switch to effect for darwin ssh deploy

dev/effect-deploy.nix

@@ -0,0 +1,56 @@
+{ self, withSystem, ... }:
+{
+  herculesCI = herculesCI: {
+    onPush.default.outputs.effects = withSystem "x86_64-linux" (
+      { hci-effects, ... }:
+      let
+        darwin01 = builtins.unsafeDiscardStringContext self.darwinConfigurations.darwin01.config.system.build.toplevel.drvPath;
+        darwin02 = builtins.unsafeDiscardStringContext self.darwinConfigurations.darwin02.config.system.build.toplevel.drvPath;
+        secretsMap.ssh-deployment = "ssh-deployment";
+        userSetupScript = "writeSSHKey ssh-deployment";
+      in
+      {
+        darwin01 = hci-effects.runIf (herculesCI.config.repo.branch == "refs/pull/1059/merge") (
+          hci-effects.mkEffect {
+            inherit secretsMap userSetupScript;
+            effectScript = ''
+              ${hci-effects.ssh
+                {
+                  destination = "[email protected]";
+                  buildOnDestination = true;
+                }
+                ''
+                  set -eux
+                  newProfile=$(nix-store --option narinfo-cache-negative-ttl 0 --realise ${darwin01})
+                  sudo -H nix-env --profile /nix/var/nix/profiles/system --set $newProfile
+                  $newProfile/sw/bin/darwin-rebuild activate
+                  set +x
+                ''
+              }
+            '';
+          }
+        );
+        darwin02 = hci-effects.runIf (herculesCI.config.repo.branch == "refs/pull/1059/merge") (
+          hci-effects.mkEffect {
+            inherit secretsMap userSetupScript;
+            effectScript = ''
+              ${hci-effects.ssh
+                {
+                  destination = "[email protected]";
+                  buildOnDestination = true;
+                }
+                ''
+                  set -eux
+                  newProfile=$(nix-store --option narinfo-cache-negative-ttl 0 --realise ${darwin02})
+                  sudo -H nix-env --profile /nix/var/nix/profiles/system --set $newProfile
+                  $newProfile/sw/bin/darwin-rebuild activate
+                  set +x
+                ''
+              }
+            '';
+          }
+        );
+      }
+    );
+  };
+}

flake.nix

@@ -60,7 +60,9 @@
       systems = import inputs.systems;
 
       imports = [
+        ./dev/effect-deploy.nix
         ./modules
+        inputs.hercules-ci-effects.flakeModule
         inputs.lite-config.flakeModule
         inputs.treefmt-nix.flakeModule
       ];

modules/darwin/common/users.nix

@@ -3,6 +3,7 @@ let
   authorizedKeys = {
     keys = [
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDPVjRBomWFJNNkZb0g5ymLmc3pdRddIScitmJ9yC+ap" # deployment
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPoUUwDIYFzuUk8pxzekyVhqdYhShAtRAG+K3AJMMdjz" # effects-deployment
     ];
     keyFiles = pkgs.lib.filesystem.listFilesRecursive "${inputs.self}/users/keys";
   };

modules/nixos/buildbot.nix

@@ -57,6 +57,14 @@ in
     };
   };
 
+  services.buildbot-nix.master.effects.perRepoSecretFiles = {
+    "github:nix-community/infra" = config.age.secrets.buildbot-effects-nix-community-infra.path;
+  };
+
+  age.secrets.buildbot-effects-nix-community-infra = {
+    file = "${inputs.self}/secrets/buildbot-effects-nix-community-infra.age";
+  };
+
   services.buildbot-master = {
     title = "Nix Community";
     titleUrl = "https://nix-community.org/";

secrets/secrets.nix

@@ -20,6 +20,9 @@ let
   web02 = knownHosts.web02.publicKey;
 
   secrets = {
+    buildbot-effects-nix-community-infra = [
+      build03
+    ];
     # fine-grained, no permissions github token, expires 2025-10-29
     # from `nix-community-buildbot` (user account, not the github app)
     community-builder-nix-access-tokens = [