nix-cache02: add homelab-deploy builder service

- Configure builder to build nixos-servers and nixos (gunter) repos - Add builder NKey to Vault secrets - Update NATS permissions for builder, test-deployer, and admin-deployer - Grant nix-cache02 access to shared homelab-deploy secrets Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-10 22:26:40 +01:00
parent 2d9ca2a73f
commit 47747329c4
7 changed files with 80 additions and 6 deletions
--- a/flake.lock
+++ b/flake.lock
@@ -28,11 +28,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1770648258,
-        "narHash": "sha256-sExxD8N9Q0RrHIoppOV6qp4jcJirLVjpQd20C72V78I=",
+        "lastModified": 1770758165,
+        "narHash": "sha256-jjCcxhZavm2r7gjZ2+FNOMvTYQsRlIa9ijPICK0HVk4=",
        "ref": "master",
-        "rev": "277a49a666347e2e2ae67128cf732956a9c3be56",
-        "revCount": 27,
+        "rev": "a8aab16d0e7400aaa00500d08c12734da3b638e0",
+        "revCount": 32,
        "type": "git",
        "url": "https://git.t-juice.club/torjus/homelab-deploy"
      },
--- a/hosts/nix-cache02/builder.nix
+++ b/hosts/nix-cache02/builder.nix
@@ -0,0 +1,44 @@
+{ config, ... }:
+{
+  # Fetch builder NKey from Vault
+  vault.secrets.builder-nkey = {
+    secretPath = "shared/homelab-deploy/builder-nkey";
+    extractKey = "nkey";
+    outputDir = "/run/secrets/builder-nkey";
+    services = [ "homelab-deploy-builder" ];
+  };
+
+  # Configure the builder service
+  services.homelab-deploy.builder = {
+    enable = true;
+    natsUrl = "nats://nats1.home.2rjus.net:4222";
+    nkeyFile = "/run/secrets/builder-nkey";
+
+    settings.repos = {
+      nixos-servers = {
+        url = "git+https://git.t-juice.club/torjus/nixos-servers.git";
+        defaultBranch = "master";
+      };
+      nixos = {
+        url = "git+https://git.t-juice.club/torjus/nixos.git";
+        defaultBranch = "master";
+      };
+    };
+
+    metrics.enable = true;
+  };
+
+  # Expose builder metrics for Prometheus scraping
+  homelab.monitoring.scrapeTargets = [
+    {
+      job_name = "homelab-deploy-builder";
+      port = 9973;
+    }
+  ];
+
+  # Ensure builder starts after vault secret is available
+  systemd.services.homelab-deploy-builder = {
+    after = [ "vault-secret-builder-nkey.service" ];
+    requires = [ "vault-secret-builder-nkey.service" ];
+  };
+}
--- a/hosts/nix-cache02/default.nix
+++ b/hosts/nix-cache02/default.nix
@@ -1,5 +1,6 @@
 { ... }: {
  imports = [
    ./configuration.nix
+    ./builder.nix
  ];
 }
--- a/services/nats/default.nix
+++ b/services/nats/default.nix
@@ -74,10 +74,12 @@
                publish = [
                  "deploy.test.>"
                  "deploy.discover"
+                  "build.>"
                ];
                subscribe = [
                  "deploy.responses.>"
                  "deploy.discover"
+                  "build.responses.>"
                ];
              };
            }
@@ -85,8 +87,22 @@
            {
              nkey = "UD2BFB7DLM67P5UUVCKBUJMCHADIZLGGVUNSRLZE2ZC66FW2XT44P73Y";
              permissions = {
-                publish = [ "deploy.>" ];
-                subscribe = [ "deploy.>" ];
+                publish = [
+                  "deploy.>"
+                  "build.>"
+                ];
+                subscribe = [
+                  "deploy.>"
+                  "build.responses.>"
+                ];
+              };
+            }
+            # Builder (subscribes to build requests, publishes responses)
+            {
+              nkey = "UB4PUHGKAWAK6OS62FX7DOQTPFFJTLZZBTKCOCAXDP75H3NSMWAEDJ7E";
+              permissions = {
+                subscribe = [ "build.>" ];
+                publish = [ "build.responses.>" ];
              };
            }
          ];
--- a/terraform/vault/hosts-generated.tf
+++ b/terraform/vault/hosts-generated.tf
@@ -36,6 +36,7 @@ locals {
    "nix-cache02" = {
      paths = [
        "secret/data/hosts/nix-cache02/*",
+        "secret/data/shared/homelab-deploy/*",
      ]
    }
  
--- a/terraform/vault/secrets.tf
+++ b/terraform/vault/secrets.tf
@@ -103,6 +103,11 @@ locals {
      data          = { nkey = var.homelab_deploy_admin_deployer_nkey }
    }

+    "shared/homelab-deploy/builder-nkey" = {
+      auto_generate = false
+      data          = { nkey = var.homelab_deploy_builder_nkey }
+    }
+
    # Kanidm idm_admin password
    "kanidm/idm-admin-password" = {
      auto_generate   = true
--- a/terraform/vault/variables.tf
+++ b/terraform/vault/variables.tf
@@ -73,6 +73,13 @@ variable "homelab_deploy_admin_deployer_nkey" {
  sensitive   = true
 }

+variable "homelab_deploy_builder_nkey" {
+  description = "NKey seed for homelab-deploy builder"
+  type        = string
+  default     = "PLACEHOLDER"
+  sensitive   = true
+}
+
 variable "nixos_exporter_nkey" {
  description = "NKey seed for nixos-exporter NATS authentication"
  type        = string