From 17fcc7e58f034eb0eb812a1821bac2f38dca5f02 Mon Sep 17 00:00:00 2001 From: Natsu Kagami Date: Fri, 16 Aug 2024 16:30:58 +0200 Subject: [PATCH] Set up private-key for yoga build farm --- modules/services/nix-build-farm/default.nix | 11 +---------- modules/services/nix-build-farm/hosts.nix | 2 +- nki-yoga-g8/configuration.nix | 5 +++++ nki-yoga-g8/secrets.yaml | 6 ++++-- 4 files changed, 11 insertions(+), 13 deletions(-) diff --git a/modules/services/nix-build-farm/default.nix b/modules/services/nix-build-farm/default.nix index 74ccbc0..4188bfd 100644 --- a/modules/services/nix-build-farm/default.nix +++ b/modules/services/nix-build-farm/default.nix @@ -38,19 +38,10 @@ in (name: host: { hostName = host.host; sshUser = build-user; + sshKey = cfg.privateKeyFile; } // host.builder) otherBuilders; - programs.ssh.extraConfig = (lib.concatStringsSep "\n" (lib.mapAttrsToList - (name: host: '' - Host ${name} - HostName ${host.host} - User ${build-user} - IdentitiesOnly yes - IdentityFile ${cfg.privateKeyFile} - '') - otherBuilders)); - users = mkIf (isBuilder host) { users.${build-user} = { description = "Nix build farm user"; diff --git a/modules/services/nix-build-farm/hosts.nix b/modules/services/nix-build-farm/hosts.nix index 3b09874..063b346 100644 --- a/modules/services/nix-build-farm/hosts.nix +++ b/modules/services/nix-build-farm/hosts.nix @@ -4,7 +4,7 @@ pubKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK6N1uTxnbo73tyzD9X7d7OgPeoOpY7JmQaHASjSWFPI nki@kagamiPC"; builder = { - publicHostKey = "c3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSUN5UUc3YWUrZEY3SWN0dVU3T3FnR3hqRlJydGpPaGpxSmF6UW5RUVlqbUQgcm9vdEBua2kteW9nYS1nOAo="; + publicHostKey = "c3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSUhiVTh2NlNBa0kyOTBCc1QzVG1IRVVJQWdXcVFyNm9jRmpjakRRczRoT2ggcm9vdEBrYWdhbWlQQwo="; systems = [ "x86_64-linux" "aarch64-linux" ]; maxJobs = 16; speedFactor = 2; diff --git a/nki-yoga-g8/configuration.nix b/nki-yoga-g8/configuration.nix index 2a8bcd7..672292f 100644 
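Review bot: Removing the `programs.ssh.extraConfig` block also drops `IdentitiesOnly yes`, and the added `sshKey = cfg.privateKeyFile;` does not obviously replace it. As far as I know Nix only hands `sshKey` to ssh as an identity file, so agent or default identities available to the connecting user may still be offered to the builders. If the restriction was intentional, keep a minimal block keyed on the address that is actually dialled, e.g. `Host ${host.host}` with `IdentitiesOnly yes`, or add a comment saying why it is no longer needed. Separately, `sshKey` sits on the left of `// host.builder`, so an `sshKey` attribute in a hosts.nix `builder` set would silently override it. The enclosing `mapAttrsToList` call and the `users` block start and end outside this hunk.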
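Review bot: The replacement `publicHostKey` is an opaque base64 blob with nothing beside it saying which machine it belongs to, which is probably how the previous value went unnoticed. The old value's tail appears to decode to `root@nki-yoga-g8`, while this entry's `pubKey` is for `nki@kagamiPC`; the new tail appears to decode to `root@kagamiPC`, which matches. I would add a comment above it such as `# base64 -w0 of kagamiPC's ed25519 host public key; re-check on the host before changing`, so a wrong pin is caught in review and not as a failed or mis-pinned builder connection. The attribute set that holds this line opens and closes outside the hunk.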
--- a/nki-yoga-g8/configuration.nix +++ b/nki-yoga-g8/configuration.nix @@ -19,6 +19,11 @@ common.linux.sops.enable = true; common.linux.sops.file = ./secrets.yaml; + # Build farm + sops.secrets."nix-build-farm/private-key" = { mode = "0400"; }; + services.nix-build-farm.hostname = "yoga"; + services.nix-build-farm.privateKeyFile = config.sops.secrets."nix-build-farm/private-key".path; + ## tinc sops.secrets."tinc-private-key" = { }; services.my-tinc = { diff --git a/nki-yoga-g8/secrets.yaml b/nki-yoga-g8/secrets.yaml index 40f588c..521434f 100644 --- a/nki-yoga-g8/secrets.yaml +++ b/nki-yoga-g8/secrets.yaml @@ -1,4 +1,6 @@ tinc-private-key: ENC[AES256_GCM,data:lzmisexQPfRlIMGqbmb+uqGtOPceQ3CJGlVOeOC6nbP/IDwkufSWtxugYmUwi9IJKwO0mldijiKWuG3p9005H++8567hhPy/bU7fA4vyVC+3UVGW6l0mE+yKQXTyI7kzxkXMCK5a4Q4rUJj544vU6pt75/mytfg+Cox2woGZAHZvJ/pRuHDe2t3R6w3EYYTu6x1w5azGnFvCOVdR6XPsGJA2p3oRnEpz64L7KD2QOdtm0YsfMnorH9FbvkZgNr927VbRnBRJ1QM=,iv:4K4w6ruQxtRGjmFnWszlXZKp36TuTTnrB0sDEE/tmrM=,tag:NBP897Sw84bvZTvo/+fVfA==,type:str] +nix-build-farm: + private-key: ENC[AES256_GCM,data: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,iv:703rM/FQz65upd1JWTHNsjAXh2BeoknkALShKuHUsis=,tag:yAB6KJqpm1mOFT5GzKRPBw==,type:str] sops: kms: [] gcp_kms: [] 
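Review bot: The `# Build farm` comment does not say which public key this secret pairs with or who must be able to read it, and both matter for a credential that grants build access to other machines. I would extend it to something like `# Build farm: passphrase-less client key for "yoga"; public half must match this host's entry in hosts.nix; 0400 because only the Nix daemon reads it`. The owner is left at the sops-nix default, which I assume is root; confirm that matches the user the daemon connects as. The slash in the secret name relies on the nested `nix-build-farm:` / `private-key:` key added to secrets.yaml in this same commit, so the two must stay in step.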
@@ -23,8 +25,8 @@ sops: eitNc1E2SzY5bkUxNWtNczRsWWJaU2MKUIu9GT7zu0MvvnXxiQfLW9pQcxFKOwPm VRU2k3XQkYjSDZX29DxrOzaPS/L3OYNyBYMyOW8GyMa2V12lMH6lPQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-07-23T16:24:43Z" - mac: ENC[AES256_GCM,data:YTPZCX2Nkws0EJB/+PJVCYlKN0BoWqDRIH5QfhB7ayQ42tkUlz60Bt1ksbEMNtz2RS4sJSp4dlihTBLO4gRHbeMZf40f+j42Td4Dj0etqOkaspR5q5mE1XR8ml7QRzALEq5SHRi13szfO4BHaaFsSHTyFgKxA4uDzZ4JnBoxjAQ=,iv:KuO4rhO9vH+HqcgqTvOYBayitFzLhm4CQRTyzIplKnM=,tag:G/qgcxZoc89etzkUnkw02Q==,type:str] + lastmodified: "2024-08-16T14:17:07Z" + mac: ENC[AES256_GCM,data:qrMyVDLhtK4URqrHFBx+08PMrFyfib4iH0y7iAeVB/oFGazjm3O5MeS9fNYJeONghuelux69nh2FRfSJHG/moEBcWlL68R4xbCb4he528P+n7mQnR54BNFJdT2oOra4bqO9n/4m2UA8jmA0veoqSrZUVjnmjftqOedjnRESY1L8=,iv:jql79ItwPcJg/nnbsUywOzWz/UJy0ZpY04pvEF290c4=,tag:XKrToym2dXdippnivoK1/Q==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1