From 49a02e0ec7c7a52cf7eb93ffde8999a34a070b02 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nikodem=20Rabuli=C5=84ski?=
Date: Sat, 20 Jan 2024 12:01:31 +0100
Subject: [PATCH] pin packages in cachix
---
 effects.nix | 55 +++++++++++++++++++++++++++++-
 modules/system/common/hercules.nix | 6 +++-
 secrets/hercules-secrets.age | 13 +++++++
 secrets/secrets.nix | 7 ++++
 4 files changed, 79 insertions(+), 2 deletions(-)
 create mode 100644 secrets/hercules-secrets.age
diff --git a/effects.nix b/effects.nix
index d622061..a358ab0 100644
--- a/effects.nix
+++ b/effects.nix
@@ -1,4 +1,9 @@
-{lib, ...}: {
+{
+ config,
+ lib,
+ withSystem,
+ ...
+}: {
 defaultEffectSystem = "aarch64-linux";
 hercules-ci = {
@@ -7,4 +12,52 @@
 when.dayOfWeek = "Mon";
 };
 };
+
+ herculesCI = herculesCI: {
+ onPush.default = {
+ outputs.effects = {
+ pin-cache = withSystem config.defaultEffectSystem ({
+ pkgs,
+ hci-effects,
+ ...
+ }: let
+ collectDrvs = prefix: attrs: let
+ drvs = lib.pipe attrs [
+ (lib.filterAttrs (_: lib.isDerivation))
+ (lib.mapAttrsToList (name: drv: {
+ name = "${prefix}.${name}";
+ inherit drv;
+ }))
+ ];
+ recursed = lib.pipe attrs [
+ (lib.filterAttrs (_: val:
+ (!lib.isDerivation val) && (lib.isAttrs val) && (val.recurseForDerivations or true)))
+ (lib.mapAttrsToList (name: collectDrvs "${prefix}.${name}"))
+ ];
+ in
+ drvs ++ (lib.flatten recursed);
+ collected = collectDrvs "packages" herculesCI.config.onPush.default.outputs.packages;
+ cachixCommands =
+ lib.concatMapStringsSep
+ "\n"
+ ({
+ name,
+ drv,
+ }: "cachix pin nrabulinski ${lib.escapeShellArg name} ${lib.escapeShellArg drv}")
+ collected;
+ in
+ hci-effects.runIf (herculesCI?branch && herculesCI.branch == "main") (hci-effects.mkEffect {
+ secretsMap."cachix-token" = "cachix-token";
+ inputs = [pkgs.cachix];
+ userSetupScript = ''
+ cachix authtoken $(readSecretString cachix-token .token)
+ '';
+ # Discarding the context is fine here because we don't actually want to build those derivations.
+ # They have already been built as part of this job,
+ # we only want to pin them to make sure cachix doesn't GC them.
+ effectScript = builtins.unsafeDiscardStringContext cachixCommands;
+ }));
+ };
+ };
+ };
 }
diff --git a/modules/system/common/hercules.nix b/modules/system/common/hercules.nix
index e743f69..0b266d6 100644
--- a/modules/system/common/hercules.nix
+++ b/modules/system/common/hercules.nix
@@ -26,6 +26,10 @@ in {
 file = ../../../secrets/hercules-cache.age;
 owner = herculesUser;
 };
+ age.secrets.hercules-secrets = {
+ file = ../../../secrets/hercules-secrets.age;
+ owner = herculesUser;
+ };
 services.hercules-ci-agent = {
 enable = true;
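Review bot: The cachix token is passed to `cachix authtoken` as a command-line argument in `userSetupScript`, so it is visible in the effect sandbox's process list and in any shell tracing for the lifetime of that call. Cachix also reads the token from the `CACHIX_AUTH_TOKEN` environment variable, so `export CACHIX_AUTH_TOKEN=$(readSecretString cachix-token .token)` keeps it out of argv with the rest of the script unchanged. Separately, `collectDrvs` descends into every non-derivation attrset unless it opts out (`val.recurseForDerivations or true`), which is the reverse of the nixpkgs default and will walk anything that happens to be an attrset under `packages`; a self-referential set there would make evaluation loop, so that assumption deserves a comment next to the filter, e.g. `# default to recursing: flake packages are keyed by system and carry no recurseForDerivations`. Note also that the `runIf` gate on `main` is evaluated from the pushed revision itself, so it limits when the pin runs but is not what protects the token from other branches; that has to come from the agent-side secret configuration.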
@@ -33,7 +37,7 @@ in { clusterJoinTokenPath = config.age.secrets.hercules-token.path; concurrentTasks = lib.mkDefault 4; binaryCachesPath = config.age.secrets.hercules-cache.path; - secretsJsonPath = pkgs.writeText "secrets.json" "{}"; + secretsJsonPath = config.age.secrets.hercules-secrets.path; }; }; }; diff --git a/secrets/hercules-secrets.age b/secrets/hercules-secrets.age new file mode 100644 index 0000000..eef4c8f --- /dev/null +++ b/secrets/hercules-secrets.age @@ -0,0 +1,13 @@ +age-encryption.org/v1 +-> ssh-ed25519 84j9mw 3YzvMZtsqexRkTz8wRJ9x7+2bwzx5HL4cmXGAad1Nhg +B/zf+fjwa/oQwgh2/ru2NnRkBKSEG+cVQIP1KZ0aFaw +-> ssh-ed25519 ioPMHA sheE+ZHU2hwes2t7Hl8MdeJH1t7s6i1XyG5Sr66LIBQ +mf58NBLmlk1xo5yk5WgRESMCTVsKzkWxvBdRyiHJbNo +-> ssh-ed25519 IFuY+w ksu2x6l6BkbF0wNnKN94QLFv6F8WD11ua1oWK4LWRE8 +TRIh098hdF+mMZJexrJrnPqraJ7VQV3FwCcOUWxPoUg +-> ssh-ed25519 5A7peQ FAlZ0M+V6PpuM8BKD5I/4TKi9sMm/AYK3M1mE/GGIgw +UZ2MlIkAknG7G2C1NHBN4aRv7XoszWCaHuC2g6dyTQc +-> ssh-ed25519 GKhvwg XRkkDxgDu+w8aRflbDAnLWXw8VQwlQDIVLD+eJA8zBs +Toj+7JYoIvzmvWcPSMXXegWfSagZx80VxFKoq2igdOQ +--- IqUd2a5oD6B8HDc0Wa6uz86409OHRUG8LtDu+oE0u7M +cL&{pl(a*5d>M4W  Pɳ-KWkoJ217l:%I׏(EXia;RDT3sk5,s9붽EؗZN-Iۥf'.ݸ֟n⃩eeBFDM|͔8@*y$S0F`d+np-E߸0!0HL)58wzJWDJIc+ֻ +9RACHE.7BaHbZSܩ \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 27b859a..1cc5bef 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -28,6 +28,13 @@ in { keys.system.kogata keys.other.bootstrap ]; + "hercules-secrets.age".publicKeys = [ + keys.system.kazuki + keys.system.legion + keys.system.ude + keys.system.kogata + keys.other.bootstrap + ]; "alert-plain-pass.age".publicKeys = [ keys.system.legion keys.other.bootstrap
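Review bot: Pointing `secretsJsonPath` at a real secrets file makes `cachix-token` available to every effect this agent evaluates, and the only visible restriction to `main` is the `runIf` in effects.nix, which any pushed revision can change. The agent's secrets.json format supports a per-secret `condition` that the agent enforces independently of the repository's Nix code; the encrypted file in this commit does not show whether one is set, so please confirm it restricts the token to the default branch and record that at this option, e.g. `# secrets.json entries carry a condition limiting them to the default branch; see secrets/hercules-secrets.age`. If no condition is present, a push to any branch of this repo could redefine the effect and use the token. The enclosing `services.hercules-ci-agent.settings` block begins outside the hunk.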