diff --git a/dev/effect-deploy.nix b/dev/effect-deploy.nix
new file mode 100644
index 0000000..d3d89e1
--- /dev/null
+++ b/dev/effect-deploy.nix
@@ -0,0 +1,34 @@
+{ self, withSystem, ... }:
+{
+ herculesCI = herculesCI: {
+ onPush.default.outputs.effects = withSystem "x86_64-linux" (
+ { hci-effects, ... }:
+ let
+ hosts = (import "${self}/modules/shared/known-hosts.nix").programs.ssh.knownHosts;
+ in
+ builtins.listToAttrs (
+ map
+ (x: {
+ name = x;
+ value = hci-effects.runIf (herculesCI.config.repo.branch == "master") (
+ hci-effects.runNixDarwin {
+ ssh.destination = "customer@${x}.nix-community.org";
+ configuration = self.darwinConfigurations.${x};
+ secretsMap.ssh-deployment = "ssh-deployment";
+ userSetupScript = ''
+ writeSSHKey ssh-deployment
+ cat >>~/.ssh/known_hosts <<EOF
+ ${toString hosts.${x}.hostNames} ${hosts.${x}.publicKey}
+ EOF
+ '';
+ }
+ );
+ })
+ [
+ "darwin01"
+ "darwin02"
+ ]
+ )
+ );
+ };
+}
diff --git a/flake.nix b/flake.nix
index a5e6abc..2b7d793 100644
--- a/flake.nix
+++ b/flake.nix
@@ -54,7 +54,9 @@
 systems = import inputs.systems;
 imports = [
+ ./dev/effect-deploy.nix
 ./modules
+ inputs.hercules-ci-effects.flakeModule
 inputs.lite-config.flakeModule
 inputs.treefmt-nix.flakeModule
 ];
diff --git a/hosts/build03/secrets.yaml b/hosts/build03/secrets.yaml
index aa21080..b873d19 100644
--- a/hosts/build03/secrets.yaml
+++ b/hosts/build03/secrets.yaml
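Review bot: In dev/effect-deploy.nix the known_hosts entry is built with `${toString hosts.${x}.hostNames}`, and `toString` on a list joins its elements with spaces, whereas the known_hosts format expects the host patterns as a single comma-separated field. If any entry in modules/shared/known-hosts.nix (not shown on this page) lists more than one name, the written line is malformed and the pinned key will not match, so the deploy fails host-key verification. Joining explicitly keeps the pin valid: `${builtins.concatStringsSep "," hosts.${x}.hostNames} ${hosts.${x}.publicKey}`. It is also worth confirming that `${x}.nix-community.org`, the name used in `ssh.destination`, is one of those hostNames, since that is the name ssh looks up.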
@@ -8,6 +8,7 @@ buildbot-github-oauth-secret: ENC[AES256_GCM,data:C5P54zotOwe3u2cOsJMKEVmZVH6hrL buildbot-github-webhook-secret: ENC[AES256_GCM,data:AtUFcOjLivJt8np5451Wfol5s48R4vW5gJPisT+hMD7dFAvucKriQEY+mcAMqL1X6w==,iv:oBKj9XXu/4mkeH+3KkMlWSx8GnMoXwBugNuG8Uu3XtU=,tag:8cBZVE7TOJf3QEqxfsuF8g==,type:str] buildbot-nix-workers: ENC[AES256_GCM,data:IHOEEmZ1RkH3oPHCZMHNmUbt0/J66IDkMn363jPnfV96rwnBrvTVRbyWcLFAvNZ9lPRpPvm6lQhUzljS3bQwrUn6P9phKtqOAhSRh6VhhmsieaMnOFt0ZKP1jVpsymyXrHpuOao=,iv:kTR0yWU7ry3HwAE6OMP7+mK1ZBcuL9gRsCZMgffZG5E=,tag:4+8E2oiVAv5ox9V4Xudcog==,type:str] buildbot-nix-worker-password: ENC[AES256_GCM,data:TaMHVzlzuAHfTBAyqG5JJFwpG2We+wlXva3YJnNkO9KSX9PIhnRHVES72jO63AkhvfBVEg==,iv:rTpaiCYcedcsy115BEDep68Mehb6knes7OxvBrEOrUQ=,tag:dD4Hg4oR3SfpYdP1e8V2jA==,type:str] +buildbot-effects-nix-community-infra: ENC[AES256_GCM,data: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,iv:rdLHfK4NbCaMIIhhQd2MfVf1DdKKF9Sqe4Kxuy57yok=,tag:DPxsDTLIhA0d4KPXwseL9g==,type:str] sops: kms: [] gcp_kms: [] @@ -68,8 +69,8 @@ sops: WUZQSGQyQy9halJsRTIvb1FGV08zZEEKmjlYY6epTuZKRBcVyjPvJI5XKQtP5Yag FMrI+M6hUeyBeCade5C+Y4eGQbt57BWLmsX7u0J1WTlkUSS5j7+wPg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-07-28T03:43:07Z" - mac: ENC[AES256_GCM,data:LLNwJc5i/el9NuYOYX7msK+muuhAiefhrVpIbk6lM5frcaVJ3xwr84L02CkVVrw009eJKEaQw+Si7y0nC3ioWs5DQBgexj3AbROfdgtgkfEEke4tUDyAG4w4LvRZRM/7n4P1GOo9oTknBx2++bxWG3GhUu8pNQ9WNL3qmiEqcDo=,iv:ADZBT5HfyOJDDv1ck9WWDNnbeYQKs91/DI/t75E35lE=,tag:oDINiP5dbKVdp4TsZJBAig==,type:str] + lastmodified: "2024-12-20T08:13:13Z" + mac: ENC[AES256_GCM,data:XotUml1j9Ko1fJBkLRqvGjo0/5T6DviQBhYLywJ8fbrWUW9YGY70p5aO/BBR/RX1q83wBsLu0lFT4aVQD7ttuYQmBMX7MSxu/qxzAe3ouFivaILHHZBixV99S67pNTXVVvdPxCumRaBB4fceIe/hT5FoSYXE3pxecXF723y20r0=,iv:K4pmLm9b6qQF1xpeCrbHgaBvXU79puMXK6ageeCc8Yo=,tag:292V1YStDDste0E+o95gwQ==,type:str] pgp: [] unencrypted_suffix: _unencrypted - version: 3.9.0 + version: 3.9.2 
diff --git a/modules/darwin/common/users.nix b/modules/darwin/common/users.nix
index 15c1eec..71456fe 100644
--- a/modules/darwin/common/users.nix
+++ b/modules/darwin/common/users.nix
@@ -3,6 +3,7 @@ let
 authorizedKeys = {
 keys = [
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDPVjRBomWFJNNkZb0g5ymLmc3pdRddIScitmJ9yC+ap" # deployment
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPoUUwDIYFzuUk8pxzekyVhqdYhShAtRAG+K3AJMMdjz" # effects-deployment
 ];
 keyFiles = pkgs.lib.filesystem.listFilesRecursive "${inputs.self}/users/keys";
 };
diff --git a/modules/nixos/buildbot.nix b/modules/nixos/buildbot.nix
index 6368825..7ff5c91 100644
--- a/modules/nixos/buildbot.nix
+++ b/modules/nixos/buildbot.nix
@@ -67,6 +67,12 @@ in
 };
 };
+ sops.secrets.buildbot-effects-nix-community-infra = { };
+
+ services.buildbot-nix.master.effects.perRepoSecretFiles = {
+ "github:nix-community/infra" = config.sops.secrets.buildbot-effects-nix-community-infra.path;
+ };
+
 services.buildbot-master = {
 title = "Nix Community";
 titleUrl = "https://nix-community.org/";
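Review bot: The new `effects-deployment` key in modules/darwin/common/users.nix is added to the shared `authorizedKeys.keys` list with no restrictions and only a two-word comment, so it becomes a second standing credential with the same reach as the existing deployment key. Which accounts consume `authorizedKeys` is not visible in this hunk (the `let` block continues outside it); if that includes an administrative account, consider whether a CI-held key needs it, given that the effect in this commit connects as `customer@`. At minimum the comment should record where the private half lives and what uses it, for example `# effects-deployment: used by the buildbot effect in dev/effect-deploy.nix; private key held in the buildbot effects secret` (adjust if it is stored elsewhere).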
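Review bot: In modules/nixos/buildbot.nix, `perRepoSecretFiles` scopes the deployment secret to the repository `github:nix-community/infra`, but nothing in this hunk limits it to a branch. The only branch condition in the commit is `runIf (herculesCI.config.repo.branch == "master")` in dev/effect-deploy.nix, which is evaluated from the repository's own Nix code and therefore is not a trust boundary by itself. Please confirm that buildbot-nix runs effects with this secrets file only for pushes to the default branch and never for pull-request builds, and record that assumption next to the option, e.g. `# secret is exposed to effects of this repo; relies on buildbot-nix running effects on the default branch only`. The surrounding module body starts and ends outside the hunk.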