Enable cachix runner on hetzner aarch64 machine. Pinned nixpkgs to stable 24.05.

2024-07-25 09:53:17 -05:00 · 2024-07-25 09:53:17 -05:00 · 2f22ea63ce
commit 2f22ea63ce
parent a47d932d18
4 changed files with 42 additions and 27 deletions
--- a/agents/fj-hetzner-aarch64.nix
+++ b/agents/fj-hetzner-aarch64.nix
@ -1,9 +1,9 @@
 { pkgs, config, lib, ... }:
- {
+{
  imports = [
    ../cachix.nix
  ];
-  environment.systemPackages = with pkgs; [ 
+  environment.systemPackages = with pkgs; [
    # vim -- added by srvos.nixosModules.server
    # git -- srvos.nixosModules.server
    # tmux -- srvos.nixosModules.server
@ -20,12 +20,19 @@
    restartUnits = [ "gitea-runner-default.service" ];
  };

+  sops.secrets."cachix/agent_auth_tokens/fj-hetzner-aarch64" = {
+    # configure secret for cachix deploy agent. 
+    sopsFile = ./secrets.sops.yaml;
+    mode = "0444";
+    restartUnits = [ "cachix-agent.service" ];
+  };
+
  nix.settings.trusted-users = [ "gitea-runner" ];
-  
+
  virtualisation.docker.enable = true;

  users.users.gitea-runner.group = "gitea-runner";
-  users.groups.gitea-runner = {};
+  users.groups.gitea-runner = { };
  users.users.gitea-runner.extraGroups = [ "docker" ];
  users.users.gitea-runner.isNormalUser = true;

