pin packages in cachix

Nikodem Rabuliński 2024-01-20 12:01:31 +01:00
parent ccc0994dfd
commit 49a02e0ec7
4 changed files with 79 additions and 2 deletions


@ -1,4 +1,9 @@
{lib, ...}: {
{
config,
lib,
withSystem,
...
}: {
defaultEffectSystem = "aarch64-linux";
hercules-ci = {
@ -7,4 +12,52 @@
when.dayOfWeek = "Mon";
};
};
herculesCI = herculesCI: {
onPush.default = {
outputs.effects = {
pin-cache = withSystem config.defaultEffectSystem ({
pkgs,
hci-effects,
...
}: let
collectDrvs = prefix: attrs: let
drvs = lib.pipe attrs [
(lib.filterAttrs (_: lib.isDerivation))
(lib.mapAttrsToList (name: drv: {
name = "${prefix}.${name}";
inherit drv;
}))
];
recursed = lib.pipe attrs [
(lib.filterAttrs (_: val:
(!lib.isDerivation val) && (lib.isAttrs val) && (val.recurseForDerivations or true)))
(lib.mapAttrsToList (name: collectDrvs "${prefix}.${name}"))
];
in
drvs ++ (lib.flatten recursed);
collected = collectDrvs "packages" herculesCI.config.onPush.default.outputs.packages;
cachixCommands =
lib.concatMapStringsSep
"\n"
({
name,
drv,
}: "cachix pin nrabulinski ${lib.escapeShellArg name} ${lib.escapeShellArg drv}")
collected;
in
hci-effects.runIf (herculesCI?branch && herculesCI.branch == "main") (hci-effects.mkEffect {
secretsMap."cachix-token" = "cachix-token";
inputs = [pkgs.cachix];
userSetupScript = ''
cachix authtoken $(readSecretString cachix-token .token)
'';
# Discarding the context is fine here because we don't actually want to build those derivations.
# They have already been built as part of this job,
# we only want to pin them to make sure cachix doesn't GC them.
effectScript = builtins.unsafeDiscardStringContext cachixCommands;
}));
};
};
};
}
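Review bot: In `userSetupScript` the Cachix token is expanded unquoted onto the `cachix authtoken` command line, so it is subject to word splitting and appears in that process's argument list. Quoting is the minimal change: `cachix authtoken "$(readSecretString cachix-token .token)"`. If the cachix in `pkgs` can read the token from stdin or from the `CACHIX_AUTH_TOKEN` environment variable, that would keep it off argv entirely. Separately, the `hci-effects.runIf` test on `herculesCI.branch == "main"` lives in the repository's own code, so it is a convenience gate rather than the control that protects the token.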


@ -26,6 +26,10 @@ in {
file = ../../../secrets/hercules-cache.age;
owner = herculesUser;
};
age.secrets.hercules-secrets = {
file = ../../../secrets/hercules-secrets.age;
owner = herculesUser;
};
services.hercules-ci-agent = {
enable = true;
@ -33,7 +37,7 @@ in {
clusterJoinTokenPath = config.age.secrets.hercules-token.path;
concurrentTasks = lib.mkDefault 4;
binaryCachesPath = config.age.secrets.hercules-cache.path;
secretsJsonPath = pkgs.writeText "secrets.json" "{}";
secretsJsonPath = config.age.secrets.hercules-secrets.path;
};
};
};
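Review bot: The new `secretsJsonPath` points at an age-encrypted file, so what the agent hands to effects can no longer be reviewed from the change, and nothing here records what that file must contain. A comment above the line would help, for example `# secrets.json: every entry needs a "condition" limiting it to this repo's default branch`. I believe the Hercules CI agent supports a per-secret `condition` field; if so, that is where access to `cachix-token` should be restricted, and the token itself is best scoped to the single cache it pins in. The enclosing attribute set starts and ends outside the hunk.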


@ -0,0 +1,13 @@
age-encryption.org/v1
-> ssh-ed25519 84j9mw 3YzvMZtsqexRkTz8wRJ9x7+2bwzx5HL4cmXGAad1Nhg
B/zf+fjwa/oQwgh2/ru2NnRkBKSEG+cVQIP1KZ0aFaw
-> ssh-ed25519 ioPMHA sheE+ZHU2hwes2t7Hl8MdeJH1t7s6i1XyG5Sr66LIBQ
mf58NBLmlk1xo5yk5WgRESMCTVsKzkWxvBdRyiHJbNo
-> ssh-ed25519 IFuY+w ksu2x6l6BkbF0wNnKN94QLFv6F8WD11ua1oWK4LWRE8
TRIh098hdF+mMZJexrJrnPqraJ7VQV3FwCcOUWxPoUg
-> ssh-ed25519 5A7peQ FAlZ0M+V6PpuM8BKD5I/4TKi9sMm/AYK3M1mE/GGIgw
UZ2MlIkAknG7G2C1NHBN4aRv7XoszWCaHuC2g6dyTQc
-> ssh-ed25519 GKhvwg XRkkDxgDu+w8aRflbDAnLWXw8VQwlQDIVLD+eJA8zBs
Toj+7JYoIvzmvWcPSMXXegWfSagZx80VxFKoq2igdOQ
--- IqUd2a5oD6B8HDc0Wa6uz86409OHRUG8LtDu+oE0u7M
òÄcL«&½¡í{ìp(aË*Ý5ðd>ÛMì4W ç ü<>èPɳ-KW£ÿkoò¾áJ27äÄl:%I½Šæóá×<>(EX¯i½a¤;öÎRDÈT3s€k¿ŠÑœ5¢ÏÖþ,s»9Äë¶½‡E³Ø—ZNª‰-IÛ¥Žúçf'ë.¾¯óäݸàÖŸËn±Å⃩Ûežè²eBFDM|<7C> Í”8@¦ø*y$ÌðœSø0F`d+ïn¨ìœÚp¾-â÷EÉߏл0!§ƒ0H°LÑ)èûç5·8wzJWí£äDŸJªIû¶c+Ö» ‹ý„ƒé+ç9£RAC°ôE.ÜüŠçÁ7B©aÈHb€ZSÃÜ©î


@ -28,6 +28,13 @@ in {
keys.system.kogata
keys.other.bootstrap
];
"hercules-secrets.age".publicKeys = [
keys.system.kazuki
keys.system.legion
keys.system.ude
keys.system.kogata
keys.other.bootstrap
];
"alert-plain-pass.age".publicKeys = [
keys.system.legion
keys.other.bootstrap