From ff144d8c62fc2bbbafc1cbfa94b08da525493345 Mon Sep 17 00:00:00 2001
From: Aspen Smith
Date: Thu, 18 Jan 2024 10:30:10 -0500
Subject: feat(grfn/system): Set up a buildkite agent on ogopogo
Change-Id: Ica7729d4f08b5345dfd50c22cae388d8bc014a3c
Reviewed-on: https://cl.tvl.fyi/c/depot/+/10662
Autosubmit: aspen
Reviewed-by: aspen
Tested-by: BuildkiteCI
---
 users/grfn/secrets/bbbg.age | Bin 658 -> 733 bytes
 users/grfn/secrets/buildkite-ssh-key.age | Bin 3853 -> 3883 bytes
 users/grfn/secrets/buildkite-token.age | Bin 488 -> 623 bytes
 users/grfn/secrets/cloudflare.age | 16 +++++-----
 users/grfn/secrets/ddclient-password.age | Bin 398 -> 429 bytes
 users/grfn/secrets/secrets.nix | 5 +--
 users/grfn/system/system/machines/ogopogo.nix | 43 ++++++++++++++++++++++++++
 7 files changed, 54 insertions(+), 10 deletions(-)
(limited to 'users/grfn')
diff --git a/users/grfn/secrets/bbbg.age b/users/grfn/secrets/bbbg.age
index 6c15dcdf7361..ebc0df233898 100644
Binary files a/users/grfn/secrets/bbbg.age and b/users/grfn/secrets/bbbg.age differ
diff --git a/users/grfn/secrets/buildkite-ssh-key.age b/users/grfn/secrets/buildkite-ssh-key.age
index 0ae5aa5502f7..d9587f11df4b 100644
Binary files a/users/grfn/secrets/buildkite-ssh-key.age and b/users/grfn/secrets/buildkite-ssh-key.age differ
diff --git a/users/grfn/secrets/buildkite-token.age b/users/grfn/secrets/buildkite-token.age
index 9e9e370f1bec..320ee06c0937 100644
Binary files a/users/grfn/secrets/buildkite-token.age and b/users/grfn/secrets/buildkite-token.age differ
diff --git a/users/grfn/secrets/cloudflare.age b/users/grfn/secrets/cloudflare.age
index e2f6e9360385..4f42ee782165 100644
--- a/users/grfn/secrets/cloudflare.age
+++ b/users/grfn/secrets/cloudflare.age
@@ -1,9 +1,9 @@ age-encryption.org/v1 --> ssh-ed25519 CpJBgQ tWx7wXCFjOOfD0wKRHHvLUdR+SF0i43xvnQG9GKurnk -NRh7kSn7wqw80Y9EFr9Ccft+zYMadXZhYNPEaQlQXtQ --> ssh-ed25519 LfBFbQ SPQMLC3Ehw00IG1CcbcLFZI2tHy89fjRgVgH4Iw2iBM -oo2gT9472/DFRoZ6TYxhnM9ylRUNzoS8mLQYvn+4OSM --> D[7+*-grease `>j ~Jk Dz%o vaKET3 -TkKVm8IpqfiVzETAi9+zuUtCdkReB+lHtthwNw ---- 3iOmY4TNICMi/Fz7k8pmoZlFym9uQBWNtHNlizoAMaM -ZPzQ65AT I;;Зy5]k^!`t$RւtK) ssh-ed25519 CpJBgQ AVkUs8tuzVlDq3FH/zRrBr5f4KR05fONM6iCluq6hyM +feS2cxFowSWfDdUQjtmIiMc5338n805yownSZ/ZWfS8 +-> ssh-ed25519 LfBFbQ F67irB+DYQ8WMhaFcO+3o0O0lJsf+tWFZ9cSGSuHgA8 +EKS4zRGUEgeldjxdx4sIsnorWHoeTlXa9LJtNf9lkAM +-> QvY:XSvC-grease 04 +pBnXsOF6qugcSBp+pw +--- +g65NbIxu6bVVerS93kYZpEO5ssUZfCD+sZMzOjDUdU +RTmaF[BÊ0a_&˕=3dlzRVi6-9:U.E JΙA-qྟ|}}a=H+]mtR%9\Jt|1B \ No newline at end of file diff --git a/users/grfn/secrets/ddclient-password.age b/users/grfn/secrets/ddclient-password.age index 0de870710571..8d25e3b539bd 100644 Binary files a/users/grfn/secrets/ddclient-password.age and b/users/grfn/secrets/ddclient-password.age differ diff --git a/users/grfn/secrets/secrets.nix b/users/grfn/secrets/secrets.nix index 986ad181b87c..448dbba1fd1a 100644 --- a/users/grfn/secrets/secrets.nix +++ b/users/grfn/secrets/secrets.nix @@ -1,6 +1,7 @@ let grfn = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMcBGBoWd5pPIIQQP52rcFOQN3wAY0J/+K2fuU6SffjA"; mugwump = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFE2fxPgWO+zeQoLBTgsgxP7Vg7QNHlrQ+Rb3fHFTomB"; + ogopogo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINoS7PqM8d7xc8nn0yfiPGfRaH8U/nq2Jm27nRO3L5P0"; bbbg = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL/VzrNEY47KPTce3dgfORkAbweWkr4BI8j54BAIs7bG"; in 
@@ -8,6 +9,6 @@ in
 "bbbg.age".publicKeys = [ grfn mugwump bbbg ];
 "cloudflare.age".publicKeys = [ grfn mugwump ];
 "ddclient-password.age".publicKeys = [ grfn mugwump ];
- "buildkite-ssh-key.age".publicKeys = [ grfn mugwump ];
- "buildkite-token.age".publicKeys = [ grfn mugwump ];
+ "buildkite-ssh-key.age".publicKeys = [ grfn mugwump ogopogo ];
+ "buildkite-token.age".publicKeys = [ grfn mugwump ogopogo ];
 }
diff --git a/users/grfn/system/system/machines/ogopogo.nix b/users/grfn/system/system/machines/ogopogo.nix
index eeb016921f84..d6b70d834fab 100644
--- a/users/grfn/system/system/machines/ogopogo.nix
+++ b/users/grfn/system/system/machines/ogopogo.nix
@@ -3,6 +3,7 @@
 {
 imports = [
 (modulesPath + "/installer/scan/not-detected.nix")
+ (depot.third_party.agenix.src + "/modules/age.nix")
 ../modules/common.nix
 ../modules/xserver.nix
 ../modules/fonts.nix
@@ -94,4 +95,46 @@
 wal_level = "logical";
 };
 };
+
+ services.buildkite-agents.ogopogo-1 = rec {
+ enable = true;
+ tokenPath = config.age.secretsDir + "/buildkite-token";
+ privateSshKeyPath = config.age.secretsDir + "/buildkite-ssh-key";
+ runtimePackages = with pkgs; [
+ docker
+ nix
+ gnutar
+ gzip
+ bash
+ ];
+ tags = {
+ queue = "ogopogo";
+ };
+ dataDir = "/home/grfn/buildkite-agent";
+
+ hooks.environment = ''
+ export BUILDKITE_AGENT_HOME=${dataDir}
+ '';
+ };
+ systemd.services.buildkite-agent-ogopogo-1.serviceConfig.User =
+ lib.mkForce "grfn";
+ users.users.grfn.extraGroups = [ "keys" ];
+
+ age.secrets =
+ let
+ secret = name: depot.users.grfn.secrets."${name}.age";
+ in
+ {
+ buildkite-ssh-key = {
+ file = secret "buildkite-ssh-key";
+ group = "keys";
+ mode = "0440";
+ };
+
+ buildkite-token = {
+ file = secret "buildkite-token";
+ group = "keys";
+ mode = "0440";
+ };
+ };
 }
-- cgit 1.4.1
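Review bot: The agent is forced onto the interactive account by `systemd.services.buildkite-agent-ogopogo-1.serviceConfig.User = lib.mkForce "grfn";` in the last ogopogo.nix hunk, with `dataDir` under `/home/grfn` and `docker` in `runtimePackages`, so every pipeline step runs with that user's full access to the home directory and, through the new `keys` group membership, to both decrypted secrets. Whether this queue only ever builds trusted code is not visible here; if it might not, a dedicated service account is the safer default: drop the `User` override and the `/home/grfn` `dataDir`, and give each secret `owner = "buildkite-agent-ogopogo-1";` with `mode = "0400"` instead of `group = "keys"` (this assumes the module's default per-agent user name, which should be confirmed). Separately, `tokenPath = config.age.secrets.buildkite-token.path;` and the matching `privateSshKeyPath` would tie the paths to the secret declarations rather than rebuilding them from `secretsDir` by string concatenation.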