feat: add Hercules ci

2025-07-29 11:07:44 +00:00 · 2025-02-26 00:35:06 +03:00 · 2025-02-26 00:35:06 +03:00 · 3d91319498
commit 3d91319498
parent b2cb5fd7ff
7 changed files with 48 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@ -9,6 +9,7 @@
 !hosts/best/
 !hosts/best/garage/
 !hosts/best/nix-serve/
+!hosts/best/hercules/

 !hosts/cube/
 !hosts/cube/matrix/
--- a/hosts/best/hercules/caches.age
+++ b/hosts/best/hercules/caches.age
--- a/hosts/best/hercules/credentials.age
+++ b/hosts/best/hercules/credentials.age
--- a/hosts/best/hercules/default.nix
+++ b/hosts/best/hercules/default.nix
@ -0,0 +1,35 @@
+{ config, lib, ... }: let
+  inherit (lib) enabled genAttrs;
+in {
+  secrets.awsCredentials = {
+    file  = ./credentials.age;
+    owner = "hercules-ci-agent";
+  };
+
+  secrets.herculesCaches = {
+    file  = ./caches.age;
+    owner = "hercules-ci-agent";
+  };
+  secrets.herculesToken = {
+    file  = ./token.age;
+    owner = "hercules-ci-agent";
+  };
+  secrets.herculesSecrets = {
+    file  = ./secrets.age;
+    owner = "hercules-ci-agent";
+  };
+
+  home-manager.users = genAttrs [ "hercules-ci-agent" "root" ] (_: homeArgs: let
+    homeLib    = homeArgs.config.lib;
+  in {
+    home.file.".aws/credentials".source = homeLib.file.mkOutOfStoreSymlink config.secrets.awsCredentials.path;
+  });
+
+  services.hercules-ci-agent = enabled {
+    settings = {
+      binaryCachesPath     = config.secrets.herculesCaches.path;
+      clusterJoinTokenPath = config.secrets.herculesToken.path;
+      secretsJsonPath      = config.secrets.herculesSecrets.path;
+    };
+  };
+}
--- a/hosts/best/hercules/secrets.age
+++ b/hosts/best/hercules/secrets.age
@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 8y3T6w QFNMQ0/Nz/Hgr+AnATo5+06Xp7wwTrGSlwbE4EJ8M0o
+yr6mqPKPUsuPvtGH+N/4oZHVzYt5p2GiXCiOZKHK2IA
+-> ssh-ed25519 CzqbPQ gHGzzoNOS72IIZChwmPZ2empbMX80/set+Y3YN9nohQ
+7rScYa4ntZTJe/IpWyY5Col4+123Temz9I+6A0ILCSE
+--- IBo4lMDiPHrfQmv+PByQtft/FFNTzNyIjf0Hx9zoDuc
+7<£æë4‡.î…/É)Q³È+Q"ëñ<C3AB>	8¶¨¿-\$
--- a/hosts/best/hercules/token.age
+++ b/hosts/best/hercules/token.age
--- a/secrets.nix
+++ b/secrets.nix
@ -7,6 +7,11 @@ in {

  "hosts/best/garage/environment.age".publicKeys = [ best ] ++ admins;

+  "hosts/best/hercules/caches.age".publicKeys       = [ best ] ++ admins;
+  "hosts/best/hercules/credentials.age".publicKeys  = [ best ] ++ admins;
+  "hosts/best/hercules/secrets.age".publicKeys      = [ best ] ++ admins;
+  "hosts/best/hercules/token.age".publicKeys        = [ best ] ++ admins;
+
  "hosts/best/nix-serve/key.age".publicKeys     = [ best ] ++ admins;

  # cube