@ -49,5 +56,11 @@
      ];
    };
  };
+
+  services.cachix-agent = {
+    enable = true;
+    credentialsFile = config.sops.secrets."cachix/agent_auth_tokens/fj-hetzner-aarch64".path;
+  };
+
  system.stateVersion = "24.05";
-}
+}
--- a/agents/secrets.sops.yaml
+++ b/agents/secrets.sops.yaml
@ -2,6 +2,8 @@ forgejo-runner-token: ENC[AES256_GCM,data:rzSo75Mo4Y8HbD605rz5RDH8HTVkZNxcsWhLzZ
 cachix:
    agent_auth_tokens:
        fj-shadowfax-x86_64: ENC[AES256_GCM,data:A3LyWAqmk6VeBtaP9NH6CUNGkhtuu2t993XU2KYX7piJ3ku3/or/vc96phkxekgP6bICJ4A8FijDHhRJKp9rNjYRNxztWg+b2IqH8U5W0/iVO248o4RTdNqi451bPpn+EnaW2g3XWHZ5vQjYm/2vrhZ1CFA1zGFndimIFLtri3J7tJl710WrxAXS9rfPg8Mpw5+6rZSp63ZeDfT9X0xRzngfypsc6CEo,iv:laMt7qH6r9eFJjiHm71vUvGx87HDWGalFwBSu4h30HI=,tag:G3VNbzpoGt3KjHqcWvN+UQ==,type:str]
+        #ENC[AES256_GCM,data:/EEIy1X24dChXGhIcyxIWdyZTw==,iv:90MbJ2SfioGuxZ023P4EMfBoMKAplB4fQCdEuRyACps=,tag:zveXaR/LoYSfdh0bSHuqKA==,type:comment]
+        fj-hetzner-aarch64: ENC[AES256_GCM,data:baSr2hF3vGf/KEZ9/Ud/LcmfQbfP8aUqDYQxkAPv34oKLwl8+Czbw51oOQ2U5613pQVsu+I1JgCKchLiMSu5NdoMsfV7oShb+jbIBVK1ySjICcVfljJvlqL+412romKnugtlQiZVMHdxgwycVQV4XSeBlKXxUc9orQObXe263nmiKYSHtgnHo4cE0N+FL4bRtyK0fbWtsS+9jTtZ78fqnrM3P3INEWTb,iv:+s0i6DPVu2QuPQ4tFXOY1NNnX0yqq4oQ5aCy2gjvOS0=,tag:ZHb7rOQmMtFeDJN1zYUHag==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -44,8 +46,8 @@ sops:
            RmI3bXhPVEthNUZrRWM0Sit0ZU5lcU0KPdIFA2t/bMV7XWumdtmJSfktv6YXO/Vt
            k/Zsb/HvCkBoVz2U9r8JveIMgc2knqqJGm+HS8zE/SZgh0OIUYKZEQ==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-07-16T01:32:09Z"
-    mac: ENC[AES256_GCM,data:BkZQd6p/vDPLhoR4SbmVF9DTWVmDrUWTgVC+THWp2ASezzTCEAukAV81cO+mr4gedoig4JO4FfmhiedIeJvpKSPsZLlEaZXL2yJsvKQ59M+IxCKODan13RjbIy2ifqtSdlo6nCDvV/TMiutBVHhVnwQF30hRYVEloEBOI/BkzUo=,iv:Dd/5SstdUGEROAqqz0ZiMv4jG7gu2xIWvGKe/gXcBzo=,tag:6ZWXrZ7MefxabzeJGbsanw==,type:str]
+    lastmodified: "2024-07-25T14:49:15Z"
+    mac: ENC[AES256_GCM,data:oG/t32sChs6P4Dqx3HJdcBdhUUAh0RYSDGffmxbEetRvZkTOTAp83KBOUyj+77TQPrC66W5tE4m+eG4BKgDnoHE3RvdBkOAY6BS1NG6hDHJshQxBXLHqtXJ8swgAWQtnTNmgzam7FdBsRmecq/DDcHUk5raf86OY7Wsqe4UR2zg=,iv:M6BpBZKaenS1x59MZUG5mB1oTSA3AI7Wan0SiNyKnX4=,tag:fAgzfETqahPwO0Xh93dfLQ==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.8.1
--- a/flake.lock
+++ b/flake.lock
@ -65,11 +65,11 @@
        "pre-commit-hooks": "pre-commit-hooks"
      },
      "locked": {
-        "lastModified": 1719923519,
-        "narHash": "sha256-7Rhljj2fsklFRsu+eq7N683Z9qukmreMEj5C1GqCrSA=",
+        "lastModified": 1721828545,
+        "narHash": "sha256-KscBvzhLlD6Yc4TLjezgL4C6PrtV1kdvx78uCxuOSjA=",
        "owner": "cachix",
        "repo": "cachix",
-        "rev": "4e9e71f78b9500fa6210cf1eaa4d75bdbab777c3",
+        "rev": "40d591e3ca6931042334f884eadb841f1da69623",
        "type": "github"
      },
      "original": {
@ -189,11 +189,11 @@
        "nixpkgs": "nixpkgs_3"
      },
      "locked": {
-        "lastModified": 1721735625,
-        "narHash": "sha256-4T0FK0b3Q7Dd7oj79M7GhA9+YqKxxGT0iN+h8yqdP7s=",
+        "lastModified": 1721871128,
+        "narHash": "sha256-NyWVCnSeePnJHGJxZ0l3zdGQGrVjUcx2IJbV8KIsPf0=",
        "owner": "nix-community",
        "repo": "disko",
-        "rev": "4698b1ef375e9c904037e0b2049aa73d39ac1b2d",
+        "rev": "55e874b9c14764cb791e5740f0e92202e41393fc",
        "type": "github"
      },
      "original": {
@ -581,11 +581,11 @@
    },
    "nixpkgs_3": {
      "locked": {
-        "lastModified": 1721559948,
-        "narHash": "sha256-cFgdjyK/VBM3hB1RfFHXcI/VOCBVAv813s1upHKX7bI=",
+        "lastModified": 1721782431,
+        "narHash": "sha256-UNDpwjYxNXQet/g3mgRLsQ9zxrbm9j2JEvP4ijF3AWs=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "c19d62ad2265b16e2199c5feb4650fe459ca1c46",
+        "rev": "4f02464258baaf54992debfd010a7a3662a25536",
        "type": "github"
      },
      "original": {
@ -597,27 +597,27 @@
    },
    "nixpkgs_4": {
      "locked": {
-        "lastModified": 1721562059,
-        "narHash": "sha256-Tybxt65eyOARf285hMHIJ2uul8SULjFZbT9ZaEeUnP8=",
+        "lastModified": 1721686456,
+        "narHash": "sha256-nw/BnNzATDPfzpJVTnY8mcSKKsz6BJMEFRkJ332QSN0=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "68c9ed8bbed9dfce253cc91560bf9043297ef2fe",
+        "rev": "575f3027caa1e291d24f1e9fb0e3a19c2f26d96b",
        "type": "github"
      },
      "original": {
        "owner": "nixos",
-        "ref": "nixos-unstable",
+        "ref": "nixos-24.05",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs_5": {
      "locked": {
-        "lastModified": 1721571961,
-        "narHash": "sha256-jfF4gpRUpTBY2OxDB0FRySsgNGOiuDckEtu7YDQom3Y=",
+        "lastModified": 1721838734,
+        "narHash": "sha256-o87oh2nLDzZ1E9+j1I6GaEvd9865OWGYvxaPSiH9DEU=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "4cc8b29327bed3d52b40041f810f49734298af46",
+        "rev": "1855c9961e0bfa2e776fa4b58b7d43149eeed431",
        "type": "github"
      },
      "original": {
@ -713,11 +713,11 @@
        "nixpkgs": "nixpkgs_5"
      },
      "locked": {
-        "lastModified": 1721612563,
-        "narHash": "sha256-6T6GkLuNVbgDKijcBY/5mUiK8gO2Xi2QFM13hUKa2a0=",
+        "lastModified": 1721888498,
+        "narHash": "sha256-O5/s8e6CL99AQoKEn8k6F99UoJdAzQ8z9LZ7SxFJ3c4=",
        "owner": "numtide",
        "repo": "srvos",
-        "rev": "936858820dcad0e958f16f0e9652519bef045d5d",
+        "rev": "27b3a9b23847cb2e716334ee6ad58b82ddc3f7a7",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@ -2,7 +2,7 @@
  description = "Forgejo CI Runners";

  inputs = {
-    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
+    nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05";
    srvos.url = "github:numtide/srvos";
    disko.url = "github:nix-community/disko";
    cachix-deploy-flake.url = "github:cachix/cachix-deploy-flake";