:DPxsDTLIhA0d4KPXwseL9g==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -68,8 +69,8 @@ sops:
            WUZQSGQyQy9halJsRTIvb1FGV08zZEEKmjlYY6epTuZKRBcVyjPvJI5XKQtP5Yag
            FMrI+M6hUeyBeCade5C+Y4eGQbt57BWLmsX7u0J1WTlkUSS5j7+wPg==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-07-28T03:43:07Z"
-    mac: ENC[AES256_GCM,data:LLNwJc5i/el9NuYOYX7msK+muuhAiefhrVpIbk6lM5frcaVJ3xwr84L02CkVVrw009eJKEaQw+Si7y0nC3ioWs5DQBgexj3AbROfdgtgkfEEke4tUDyAG4w4LvRZRM/7n4P1GOo9oTknBx2++bxWG3GhUu8pNQ9WNL3qmiEqcDo=,iv:ADZBT5HfyOJDDv1ck9WWDNnbeYQKs91/DI/t75E35lE=,tag:oDINiP5dbKVdp4TsZJBAig==,type:str]
+    lastmodified: "2024-12-20T08:13:13Z"
+    mac: ENC[AES256_GCM,data:XotUml1j9Ko1fJBkLRqvGjo0/5T6DviQBhYLywJ8fbrWUW9YGY70p5aO/BBR/RX1q83wBsLu0lFT4aVQD7ttuYQmBMX7MSxu/qxzAe3ouFivaILHHZBixV99S67pNTXVVvdPxCumRaBB4fceIe/hT5FoSYXE3pxecXF723y20r0=,iv:K4pmLm9b6qQF1xpeCrbHgaBvXU79puMXK6ageeCc8Yo=,tag:292V1YStDDste0E+o95gwQ==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
-    version: 3.9.0
+    version: 3.9.2
--- a/modules/darwin/common/users.nix
+++ b/modules/darwin/common/users.nix
@ -3,6 +3,7 @@ let
  authorizedKeys = {
    keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDPVjRBomWFJNNkZb0g5ymLmc3pdRddIScitmJ9yC+ap" # deployment
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPoUUwDIYFzuUk8pxzekyVhqdYhShAtRAG+K3AJMMdjz" # effects-deployment
    ];
    keyFiles = pkgs.lib.filesystem.listFilesRecursive "${inputs.self}/users/keys";
  };
--- a/modules/nixos/buildbot.nix
+++ b/modules/nixos/buildbot.nix
@ -67,6 +67,12 @@ in
    };
  };

+  sops.secrets.buildbot-effects-nix-community-infra = { };
+
+  services.buildbot-nix.master.effects.perRepoSecretFiles = {
+    "github:nix-community/infra" = config.sops.secrets.buildbot-effects-nix-community-infra.path;
+  };
+
  services.buildbot-master = {
    title = "Nix Community";
    titleUrl = "https://nix-community.org/";