darwin02: init

.sops.yaml

@@ -3,6 +3,7 @@ keys:
   - &build02 age1kh6yvgxz9ys74as7aufdy8je7gmqjtguhnjuxvj79qdjswk2r3xqxf2n6d
   - &build03 age1qg7tfjwzp6dxwkw9vej6knkhdvqre3fu7ryzsdk5ggvtdx854ycqevlwnq
   - &build04 age1r464z5e2shvnh9ekzapgghevr9wy7spd4d7pt5a89ucdk6kr6yhqzv5gkj
+  - &darwin02 age12w8we2htlf3sxd9xjlt65353tgl58034l93w8vwphhm98zv69dzsvzt8fh
   - &hercules_tf age1lk9prt0l75xyj4r9lvel5cdac4ll8jnywrm0fp8nackeqzmwkfqq974lst
   - &mic92 age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz
   - &ryantm age1d87z3zqlv6ullnzyng8l722xzxwqr677csacf3zf3l28dau7avfs6pc7ay
@@ -57,6 +58,14 @@ creation_rules:
           - *ryantm
           - *zimbatm
           - *zowoq
+  - path_regex: hosts/darwin02/[^/]+\.yaml$
+    key_groups:
+      - age:
+          - *darwin02
+          - *mic92
+          - *ryantm
+          - *zimbatm
+          - *zowoq
   - path_regex: modules/nixos/hercules-ci/.+\.yaml$
     key_groups:
       - age:

devdoc/hosts.md

@@ -37,6 +37,16 @@ This machine is meant as an aarch64 builder for our hydra instance running on bu
 - RAM: 24GB
 - Drives: 200 GB Block
 
+### `darwin02`
+
+This machine is meant as an aarch64 and x86_64 builder for our CI.
+
+- Provider: Scaleway
+- Instance type: [Apple Mac mini M1](https://www.scaleway.com/en/hello-m1/)
+- CPU: Apple M1
+- RAM: 8GB
+- Drives: 256GB SSD
+
 ## SSH config:
 
 You will need to set your admin username if it doesn't match your local username.

flake.lock

@@ -1,5 +1,25 @@
 {
   "nodes": {
+    "darwin": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1685559570,
+        "narHash": "sha256-MNIQvLRoq92isMLR/ordKNCl+aXNiuwBM4QyqmS8d00=",
+        "owner": "LnL7",
+        "repo": "nix-darwin",
+        "rev": "4338bc869e9874d54a4c89539af72f16666b2abe",
+        "type": "github"
+      },
+      "original": {
+        "owner": "LnL7",
+        "repo": "nix-darwin",
+        "type": "github"
+      }
+    },
     "disko": {
       "inputs": {
         "nixpkgs": [
@@ -151,6 +171,7 @@
     },
     "root": {
       "inputs": {
+        "darwin": "darwin",
         "disko": "disko",
         "flake-parts": "flake-parts",
         "hercules-ci-effects": "hercules-ci-effects",

flake.nix

@@ -14,6 +14,8 @@
     nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable-small";
     flake-parts.url = "github:hercules-ci/flake-parts";
     flake-parts.inputs.nixpkgs-lib.follows = "nixpkgs";
+    darwin.url = "github:LnL7/nix-darwin";
+    darwin.inputs.nixpkgs.follows = "nixpkgs";
     sops-nix.url = "github:Mic92/sops-nix";
     sops-nix.inputs.nixpkgs.follows = "nixpkgs";
     sops-nix.inputs.nixpkgs-stable.follows = "";
@@ -89,6 +91,17 @@
           hercules-ci.github-pages.settings.contents = config.packages.pages;
         };
 
+        flake.darwinConfigurations =
+          let
+            inherit (inputs.darwin.lib) darwinSystem;
+          in
+          {
+            darwin02 = darwinSystem {
+              system = "aarch64-darwin";
+              modules = [ ./hosts/darwin02/configuration.nix ];
+            };
+          };
+
         flake.nixosConfigurations =
           let
             inherit (self.lib) nixosSystem;

hosts/darwin02/builder.nix

@@ -0,0 +1,25 @@
+{
+  users.knownGroups = [ "nix" ];
+  users.knownUsers = [ "nix" ];
+
+  users.groups.nix = {
+    name = "nix";
+    gid = 8765;
+    description = "Group for remote build clients";
+  };
+
+  users.users.nix = {
+    name = "nix";
+    uid = 8765;
+    home = "/Users/nix";
+    createHome = true;
+    shell = "/bin/zsh";
+    description = "User for remote build clients";
+    # keys are copied, not symlinked
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEmdo1x1QkRepZf7nSe+OdEWX+wOjkBLF70vX9F+xf68 builder"
+    ];
+  };
+
+  nix.settings.trusted-users = [ "nix" ];
+}

hosts/darwin02/configuration.nix

@@ -0,0 +1,56 @@
+{ pkgs, ... }:
+let
+  asGB = size: toString (size * 1024 * 1024);
+in
+{
+  imports = [ ./builder.nix ];
+
+  services.nix-daemon.enable = true;
+
+  nix.settings.sandbox = "relaxed";
+  nix.settings.extra-platforms = [ "x86_64-darwin" ];
+
+  programs.zsh.enable = true;
+
+  networking.hostName = "darwin02";
+
+  system.stateVersion = 4;
+
+  documentation.enable = false;
+
+  programs.info.enable = false;
+
+  # TODO: refactor this to share /users with nixos
+  # keys are copied, not symlinked
+  users.users.m1.openssh.authorizedKeys.keys = [
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKbBp2dH2X3dcU1zh+xW3ZsdYROKpJd3n13ssOP092qE" # mic92
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOuiDoBOxgyer8vGcfAIbE6TC4n4jo8lhG9l01iJ0bZz" # zimbatm
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFbCYwWByGE46XHH4Q0vZgQ5sOUgbH50M8KO2xhBC4m/" # zowoq
+  ];
+
+  nix.settings.trusted-users = [
+    "@admin"
+  ];
+
+  nix.settings.builders-use-substitutes = true;
+
+  nix.settings.substituters = [ "https://nix-community.cachix.org/" ];
+  nix.settings.trusted-public-keys = [
+    "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+  ];
+
+  nix.settings.experimental-features = [
+    "nix-command"
+    "flakes"
+  ];
+
+  nix.settings.auto-optimise-store = true;
+
+  nix.settings.min-free = asGB 10;
+  nix.settings.max-free = asGB 200;
+
+  nix.nixPath = [ "nixpkgs=${pkgs.path}" ];
+
+  nix.gc.automatic = true;
+  nix.gc.options = "--delete-older-than 14d";
+}