diff --git a/ci.nix b/ci.nix
index 675db6f..f7150b4 100644
--- a/ci.nix
+++ b/ci.nix
@@ -6,5 +6,27 @@ let
 self = builtins.getFlake (toString ./.);
 nixpkgs = self.inputs.nixpkgs;
 effects = self.inputs.hercules-ci-effects.lib.withPkgs nixpkgs.legacyPackages.x86_64-linux;
+
+ deployNixOS = args@{
+ hostname,
+ drv,
+ ...
+ }: effects.mkEffect (args // {
+
+ # This style of variable passing allows overrideAttrs and modification in
+ # hooks like the userSetupScript.
+ inherit hostname drv;
+ effectScript = ''
+ umask 077 # so ssh does not complain about key permissions
+ readSecretString seploy .ssh-key > deploy-key
+ ssh -i deploy-key root@"$hostname" "$(nix-store -r $drv)/bin/switch-to-configuration $action"
+ '';
+ });
 in
-nixpkgs.lib.mapAttrs' (name: config: nixpkgs.lib.nameValuePair "nixos-${name}" config.config.system.build.toplevel) self.outputs.nixosConfigurations
+(nixpkgs.lib.mapAttrs' (name: config: nixpkgs.lib.nameValuePair "nixos-${name}" config.config.system.build.toplevel) self.outputs.nixosConfigurations) // {
+ build01 = deployNixOS {
+ hostname = "build01.nix-community.org";
+ # using the drv path here avoids downloading the closure on the deploying machine
+ drv = self.outputs.nixosConfigurations.nix-community-build01.config.system.build.toplevel.drvPath;
+ };
+}
diff --git a/flake.lock b/flake.lock
index 1db59b7..5665b02 100644
--- a/flake.lock
+++ b/flake.lock
@@ -16,6 +16,24 @@
 "type": "github"
 }
 },
+ "hercules-ci-effects": {
+ "inputs": {
+ "nixpkgs": "nixpkgs"
+ },
+ "locked": {
+ "lastModified": 1655158531,
+ "narHash": "sha256-5LeaONqA6pgSNeA39gzu5XUipw3mXNZ04LUiy2TVImU=",
+ "owner": "hercules-ci",
+ "repo": "hercules-ci-effects",
+ "rev": "bda248e06dc44cbba9f4db350abbb10c3fe3b6fd",
+ "type": "github"
+ },
+ "original": {
+ "owner": "hercules-ci",
+ "repo": "hercules-ci-effects",
+ "type": "github"
+ }
+ },
 "hydra": {
 "inputs": {
 "newNixpkgs": "newNixpkgs",
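Review bot: `$action` in the effectScript is never defined — the args pattern and `inherit hostname drv;` pass only hostname and drv, so unless the effects library supplies it, `switch-to-configuration` runs with an empty argument; add `action ? "switch"` to the pattern and `inherit hostname drv action;`. The secret name in `readSecretString seploy .ssh-key` looks like a typo for `deploy`, and as far as this hunk shows nothing declares that secret to the effect (hercules-ci-effects exposes secrets through a `secretsMap` attribute, if I recall its API correctly), so the read would fail at runtime either way. Because the script is non-interactive, the `ssh` call will also fail host-key verification on first contact with build01 unless a known_hosts entry is provided; writing the host's public key to a file and passing `-o UserKnownHostsFile=<path>` pins it, which is preferable to turning `StrictHostKeyChecking` off. `$drv` should be quoted inside the `$(...)` substitution as well.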
@@ -95,7 +113,7 @@
 "nix": {
 "inputs": {
 "lowdown-src": "lowdown-src",
- "nixpkgs": "nixpkgs",
+ "nixpkgs": "nixpkgs_2",
 "nixpkgs-regression": "nixpkgs-regression"
 },
 "locked": {
@@ -115,17 +133,18 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1645296114,
- "narHash": "sha256-y53N7TyIkXsjMpOG7RhvqJFGDacLs9HlyHeSTBioqYU=",
+ "lastModified": 1647297614,
+ "narHash": "sha256-ulGq3W5XsrBMU/u5k9d4oPy65pQTkunR4HKKtTq0RwY=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "530a53dcbc9437363471167a5e4762c5fcfa34a1",
+ "rev": "73ad5f9e147c0d2a2061f1d4bd91e05078dc0b58",
 "type": "github"
 },
 "original": {
- "id": "nixpkgs",
- "ref": "nixos-21.05-small",
- "type": "indirect"
+ "owner": "NixOS",
+ "ref": "nixos-unstable",
+ "repo": "nixpkgs",
+ "type": "github"
 }
 },
 "nixpkgs-22_05": {
@@ -179,7 +198,7 @@
 "inputs": {
 "flake-compat": "flake-compat",
 "mmdoc": "mmdoc",
- "nixpkgs": "nixpkgs_3"
+ "nixpkgs": "nixpkgs_4"
 },
 "locked": {
 "lastModified": 1660354290,
@@ -229,11 +248,26 @@
 },
 "nixpkgs_2": {
 "locked": {
- "lastModified": 1660209832,
- "narHash": "sha256-HhggOS2nZo30g7DqkXhXj+sOkLuuM+ZKMQDExuFncnM=",
+ "lastModified": 1645296114,
+ "narHash": "sha256-y53N7TyIkXsjMpOG7RhvqJFGDacLs9HlyHeSTBioqYU=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "439f25de4d6b919d4a05fd552359736b7a2a283d",
+ "rev": "530a53dcbc9437363471167a5e4762c5fcfa34a1",
+ "type": "github"
+ },
+ "original": {
+ "id": "nixpkgs",
+ "ref": "nixos-21.05-small",
+ "type": "indirect"
+ }
+ },
+ "nixpkgs_3": {
+ "locked": {
+ "lastModified": 1660358575,
+ "narHash": "sha256-EMIn5yM/fDorK5C+DLaxz4/ysP0lpj9xEwbN6gKIkWM=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "71d9ee04f44051acbca335b6c5f583902e329987",
 "type": "github"
 },
 "original": {
@@ -243,7 +277,7 @@
 "type": "github"
 }
 },
- "nixpkgs_3": {
+ "nixpkgs_4": {
 "locked": {
 "lastModified": 1629859457,
 "narHash": "sha256-JlAU1EboVCOJeMXNLJusf+0vnx++xK1Y4DW5y80zMfY=",
@@ -258,7 +292,7 @@
 "type": "github"
 }
 },
- "nixpkgs_4": {
+ "nixpkgs_5": {
 "locked": {
 "lastModified": 1659190188,
 "narHash": "sha256-LudYrDFPFaQMW0l68TYkPWRPKmqpxIFU1nWfylIp9AQ=",
@@ -276,8 +310,9 @@
 },
 "root": {
 "inputs": {
+ "hercules-ci-effects": "hercules-ci-effects",
 "hydra": "hydra",
- "nixpkgs": "nixpkgs_2",
+ "nixpkgs": "nixpkgs_3",
 "nixpkgs-update": "nixpkgs-update",
 "nixpkgs-update-github-releases": "nixpkgs-update-github-releases",
 "nixpkgs-update-pypi-releases": "nixpkgs-update-pypi-releases",
@@ -286,7 +321,7 @@
 },
 "sops-nix": {
 "inputs": {
- "nixpkgs": "nixpkgs_4",
+ "nixpkgs": "nixpkgs_5",
 "nixpkgs-22_05": "nixpkgs-22_05"
 },
 "locked": {
diff --git a/flake.nix b/flake.nix
index e4a6130..091d18c 100644
--- a/flake.nix
+++ b/flake.nix
@@ -18,6 +18,7 @@
 nixpkgs-update-pypi-releases.url = "github:ryantm/nixpkgs-update-pypi-releases";
 nixpkgs-update-pypi-releases.flake = false;
 sops-nix.url = "github:Mic92/sops-nix";
+ hercules-ci-effects.url = "github:hercules-ci/hercules-ci-effects";
 hydra.url = "github:NixOS/hydra";
 hydra.inputs.nixpkgs.follows = "nixpkgs";
 };
@@ -28,6 +29,7 @@
 , nixpkgs-update-github-releases
 , nixpkgs-update-pypi-releases
 , sops-nix
+ , hercules-ci-effects
 , hydra
 }: {
 devShell.x86_64-linux = let
diff --git a/roles/hercules-ci/secrets.yaml b/roles/hercules-ci/secrets.yaml
index 0f61c0c..80b021d 100644
--- a/roles/hercules-ci/secrets.yaml
+++ b/roles/hercules-ci/secrets.yaml
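Review bot: The new `hercules-ci-effects` input is not made to follow the repository's nixpkgs, unlike `hydra` two lines below it (`hydra.inputs.nixpkgs.follows = "nixpkgs";`), and the flake.lock hunk in this commit correspondingly gains a separate nixpkgs node for it. Adding `hercules-ci-effects.inputs.nixpkgs.follows = "nixpkgs";` after the url line keeps a single nixpkgs revision in the lock and matches the existing convention. This is mainly lock hygiene, since ci.nix calls `withPkgs` with the root nixpkgs anyway.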
@@ -1,6 +1,6 @@
 cluster-join-token.key: ENC[AES256_GCM,data:Ba8S5Cx3NJR/FoKkSVc5pX1bwKkYHAhTid3dlWcGRXPCmVtrMgBKLjDZ5b3AajZio+IvS7XNajsVqPUB/rsBUPL+mz/DPbnI4bibLkB0KZl5v6FnMf6RbGr7RWbEsGXWlJh77l/AmGRWJTj7Dh3LaQ53dguhNIDuXGvNhTLs690/93Xnc+x+d5tzl2hNz/A4/IQxpsRoJJKygqGndbc0bTUPo0QZMLtf8kHQtCiozfm1SeW49ITnM+4VCOJB8NkSkwUfy5Rs574fFijYSOGT8LSSH0ly2oxHEY+UaJudRhjr5uzrcZPI/WrrtkI=,iv:87JRtvlkkExu37uYRaHojsk1vjhO1ocw2L9yE+7shpI=,tag:0de71eZjy8F/w0LQzOVAyg==,type:str]
 binary-caches.json: ENC[AES256_GCM,data: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,iv:IOqba6lLXCEVZ+HNaH3uM4E3lbKzm8XCXlbAp6UPBIE=,tag:RX2d2UEWpZu48pW1UUaQcQ==,type:str]
-hercules-secrets: ENC[AES256_GCM,data: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,iv:5SU8P/zBvDcmREOMh4ictrzvNNDTvZnrRAzHmKueVWs=,tag:4/x7sDC8cucFiWLkAnMJfA==,type:str]
+hercules-secrets: ENC[AES256_GCM,data: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,iv:WHs2aOtablCfy3NvTjayEippA+ODAKio3sKVWD5JGaA=,tag:H/y4AFVngrfPovZFy8wH4A==,type:str]
 sops:
 kms: []
 gcp_kms: []
@@ -52,8 +52,8 @@ sops:
 b3IybVIrUGdwV2FOaElhL1oyemVhbDgKFi2eAycdA8Zrwr02AtQdTXVNhkEWFWx1
 NKmyO1r7PGeKkvBewpneNUN43/bmz4V3fSZstpVvO1v7jtuD7e70CQ==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2021-12-24T06:34:20Z"
- mac: ENC[AES256_GCM,data:2RX/yMV/oEQJt4HGvLfLgwJ8LP2TydQDPCb+OkL/CxjMwKKvI7Azw5r1CE1FPvMUr25bWbQgZm3xsYvh4JHqmLXw5AVPfE+Xl1NiGBMsilFmdQkUy5N7u4KGNort2LnlRtLPL/WNRlZUfaVzjZxLpK3CoujKeanUgzZx2nXFDgc=,iv:jYMTXzwR9myo7V1w1JOUczXW4wmILHmy08+x3g2YbtU=,tag:nKVn2ovWeSktEpl5r1mHSg==,type:str]
+ lastmodified: "2022-08-13T07:46:14Z"
+ mac: ENC[AES256_GCM,data:xjmHX1ERMBJeo0Q9llquFVOAmCQYcYYek6bBkZzRBVw7ulFwRY2Qxlgi1lYD4OnkdtEffZT6GRVqL+6ADJrDSQKSx9KlK0l0gvXYbxvyFPd6KCRZon7DCkf3rGCW5wQ8NWxykc7PigO85L8TtYjPTm4uMQNSEHDZ4bFxBMviVc4=,iv:kWc6WA00g+90+rum9jZWqRFaVPqoeeR056PuZGuBjSY=,tag:qgXVyiJ5Bw/7tk6Q1DFtTg==,type:str]
 pgp:
 - created_at: "2021-12-26T07:57:50Z"
 enc: |
@@ -71,4 +71,4 @@ sops:
 -----END PGP MESSAGE-----
 fp: 260353B993F8CE16752EF48C71BAF6D40C1D63D7
 unencrypted_suffix: _unencrypted
- version: 3.7.1
+ version: 3.7.3
diff --git a/roles/users.nix b/roles/users.nix
index 01e005e..a366fe9 100644
--- a/roles/users.nix
+++ b/roles/users.nix
@@ -21,7 +21,7 @@ in
 # Assign keys from all users in wheel group
 # This is only done because nixops cant be deployed from any other account
- users.extraUsers.root.openssh.authorizedKeys.keys = lib.unique (
+ users.extraUsers.root.openssh.authorizedKeys.keys = (lib.unique (
 lib.flatten (
 builtins.map (u: u.openssh.authorizedKeys.keys) (
@@ -31,5 +31,8 @@ in
 )
 )
 )
- );
+ )) ++ [
+ # used by hercules
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIjsihPp4fAXUknBtDCBt5tpP7nIjWLdmNiDT34NJYzq deploy-key"
+ ];
 }
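Review bot: The key added in the second users.nix hunk gives whoever holds the `deploy-key` private half an unrestricted root login on every host importing this role, and the only explanation is `# used by hercules`. Expand the comment so the key can be rotated or removed when the deploy path changes, e.g. `# Hercules CI deploy effect (see ci.nix); private half is a Hercules CI secret`. Since the deploy effect only runs `nix-store -r` and `switch-to-configuration`, consider limiting the entry with authorized_keys options such as `restrict` (and `from=` if the effect runners have a fixed source address) rather than granting a general root shell. The assignment this hunk closes begins in the previous hunk.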