Wire namespace caches and agenix secrets

2026-03-19 03:51:53 -07:00 · 2026-03-19 03:51:53 -07:00 · 028627bfcb
commit 028627bfcb
parent 5bd95b7a7c
8 changed files with 66 additions and 102 deletions
--- a/services/forgejo-nsc/README.md
+++ b/services/forgejo-nsc/README.md
@ -46,8 +46,9 @@ profile. The important knobs are:
  Namespace environment. The dispatcher destroys the instance after a job so the
  TTL acts as a hard cap, not an idle timeout.
 - `namespace.linux_cache_*` / `namespace.macos_cache_*` – persistent cache
-  volumes mounted into runners so Linux can keep `/nix` plus build caches warm
-  and macOS can reuse Rust toolchains, Xcode package caches, and derived data.
+  volumes mounted into runners so Linux can keep `/nix` plus shared build
+  caches warm and macOS can reuse Rust toolchains, Xcode package caches, and
+  lane-local derived data.

 ### Running locally

@ -159,8 +160,8 @@ generate a Namespace token from the logged-in Namespace account, and refresh
 `secrets/forgejo/{nsc-token,nsc-dispatcher-config,nsc-autoscaler-config}.age`.
 The token file is emitted as JSON with a `bearer_token` field so both the
 Compute API path and the `nsc` CLI fallback can consume the same secret
-material. Use `--write-intake` only when you explicitly need local plaintext
-debug copies.
+material. The forge host consumes the encrypted secrets through agenix; avoid
+keeping local plaintext `intake/` copies around.

 Long-lived runtime state is now sourced from age-encrypted files:

--- a/services/forgejo-nsc/config.example.yaml
+++ b/services/forgejo-nsc/config.example.yaml
@ -11,10 +11,10 @@ forgejo:
  timeout: "30s"

 namespace:
-  nsc_binary: "/app/bin/nsc"
+  nsc_binary: "nsc"
  compute_base_url: "https://ord4.compute.namespaceapis.com"
-  image: "ghcr.io/forgejo/runner:3"
-  machine_type: "8x16"
+  image: "code.forgejo.org/forgejo/runner:11"
+  machine_type: "4x8"
  macos_base_image_id: "tahoe"
  macos_machine_arch: "arm64"
  duration: "30m"
@ -31,9 +31,15 @@ namespace:
      size_gb: 40
  macos_cache_path: "/Users/runner/.cache/burrow"
  macos_cache_volumes:
-    - tag: "burrow-forgejo-macos-cache"
-      mount_point: "/Users/runner/.cache/burrow"
-      size_gb: 60
+    - tag: "burrow-forgejo-macos-shared-v1"
+      mount_point: "/Users/runner/.cache/burrow/shared"
+      size_gb: 80
+    - tag: "burrow-forgejo-macos-macos-v1"
+      mount_point: "/Users/runner/.cache/burrow/lane/macos"
+      size_gb: 80
+    - tag: "burrow-forgejo-macos-ios-simulator-v1"
+      mount_point: "/Users/runner/.cache/burrow/lane/ios-simulator"
+      size_gb: 80

 runner:
  name_prefix: "nscloud-"