feat(grfn/system): Set up a buildkite agent on ogopogo r/7418

Change-Id: Ica7729d4f08b5345dfd50c22cae388d8bc014a3c
Reviewed-on: https://cl.tvl.fyi/c/depot/+/10662
Autosubmit: aspen <root@gws.fyi>
Reviewed-by: aspen <root@gws.fyi>
Tested-by: BuildkiteCI

1 files changed, 43 insertions, 0 deletions

diff --git a/users/grfn/system/system/machines/ogopogo.nix b/users/grfn/system/system/machines/ogopogo.nix
index eeb016921f84..d6b70d834fab 100644
--- a/users/grfn/system/system/machines/ogopogo.nix
+++ b/users/grfn/system/system/machines/ogopogo.nix
@@ -3,6 +3,7 @@
 {
   imports = [
     (modulesPath + "/installer/scan/not-detected.nix")
+    (depot.third_party.agenix.src + "/modules/age.nix")
     ../modules/common.nix
     ../modules/xserver.nix
     ../modules/fonts.nix
@@ -94,4 +95,46 @@
       wal_level = "logical";
     };
   };
+
+  services.buildkite-agents.ogopogo-1 = rec {
+    enable = true;
+    tokenPath = config.age.secretsDir + "/buildkite-token";
+    privateSshKeyPath = config.age.secretsDir + "/buildkite-ssh-key";
+    runtimePackages = with pkgs; [
+      docker
+      nix
+      gnutar
+      gzip
+      bash
+    ];
+    tags = {
+      queue = "ogopogo";
+    };
+    dataDir = "/home/grfn/buildkite-agent";
+
+    hooks.environment = ''
+      export BUILDKITE_AGENT_HOME=${dataDir}
+    '';
+  };
+  systemd.services.buildkite-agent-ogopogo-1.serviceConfig.User =
+    lib.mkForce "grfn";
+  users.users.grfn.extraGroups = [ "keys" ];
+
+  age.secrets =
+    let
+      secret = name: depot.users.grfn.secrets."${name}.age";
+    in
+    {
+      buildkite-ssh-key = {
+        file = secret "buildkite-ssh-key";
+        group = "keys";
+        mode = "0440";
+      };
+
+      buildkite-token = {
+        file = secret "buildkite-token";
+        group = "keys";
+        mode = "0440";
+      };
+    };
 }