authorAspen Smith <root@gws.fyi>2024-01-18T15·30-0500
committerclbot <clbot@tvl.fyi>2024-01-18T15·40+0000
commitff144d8c62fc2bbbafc1cbfa94b08da525493345 (patch)
tree959d25fb47905c094dfd75c4e298d97a62c32fcf
parent713b9d439649d04291b6a755b710dcb61fa5d8ce (diff)
feat(grfn/system): Set up a buildkite agent on ogopogo r/7418
Change-Id: Ica7729d4f08b5345dfd50c22cae388d8bc014a3c
Reviewed-on: https://cl.tvl.fyi/c/depot/+/10662
Autosubmit: aspen <root@gws.fyi>
Reviewed-by: aspen <root@gws.fyi>
Tested-by: BuildkiteCI
-rw-r--r--users/grfn/secrets/bbbg.agebin658 -> 733 bytes
-rw-r--r--users/grfn/secrets/buildkite-ssh-key.agebin3853 -> 3883 bytes
-rw-r--r--users/grfn/secrets/buildkite-token.agebin488 -> 623 bytes
-rw-r--r--users/grfn/secrets/cloudflare.age16
-rw-r--r--users/grfn/secrets/ddclient-password.agebin398 -> 429 bytes
-rw-r--r--users/grfn/secrets/secrets.nix5
-rw-r--r--users/grfn/system/system/machines/ogopogo.nix43
7 files changed, 54 insertions, 10 deletions
diff --git a/users/grfn/secrets/bbbg.age b/users/grfn/secrets/bbbg.age
index 6c15dcdf7361..ebc0df233898 100644
--- a/users/grfn/secrets/bbbg.age
+++ b/users/grfn/secrets/bbbg.age
Binary files differ
diff --git a/users/grfn/secrets/buildkite-ssh-key.age b/users/grfn/secrets/buildkite-ssh-key.age
index 0ae5aa5502f7..d9587f11df4b 100644
--- a/users/grfn/secrets/buildkite-ssh-key.age
+++ b/users/grfn/secrets/buildkite-ssh-key.age
Binary files differ
diff --git a/users/grfn/secrets/buildkite-token.age b/users/grfn/secrets/buildkite-token.age
index 9e9e370f1bec..320ee06c0937 100644
--- a/users/grfn/secrets/buildkite-token.age
+++ b/users/grfn/secrets/buildkite-token.age
Binary files differ
diff --git a/users/grfn/secrets/cloudflare.age b/users/grfn/secrets/cloudflare.age
index e2f6e9360385..4f42ee782165 100644
--- a/users/grfn/secrets/cloudflare.age
+++ b/users/grfn/secrets/cloudflare.age
@@ -1,9 +1,9 @@
 age-encryption.org/v1
--> ssh-ed25519 CpJBgQ tWx7wXCFjOOfD0wKRHHvLUdR+SF0i43xvnQG9GKurnk
-NRh7kSn7wqw80Y9EFr9Ccft+zYMadXZhYNPEaQlQXtQ
--> ssh-ed25519 LfBFbQ SPQMLC3Ehw00IG1CcbcLFZI2tHy89fjRgVgH4Iw2iBM
-oo2gT9472/DFRoZ6TYxhnM9ylRUNzoS8mLQYvn+4OSM
--> D[7+*-grease `>j ~Jk Dz%o vaKET3
-TkKVm8IpqfiVzETAi9+zuUtCdkReB+lHtthwNw
---- 3iOmY4TNICMi/Fz7k8pmoZlFym9uQBWNtHNlizoAMaM
-ZPzQ65ATI;;Зy5]k^!`t$RւtK)<k_#XmASpU1@)cֺqj1z,Hg:
\ No newline at end of file
+-> ssh-ed25519 CpJBgQ AVkUs8tuzVlDq3FH/zRrBr5f4KR05fONM6iCluq6hyM
+feS2cxFowSWfDdUQjtmIiMc5338n805yownSZ/ZWfS8
+-> ssh-ed25519 LfBFbQ F67irB+DYQ8WMhaFcO+3o0O0lJsf+tWFZ9cSGSuHgA8
+EKS4zRGUEgeldjxdx4sIsnorWHoeTlXa9LJtNf9lkAM
+-> QvY:XSvC-grease 04
+pBnXsOF6qugcSBp+pw
+--- +g65NbIxu6bVVerS93kYZpEO5ssUZfCD+sZMzOjDUdU
+RTmaF[BÊ0a_&˕=3dlzRVi6-9:U.E	JΙA-qྟ|}}a=H+]mtR%9\Jt|1B
\ No newline at end of file
diff --git a/users/grfn/secrets/ddclient-password.age b/users/grfn/secrets/ddclient-password.age
index 0de870710571..8d25e3b539bd 100644
--- a/users/grfn/secrets/ddclient-password.age
+++ b/users/grfn/secrets/ddclient-password.age
Binary files differ
diff --git a/users/grfn/secrets/secrets.nix b/users/grfn/secrets/secrets.nix
index 986ad181b87c..448dbba1fd1a 100644
--- a/users/grfn/secrets/secrets.nix
+++ b/users/grfn/secrets/secrets.nix
@@ -1,6 +1,7 @@
 let
   grfn = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMcBGBoWd5pPIIQQP52rcFOQN3wAY0J/+K2fuU6SffjA";
   mugwump = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFE2fxPgWO+zeQoLBTgsgxP7Vg7QNHlrQ+Rb3fHFTomB";
+  ogopogo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINoS7PqM8d7xc8nn0yfiPGfRaH8U/nq2Jm27nRO3L5P0";
   bbbg = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL/VzrNEY47KPTce3dgfORkAbweWkr4BI8j54BAIs7bG";
 in
 
@@ -8,6 +9,6 @@ in
   "bbbg.age".publicKeys = [ grfn mugwump bbbg ];
   "cloudflare.age".publicKeys = [ grfn mugwump ];
   "ddclient-password.age".publicKeys = [ grfn mugwump ];
-  "buildkite-ssh-key.age".publicKeys = [ grfn mugwump ];
-  "buildkite-token.age".publicKeys = [ grfn mugwump ];
+  "buildkite-ssh-key.age".publicKeys = [ grfn mugwump ogopogo ];
+  "buildkite-token.age".publicKeys = [ grfn mugwump ogopogo ];
 }
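Review bot: Adding `ogopogo` to the recipients of `buildkite-ssh-key.age` places the same private SSH key on one more machine, so it cannot be revoked for a single host without rotating it for every holder, and use of the key cannot be attributed to one host. A separate key per agent, encrypted only to that machine and the admin key, would keep revocation local; whether `mugwump` also deploys this key is not visible here. A short comment at the `let` bindings in the previous hunk would also help, e.g. `# machine host keys: anything running as root on that host can decrypt`, since `ogopogo` appears to be a host key rather than a user key (inferred from the machine config of the same name in this commit).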
diff --git a/users/grfn/system/system/machines/ogopogo.nix b/users/grfn/system/system/machines/ogopogo.nix
index eeb016921f84..d6b70d834fab 100644
--- a/users/grfn/system/system/machines/ogopogo.nix
+++ b/users/grfn/system/system/machines/ogopogo.nix
@@ -3,6 +3,7 @@
 {
   imports = [
     (modulesPath + "/installer/scan/not-detected.nix")
+    (depot.third_party.agenix.src + "/modules/age.nix")
     ../modules/common.nix
     ../modules/xserver.nix
     ../modules/fonts.nix
@@ -94,4 +95,46 @@
       wal_level = "logical";
     };
   };
+
+  services.buildkite-agents.ogopogo-1 = rec {
+    enable = true;
+    tokenPath = config.age.secretsDir + "/buildkite-token";
+    privateSshKeyPath = config.age.secretsDir + "/buildkite-ssh-key";
+    runtimePackages = with pkgs; [
+      docker
+      nix
+      gnutar
+      gzip
+      bash
+    ];
+    tags = {
+      queue = "ogopogo";
+    };
+    dataDir = "/home/grfn/buildkite-agent";
+
+    hooks.environment = ''
+      export BUILDKITE_AGENT_HOME=${dataDir}
+    '';
+  };
+  systemd.services.buildkite-agent-ogopogo-1.serviceConfig.User =
+    lib.mkForce "grfn";
+  users.users.grfn.extraGroups = [ "keys" ];
+
+  age.secrets =
+    let
+      secret = name: depot.users.grfn.secrets."${name}.age";
+    in
+    {
+      buildkite-ssh-key = {
+        file = secret "buildkite-ssh-key";
+        group = "keys";
+        mode = "0440";
+      };
+
+      buildkite-token = {
+        file = secret "buildkite-token";
+        group = "keys";
+        mode = "0440";
+      };
+    };
 }
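Review bot: Forcing `serviceConfig.User` to `grfn` and putting `dataDir` under `/home/grfn` means every pipeline step taken from the `ogopogo` queue runs with the interactive account's full privileges, including read access to that home directory and to both decrypted secrets. The page does not show which pipelines target this queue; if anything other than the owner's own changes can reach it, keeping the module's dedicated service user would contain a hostile build step. If running as `grfn` is required, the secrets can at least be narrowed from every member of `keys` to the one account, with `owner = "grfn"; mode = "0400";` in place of `group = "keys"; mode = "0440";`, which also makes the `extraGroups = [ "keys" ]` line unnecessary. The enclosing module attribute set opens outside this hunk.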