Deploy with nix-darwin for macOS

1. Installation

Evaluation currently requires an x86_64-linux machine to be in your build cluster!

To avoid compiling the agent yourself, use the binary cache to speed up installation:

$ nix-env -iA cachix -f https://cachix.org/api/v1/install
$ cachix use hercules-ci

On macOS run:

sh <(curl https://nixos.org/nix/install) --daemon
source /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh

nix-build https://github.com/hercules-ci/nix-darwin/archive/hercules-ci-agent.tar.gz -A installer
./result/bin/darwin-installer

When asked to edit darwin-configuration.nix, add:

services.nix-daemon.enable = true;
services.hercules-ci-agent.enable = true;

2. Get a cluster join token.

  1. In the dashboard, find the account for which you would like to deploy the agent.

  2. Click the "Agents" button and then the button in the "Generate token" tab. This produces a private token that should be protected like a password.

  3. Save the token to a new file cluster-join-token.key on the target machine and run:

    sudo install \
        -o hercules-ci-agent  \
        -m 0600 \
        cluster-join-token.key \
        /var/lib/hercules-ci-agent/secrets/cluster-join-token.key
    rm cluster-join-token.key

     Run tail -f /var/log/hercules-ci-agent.log to see what is going on with your agent.

3. Configure binary caches

If you’re using more than one agent or would like to share resulting binaries outside the build farm you’ll need a binary cache.

On Cachix you can create a binary cache. After you complete the process, gather the keys into a binary-caches.json file, replacing all placeholders:

binary-caches.json:

{ "mycache":
    { "kind": "CachixCache"
    , "authToken": "eyJhaf23GH53a.bc23BUSI.9q3048hWHh"
    , "publicKeys": ["mycache.cachix.org-1:EjBSHzF6VmDnzqlldGXbi0RM3HdjfTU3yDRi9Pd0jTY="]
    , "signingKeys": ["uAhqM3jG..."]
    }
}

mycache: The name of the Cachix cache; for example the mycache part of mycache.cachix.org.
authToken: Optional; only required for private binary caches. You may retrieve it from the Cachix Getting started instructions, step 3.
publicKeys: The public part of the signing key. Look for "Public Key" on your cache page (example page: https://mycache.cachix.org).
signingKeys: A cache-specific secret key used to sign store paths. You can find it in ~/.config/cachix/cachix.dhall or in your key backup after following the setup instructions on cachix.org. Make sure you copy the right key if your cachix.dhall contains several.
For more detail, see The binary-caches.json format in the Reference.
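As an added example (not part of the Hercules CI documentation or the agent's own code), a small Python validator for the shape of a binary-caches.json file before it is installed on the agent. It assumes only what the example above shows: kind is CachixCache, a public key is named <cache>.cachix.org-N and carries a base64 ed25519 key, and a signing key still containing "..." is an unfilled placeholder; the sample document is constructed from the page's example.

```python
import base64, binascii, json, re

# Constructed sample mirroring the page's binary-caches.json example; the
# "..." placeholder in signingKeys is kept so the validator has something to flag.
SAMPLE = """{ "mycache":
    { "kind": "CachixCache"
    , "authToken": "eyJhaf23GH53a.bc23BUSI.9q3048hWHh"
    , "publicKeys": ["mycache.cachix.org-1:EjBSHzF6VmDnzqlldGXbi0RM3HdjfTU3yDRi9Pd0jTY="]
    , "signingKeys": ["uAhqM3jG..."]
    } }"""

# A Nix cache public key is "<keyname>-<N>:<base64 ed25519 key>" (assumed from the example).
PUBKEY_RE = re.compile(r"^(?P<host>[^:]+)-\d+:(?P<b64>[A-Za-z0-9+/]+=*)$")

def b64_len(s):
    """Decoded byte length of s, or None if s is not strict base64."""
    try:
        return len(base64.b64decode(s, validate=True))
    except (binascii.Error, ValueError):
        return None

def validate_binary_caches(text):
    """Return the problems found in a binary-caches.json document (empty list = OK)."""
    caches = json.loads(text)
    if not isinstance(caches, dict) or not caches:
        return ["top level must be a non-empty object keyed by cache name"]
    problems = []
    for name, cache in caches.items():
        if cache.get("kind") != "CachixCache":
            problems.append(f"{name}: kind must be 'CachixCache'")
        token = cache.get("authToken")
        if token is not None and not (isinstance(token, str) and token.strip()):
            problems.append(f"{name}: authToken must be a non-empty string when present")
        pubkeys = cache.get("publicKeys") or []
        if not pubkeys:
            problems.append(f"{name}: publicKeys must list at least one key")
        for k in pubkeys:
            m = PUBKEY_RE.match(k)
            if not m or m.group("host") != f"{name}.cachix.org":
                problems.append(f"{name}: public key {k!r} should be '{name}.cachix.org-N:<base64>'")
            elif b64_len(m.group("b64")) != 32:  # ed25519 public keys are 32 bytes
                problems.append(f"{name}: public key {k!r} does not decode to 32 bytes")
        for k in cache.get("signingKeys") or []:
            if "..." in k or b64_len(k) is None:  # catches the doc placeholder and non-base64 junk
                problems.append(f"{name}: signingKeys entry {k!r} is a placeholder, not a key")
    return problems
```

Running it over the page's example reports only the unfilled signingKeys placeholder; once the real key is pasted in, the list is empty.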

To specify binary-caches.json via Nix:

services.hercules-ci-agent.enable = true;
services.hercules-ci-agent.binaryCachesFile = ./binary-caches.json;

We’re working on Cachix to be able to restrict an authToken to reading only one private cache. Subscribe to the issue to get notified when the token should be replaced.

Save binary-caches.json on the target machine and install it by running:

sudo install \
    -o hercules-ci-agent  \
    -m 0600 \
    binary-caches.json \
    /var/lib/hercules-ci-agent/secrets/binary-caches.json

And activate via:

./result/bin/darwin-installer