torjus/nixos-servers
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity

nix-cache02-builder #39

Merged
torjus merged 3 commits from nix-cache02-builder into master 2026-02-10 21:47:59 +00:00
Conversation 0 Commits 3 Files Changed 9 +80 -6
7 changed files with 80 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Showing only changes of commit 47747329c4 - Show all commits

8
flake.lock generated
View File

@@ -28,11 +28,11 @@
]
},
"locked": {
"lastModified": 1770648258,
"narHash": "sha256-sExxD8N9Q0RrHIoppOV6qp4jcJirLVjpQd20C72V78I=",
"lastModified": 1770758165,
"narHash": "sha256-jjCcxhZavm2r7gjZ2+FNOMvTYQsRlIa9ijPICK0HVk4=",
"ref": "master",
"rev": "277a49a666347e2e2ae67128cf732956a9c3be56",
"revCount": 27,
"rev": "a8aab16d0e7400aaa00500d08c12734da3b638e0",
"revCount": 32,
"type": "git",
"url": "https://git.t-juice.club/torjus/homelab-deploy"
},

44
hosts/nix-cache02/builder.nix Normal file
View File

@@ -0,0 +1,44 @@
{ config, ... }:
{
# Fetch builder NKey from Vault
vault.secrets.builder-nkey = {
secretPath = "shared/homelab-deploy/builder-nkey";
extractKey = "nkey";
outputDir = "/run/secrets/builder-nkey";
services = [ "homelab-deploy-builder" ];
};
# Configure the builder service
services.homelab-deploy.builder = {
enable = true;
natsUrl = "nats://nats1.home.2rjus.net:4222";
nkeyFile = "/run/secrets/builder-nkey";
settings.repos = {
nixos-servers = {
url = "git+https://git.t-juice.club/torjus/nixos-servers.git";
defaultBranch = "master";
};
nixos = {
url = "git+https://git.t-juice.club/torjus/nixos.git";
defaultBranch = "master";
};
};
metrics.enable = true;
};
# Expose builder metrics for Prometheus scraping
homelab.monitoring.scrapeTargets = [
{
job_name = "homelab-deploy-builder";
port = 9973;
}
];
# Ensure builder starts after vault secret is available
systemd.services.homelab-deploy-builder = {
after = [ "vault-secret-builder-nkey.service" ];
requires = [ "vault-secret-builder-nkey.service" ];
};
}

1
hosts/nix-cache02/default.nix
View File

@@ -1,5 +1,6 @@
{ ... }: {
imports = [
./configuration.nix
./builder.nix
];
}

20
services/nats/default.nix
View File

@@ -74,10 +74,12 @@
publish = [
"deploy.test.>"
"deploy.discover"
"build.>"
];
subscribe = [
"deploy.responses.>"
"deploy.discover"
"build.responses.>"
];
};
}
@@ -85,8 +87,22 @@
{
nkey = "UD2BFB7DLM67P5UUVCKBUJMCHADIZLGGVUNSRLZE2ZC66FW2XT44P73Y";
permissions = {
publish = [ "deploy.>" ];
subscribe = [ "deploy.>" ];
publish = [
"deploy.>"
"build.>"
];
subscribe = [
"deploy.>"
"build.responses.>"
];
};
}
# Builder (subscribes to build requests, publishes responses)
{
nkey = "UB4PUHGKAWAK6OS62FX7DOQTPFFJTLZZBTKCOCAXDP75H3NSMWAEDJ7E";
permissions = {
subscribe = [ "build.>" ];
publish = [ "build.responses.>" ];
};
}
];

1
terraform/vault/hosts-generated.tf
View File

@@ -36,6 +36,7 @@ locals {
"nix-cache02" = {
paths = [
"secret/data/hosts/nix-cache02/*",
"secret/data/shared/homelab-deploy/*",
]
}

5
terraform/vault/secrets.tf
View File

@@ -103,6 +103,11 @@ locals {
data = { nkey = var.homelab_deploy_admin_deployer_nkey }
}
"shared/homelab-deploy/builder-nkey" = {
auto_generate = false
data = { nkey = var.homelab_deploy_builder_nkey }
}
# Kanidm idm_admin password
"kanidm/idm-admin-password" = {
auto_generate = true

7
terraform/vault/variables.tf
View File

@@ -73,6 +73,13 @@ variable "homelab_deploy_admin_deployer_nkey" {
sensitive = true
}
variable "homelab_deploy_builder_nkey" {
description = "NKey seed for homelab-deploy builder"
type = string
default = "PLACEHOLDER"
sensitive = true
}
variable "nixos_exporter_nkey" {
description = "NKey seed for nixos-exporter NATS authentication"
type = string