nix-cache02: add homelab-deploy builder service

- Configure builder to build nixos-servers and nixos (gunter) repos - Add builder NKey to Vault secrets - Update NATS permissions for builder, test-deployer, and admin-deployer - Grant nix-cache02 access to shared homelab-deploy secrets Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-10 22:26:40 +01:00
parent 2d9ca2a73f
commit 47747329c4
7 changed files with 80 additions and 6 deletions
--- a/services/nats/default.nix
+++ b/services/nats/default.nix
@@ -74,10 +74,12 @@
                publish = [
                  "deploy.test.>"
                  "deploy.discover"
+                  "build.>"
                ];
                subscribe = [
                  "deploy.responses.>"
                  "deploy.discover"
+                  "build.responses.>"
                ];
              };
            }
@@ -85,8 +87,22 @@
            {
              nkey = "UD2BFB7DLM67P5UUVCKBUJMCHADIZLGGVUNSRLZE2ZC66FW2XT44P73Y";
              permissions = {
-                publish = [ "deploy.>" ];
-                subscribe = [ "deploy.>" ];
+                publish = [
+                  "deploy.>"
+                  "build.>"
+                ];
+                subscribe = [
+                  "deploy.>"
+                  "build.responses.>"
+                ];
+              };
+            }
+            # Builder (subscribes to build requests, publishes responses)
+            {
+              nkey = "UB4PUHGKAWAK6OS62FX7DOQTPFFJTLZZBTKCOCAXDP75H3NSMWAEDJ7E";
+              permissions = {
+                subscribe = [ "build.>" ];
+                publish = [ "build.responses.>" ];
              };
            }
          ];