From 2f22ea63ce524575877f660c1c542a054f87226e Mon Sep 17 00:00:00 2001 From: Joseph Hanson Date: Thu, 25 Jul 2024 09:53:17 -0500 Subject: [PATCH] Enable cachix runner on hetzner aarch64 machine. Pinned nixpkgs to stable 24.05. --- agents/fj-hetzner-aarch64.nix | 23 ++++++++++++++++----- agents/secrets.sops.yaml | 6 ++++-- flake.lock | 38 +++++++++++++++++------------------ flake.nix | 2 +- 4 files changed, 42 insertions(+), 27 deletions(-) diff --git a/agents/fj-hetzner-aarch64.nix b/agents/fj-hetzner-aarch64.nix index 59de509..48ff931 100644 --- a/agents/fj-hetzner-aarch64.nix +++ b/agents/fj-hetzner-aarch64.nix @@ -1,9 +1,9 @@ { pkgs, config, lib, ... }: - { +{ imports = [ ../cachix.nix ]; - environment.systemPackages = with pkgs; [ + environment.systemPackages = with pkgs; [ # vim -- added by srvos.nixosModules.server # git -- srvos.nixosModules.server # tmux -- srvos.nixosModules.server @@ -20,12 +20,19 @@ restartUnits = [ "gitea-runner-default.service" ]; }; + sops.secrets."cachix/agent_auth_tokens/fj-hetzner-aarch64" = { + # configure secret for cachix deploy agent. + sopsFile = ./secrets.sops.yaml; + mode = "0444"; + restartUnits = [ "cachix-agent.service" ]; + }; + nix.settings.trusted-users = [ "gitea-runner" ]; - + virtualisation.docker.enable = true; users.users.gitea-runner.group = "gitea-runner"; - users.groups.gitea-runner = {}; + users.groups.gitea-runner = { }; users.users.gitea-runner.extraGroups = [ "docker" ]; users.users.gitea-runner.isNormalUser = true; @@ -49,5 +56,11 @@ ]; }; }; + + services.cachix-agent = { + enable = true; + credentialsFile = config.sops.secrets."cachix/agent_auth_tokens/fj-hetzner-aarch64".path; + }; + system.stateVersion = "24.05"; -} \ No newline at end of file +} diff --git a/agents/secrets.sops.yaml b/agents/secrets.sops.yaml index 367372e..9747261 100644 --- a/agents/secrets.sops.yaml +++ b/agents/secrets.sops.yaml 
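Review bot: The new `sops.secrets."cachix/agent_auth_tokens/fj-hetzner-aarch64"` block in the second hunk sets `mode = "0444"`, which makes the decrypted Cachix deploy-agent token readable by every local account. Per the surrounding context lines, this host also runs CI jobs as `gitea-runner`, which has Docker group membership and Nix trusted-user rights, so job code could read the token. If `services.cachix-agent` (third hunk) loads `credentialsFile` through systemd as root, which is worth confirming against the module, the sops-nix default is sufficient: drop the line or write `mode = "0400";`. If the token has already been deployed with the wider mode, rotate it after tightening. The enclosing attribute set starts and ends outside these hunks.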
@@ -2,6 +2,8 @@ forgejo-runner-token: ENC[AES256_GCM,data:rzSo75Mo4Y8HbD605rz5RDH8HTVkZNxcsWhLzZ cachix: agent_auth_tokens: fj-shadowfax-x86_64: ENC[AES256_GCM,data:A3LyWAqmk6VeBtaP9NH6CUNGkhtuu2t993XU2KYX7piJ3ku3/or/vc96phkxekgP6bICJ4A8FijDHhRJKp9rNjYRNxztWg+b2IqH8U5W0/iVO248o4RTdNqi451bPpn+EnaW2g3XWHZ5vQjYm/2vrhZ1CFA1zGFndimIFLtri3J7tJl710WrxAXS9rfPg8Mpw5+6rZSp63ZeDfT9X0xRzngfypsc6CEo,iv:laMt7qH6r9eFJjiHm71vUvGx87HDWGalFwBSu4h30HI=,tag:G3VNbzpoGt3KjHqcWvN+UQ==,type:str] + #ENC[AES256_GCM,data:/EEIy1X24dChXGhIcyxIWdyZTw==,iv:90MbJ2SfioGuxZ023P4EMfBoMKAplB4fQCdEuRyACps=,tag:zveXaR/LoYSfdh0bSHuqKA==,type:comment] + fj-hetzner-aarch64: ENC[AES256_GCM,data:baSr2hF3vGf/KEZ9/Ud/LcmfQbfP8aUqDYQxkAPv34oKLwl8+Czbw51oOQ2U5613pQVsu+I1JgCKchLiMSu5NdoMsfV7oShb+jbIBVK1ySjICcVfljJvlqL+412romKnugtlQiZVMHdxgwycVQV4XSeBlKXxUc9orQObXe263nmiKYSHtgnHo4cE0N+FL4bRtyK0fbWtsS+9jTtZ78fqnrM3P3INEWTb,iv:+s0i6DPVu2QuPQ4tFXOY1NNnX0yqq4oQ5aCy2gjvOS0=,tag:ZHb7rOQmMtFeDJN1zYUHag==,type:str] sops: kms: [] gcp_kms: [] @@ -44,8 +46,8 @@ sops: RmI3bXhPVEthNUZrRWM0Sit0ZU5lcU0KPdIFA2t/bMV7XWumdtmJSfktv6YXO/Vt k/Zsb/HvCkBoVz2U9r8JveIMgc2knqqJGm+HS8zE/SZgh0OIUYKZEQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-07-16T01:32:09Z" - mac: ENC[AES256_GCM,data:BkZQd6p/vDPLhoR4SbmVF9DTWVmDrUWTgVC+THWp2ASezzTCEAukAV81cO+mr4gedoig4JO4FfmhiedIeJvpKSPsZLlEaZXL2yJsvKQ59M+IxCKODan13RjbIy2ifqtSdlo6nCDvV/TMiutBVHhVnwQF30hRYVEloEBOI/BkzUo=,iv:Dd/5SstdUGEROAqqz0ZiMv4jG7gu2xIWvGKe/gXcBzo=,tag:6ZWXrZ7MefxabzeJGbsanw==,type:str] + lastmodified: "2024-07-25T14:49:15Z" + mac: ENC[AES256_GCM,data:oG/t32sChs6P4Dqx3HJdcBdhUUAh0RYSDGffmxbEetRvZkTOTAp83KBOUyj+77TQPrC66W5tE4m+eG4BKgDnoHE3RvdBkOAY6BS1NG6hDHJshQxBXLHqtXJ8swgAWQtnTNmgzam7FdBsRmecq/DDcHUk5raf86OY7Wsqe4UR2zg=,iv:M6BpBZKaenS1x59MZUG5mB1oTSA3AI7Wan0SiNyKnX4=,tag:fAgzfETqahPwO0Xh93dfLQ==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1 diff --git a/flake.lock b/flake.lock index 7e48793..bdc0a72 100644 --- a/flake.lock +++ b/flake.lock 
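Review bot: The `fj-hetzner-aarch64` token is added to the same sops file as `fj-shadowfax-x86_64`, and sops encrypts one data key to every recipient of a file, so presumably each runner host can decrypt the other's agent token. Consider a per-host secrets file (for example `agents/<host>.sops.yaml`, a constructed path) with its own recipient set, so a compromised runner exposes only its own token. The recipient list lies outside this hunk, so confirm which keys it actually contains.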
@@ -65,11 +65,11 @@ "pre-commit-hooks": "pre-commit-hooks" }, "locked": { - "lastModified": 1719923519, - "narHash": "sha256-7Rhljj2fsklFRsu+eq7N683Z9qukmreMEj5C1GqCrSA=", + "lastModified": 1721828545, + "narHash": "sha256-KscBvzhLlD6Yc4TLjezgL4C6PrtV1kdvx78uCxuOSjA=", "owner": "cachix", "repo": "cachix", - "rev": "4e9e71f78b9500fa6210cf1eaa4d75bdbab777c3", + "rev": "40d591e3ca6931042334f884eadb841f1da69623", "type": "github" }, "original": { @@ -189,11 +189,11 @@ "nixpkgs": "nixpkgs_3" }, "locked": { - "lastModified": 1721735625, - "narHash": "sha256-4T0FK0b3Q7Dd7oj79M7GhA9+YqKxxGT0iN+h8yqdP7s=", + "lastModified": 1721871128, + "narHash": "sha256-NyWVCnSeePnJHGJxZ0l3zdGQGrVjUcx2IJbV8KIsPf0=", "owner": "nix-community", "repo": "disko", - "rev": "4698b1ef375e9c904037e0b2049aa73d39ac1b2d", + "rev": "55e874b9c14764cb791e5740f0e92202e41393fc", "type": "github" }, "original": { @@ -581,11 +581,11 @@ }, "nixpkgs_3": { "locked": { - "lastModified": 1721559948, - "narHash": "sha256-cFgdjyK/VBM3hB1RfFHXcI/VOCBVAv813s1upHKX7bI=", + "lastModified": 1721782431, + "narHash": "sha256-UNDpwjYxNXQet/g3mgRLsQ9zxrbm9j2JEvP4ijF3AWs=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "c19d62ad2265b16e2199c5feb4650fe459ca1c46", + "rev": "4f02464258baaf54992debfd010a7a3662a25536", "type": "github" }, "original": { 
@@ -597,27 +597,27 @@ }, "nixpkgs_4": { "locked": { - "lastModified": 1721562059, - "narHash": "sha256-Tybxt65eyOARf285hMHIJ2uul8SULjFZbT9ZaEeUnP8=", + "lastModified": 1721686456, + "narHash": "sha256-nw/BnNzATDPfzpJVTnY8mcSKKsz6BJMEFRkJ332QSN0=", "owner": "nixos", "repo": "nixpkgs", - "rev": "68c9ed8bbed9dfce253cc91560bf9043297ef2fe", + "rev": "575f3027caa1e291d24f1e9fb0e3a19c2f26d96b", "type": "github" }, "original": { "owner": "nixos", - "ref": "nixos-unstable", + "ref": "nixos-24.05", "repo": "nixpkgs", "type": "github" } }, "nixpkgs_5": { "locked": { - "lastModified": 1721571961, - "narHash": "sha256-jfF4gpRUpTBY2OxDB0FRySsgNGOiuDckEtu7YDQom3Y=", + "lastModified": 1721838734, + "narHash": "sha256-o87oh2nLDzZ1E9+j1I6GaEvd9865OWGYvxaPSiH9DEU=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "4cc8b29327bed3d52b40041f810f49734298af46", + "rev": "1855c9961e0bfa2e776fa4b58b7d43149eeed431", "type": "github" }, "original": { @@ -713,11 +713,11 @@ "nixpkgs": "nixpkgs_5" }, "locked": { - "lastModified": 1721612563, - "narHash": "sha256-6T6GkLuNVbgDKijcBY/5mUiK8gO2Xi2QFM13hUKa2a0=", + "lastModified": 1721888498, + "narHash": "sha256-O5/s8e6CL99AQoKEn8k6F99UoJdAzQ8z9LZ7SxFJ3c4=", "owner": "numtide", "repo": "srvos", - "rev": "936858820dcad0e958f16f0e9652519bef045d5d", + "rev": "27b3a9b23847cb2e716334ee6ad58b82ddc3f7a7", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 00bb453..d92fc9b 100644 --- a/flake.nix +++ b/flake.nix @@ -2,7 +2,7 @@ description = "Forgejo CI Runners"; inputs = { - nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; + nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05"; srvos.url = "github:numtide/srvos"; disko.url = "github:nix-community/disko"; cachix-deploy-flake.url = "github:cachix/cachix-deploy-flake";