Deploy with nix-darwin for macOS
1. Installation
Evaluation currently requires an x86_64-linux machine to be in your build cluster!
On macOS run:
[root@mac]# sh <(curl -L https://nixos.org/nix/install) --daemon
[root@mac]# source /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh
[root@mac]# nix-build https://github.com/hercules-ci/nix-darwin/archive/hercules-ci-agent.tar.gz -A installer
[root@mac]# ./result/bin/darwin-installer
When asked to edit the darwin-configuration.nix, add:
services.nix-daemon.enable = true;
services.hercules-ci-agent.enable = true;
2. Get a cluster join token.
- In the dashboard, find the account for which you would like to deploy the agent.
- Select your deployment method, select the Generate a token tab and use the button.
- Save the token to a new file cluster-join-token.key on the target machine and run:

$ sudo install \
-o _hercules-ci-agent \
-m 0600 \
cluster-join-token.key \
/var/lib/hercules-ci-agent/secrets/cluster-join-token.key
$ rm cluster-join-token.key

Run tail -f /var/log/hercules-ci-agent.log to see what is going on with your agent.
3. Configure binary caches
Although a single agent works with an empty {} binary cache configuration,
we highly recommend setting up a cache from the start.
Running without a cache will break some features and will cause unexpectedly long build times
due to eventual garbage collection.
On Cachix you can create a binary cache. After you complete the process, gather the keys into a binary-caches.json
file, replacing all placeholders:
binary-caches.json
{ "mycache": (1)
{ "kind": "CachixCache"
, "authToken": "eyJhaf23GH53a.bc23BUSI.9q3048hWHh" (2)
, "publicKeys": ["mycache.cachix.org-1:EjBSHzF6VmDnzqlldGXbi0RM3HdjfTU3yDRi9Pd0jTY="] (3)
, "signingKeys": ["uAhqM3jG..."] (4)
}
}
(1) The name of the Cachix cache; for example the mycache part from mycache.cachix.org.
(2) Omit if you use a local signing key. Required if you use a Write token. You can retrieve one from Cachix: click a cache, then click per cache auth token. Select Write permission and generate a key. If you can only select Read permission, you have to ask a cache admin for a Write token or, if applicable, for the signing key.
(3) The public part of the signing key. Look for "Public Key" on your cache page (example page: https://mycache.cachix.org).
(4) Omit if you use a Write token. Otherwise, this is the cache-specific secret key to sign store paths. You can find it in ~/.config/cachix/cachix.dhall or your key backup after following the setup instructions on cachix.org. Make sure you copy the right key if you have multiple in your cachix.dhall.
For more detail, see The binary-caches.json format in the Reference.
Save binary-caches.json on the target machine and install it by running:
$ sudo install \
-o _hercules-ci-agent \
-m 0600 \
binary-caches.json \
/var/lib/hercules-ci-agent/secrets/binary-caches.json
And activate via:
$ sudo ./result/bin/darwin-installer
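The following check is an added example, not part of the Hercules CI documentation: it tests a binary-caches.json against the rules in callouts (2) to (4) and against the 0600 mode used by the install command. The names check_binary_caches and as_list, and the treatment of a trailing "..." as an unreplaced placeholder, are assumptions of this example.

```python
import json
import os
import stat
import sys
import tempfile

def as_list(value):
    return value if isinstance(value, list) else []

def check_binary_caches(path):
    """Return a list of problems found in a binary-caches.json file."""
    problems = []
    # The page installs the file with -m 0600: no group/other access.
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        problems.append(f"mode is {mode:04o}, expected 0600")
    try:
        with open(path, encoding="utf-8") as fh:
            caches = json.load(fh)
    except ValueError as exc:  # json.JSONDecodeError is a ValueError
        return problems + [f"not valid JSON: {exc}"]
    if not isinstance(caches, dict):
        return problems + ["top level must be an object keyed by cache name"]
    for name, cfg in caches.items():  # an empty {} passes, as the page allows
        if not isinstance(cfg, dict) or cfg.get("kind") != "CachixCache":
            problems.append(f"{name}: not a CachixCache entry, not checked")
            continue
        public, signing = as_list(cfg.get("publicKeys")), as_list(cfg.get("signingKeys"))
        token = cfg.get("authToken") or ""
        if not public:
            problems.append(f"{name}: publicKeys is missing or empty")
        # Callouts (2) and (4): a Write token or a local signing key.
        if not token and not signing:
            problems.append(f"{name}: needs authToken or signingKeys")
        # Assumption: a value ending in "..." is a placeholder left in place.
        if any(str(v).endswith("...") for v in [token, *public, *signing]):
            problems.append(f"{name}: a value still ends in '...'")
    return problems

if __name__ == "__main__":
    # Constructed sample, used when no path is given: placeholder key, mode 0644.
    sample = {"mycache": {"kind": "CachixCache", "signingKeys": ["uAhqM3jG..."],
                          "publicKeys": ["mycache.cachix.org-1:constructed="]}}
    with tempfile.NamedTemporaryFile("w", suffix=".json", delete=False) as tmp:
        json.dump(sample, tmp)
    os.chmod(tmp.name, 0o644)
    for problem in check_binary_caches(sys.argv[1] if len(sys.argv) > 1 else tmp.name):
        print("PROBLEM:", problem)
    os.unlink(tmp.name)
```

Pass the path of the file as the first argument to check a real file; reading the installed copy under /var/lib/hercules-ci-agent/secrets requires sudo because of its 0600 mode.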
4. Repository Setup
The goal of this step is to make sure everything is set up correctly.
- If you are familiar with Nix, set up your own git repository
- Otherwise verify your agent setup with a minimal git repository