nix-cache02: add homelab-deploy builder service

- Configure builder to build nixos-servers and nixos (gunter) repos
- Add builder NKey to Vault secrets
- Update NATS permissions for builder, test-deployer, and admin-deployer
- Grant nix-cache02 access to shared homelab-deploy secrets

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

flake.lock

@@ -28,11 +28,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1770648258,
+        "lastModified": 1770758165,
-        "narHash": "sha256-sExxD8N9Q0RrHIoppOV6qp4jcJirLVjpQd20C72V78I=",
+        "narHash": "sha256-jjCcxhZavm2r7gjZ2+FNOMvTYQsRlIa9ijPICK0HVk4=",
         "ref": "master",
-        "rev": "277a49a666347e2e2ae67128cf732956a9c3be56",
+        "rev": "a8aab16d0e7400aaa00500d08c12734da3b638e0",
-        "revCount": 27,
+        "revCount": 32,
         "type": "git",
         "url": "https://git.t-juice.club/torjus/homelab-deploy"
       },

hosts/nix-cache02/builder.nix

@@ -0,0 +1,44 @@
+{ config, ... }:
+{
+  # Fetch builder NKey from Vault
+  vault.secrets.builder-nkey = {
+    secretPath = "shared/homelab-deploy/builder-nkey";
+    extractKey = "nkey";
+    outputDir = "/run/secrets/builder-nkey";
+    services = [ "homelab-deploy-builder" ];
+  };
+
+  # Configure the builder service
+  services.homelab-deploy.builder = {
+    enable = true;
+    natsUrl = "nats://nats1.home.2rjus.net:4222";
+    nkeyFile = "/run/secrets/builder-nkey";
+
+    settings.repos = {
+      nixos-servers = {
+        url = "git+https://git.t-juice.club/torjus/nixos-servers.git";
+        defaultBranch = "master";
+      };
+      nixos = {
+        url = "git+https://git.t-juice.club/torjus/nixos.git";
+        defaultBranch = "master";
+      };
+    };
+
+    metrics.enable = true;
+  };
+
+  # Expose builder metrics for Prometheus scraping
+  homelab.monitoring.scrapeTargets = [
+    {
+      job_name = "homelab-deploy-builder";
+      port = 9973;
+    }
+  ];
+
+  # Ensure builder starts after vault secret is available
+  systemd.services.homelab-deploy-builder = {
+    after = [ "vault-secret-builder-nkey.service" ];
+    requires = [ "vault-secret-builder-nkey.service" ];
+  };
+}

hosts/nix-cache02/default.nix

@@ -1,5 +1,6 @@
 { ... }: {
   imports = [
     ./configuration.nix
+    ./builder.nix
   ];
 }

services/nats/default.nix

@@ -74,10 +74,12 @@
                 publish = [
                   "deploy.test.>"
                   "deploy.discover"
+                  "build.>"
                 ];
                 subscribe = [
                   "deploy.responses.>"
                   "deploy.discover"
+                  "build.responses.>"
                 ];
               };
             }
@@ -85,8 +87,22 @@
             {
               nkey = "UD2BFB7DLM67P5UUVCKBUJMCHADIZLGGVUNSRLZE2ZC66FW2XT44P73Y";
               permissions = {
-                publish = [ "deploy.>" ];
+                publish = [
-                subscribe = [ "deploy.>" ];
+                  "deploy.>"
+                  "build.>"
+                ];
+                subscribe = [
+                  "deploy.>"
+                  "build.responses.>"
+                ];
+              };
+            }
+            # Builder (subscribes to build requests, publishes responses)
+            {
+              nkey = "UB4PUHGKAWAK6OS62FX7DOQTPFFJTLZZBTKCOCAXDP75H3NSMWAEDJ7E";
+              permissions = {
+                subscribe = [ "build.>" ];
+                publish = [ "build.responses.>" ];
               };
             }
           ];

terraform/vault/hosts-generated.tf

@@ -36,6 +36,7 @@ locals {
     "nix-cache02" = {
       paths = [
         "secret/data/hosts/nix-cache02/*",
+        "secret/data/shared/homelab-deploy/*",
       ]
     }
   

terraform/vault/secrets.tf

@@ -103,6 +103,11 @@ locals {
       data          = { nkey = var.homelab_deploy_admin_deployer_nkey }
     }
 
+    "shared/homelab-deploy/builder-nkey" = {
+      auto_generate = false
+      data          = { nkey = var.homelab_deploy_builder_nkey }
+    }
+
     # Kanidm idm_admin password
     "kanidm/idm-admin-password" = {
       auto_generate   = true

terraform/vault/variables.tf

@@ -73,6 +73,13 @@ variable "homelab_deploy_admin_deployer_nkey" {
   sensitive   = true
 }
 
+variable "homelab_deploy_builder_nkey" {
+  description = "NKey seed for homelab-deploy builder"
+  type        = string
+  default     = "PLACEHOLDER"
+  sensitive   = true
+}
+
 variable "nixos_exporter_nkey" {
   description = "NKey seed for nixos-exporter NATS authentication"
   type        = string