Diffstat (limited to 'nixos/modules/services/continuous-integration/hercules-ci-agent/default.nix')
-rw-r--r-- | nixos/modules/services/continuous-integration/hercules-ci-agent/default.nix | 101 |
1 files changed, 101 insertions, 0 deletions
diff --git a/nixos/modules/services/continuous-integration/hercules-ci-agent/default.nix b/nixos/modules/services/continuous-integration/hercules-ci-agent/default.nix
new file mode 100644
index 00000000000..ef1933e1228
--- /dev/null
+++ b/nixos/modules/services/continuous-integration/hercules-ci-agent/default.nix
@@ -0,0 +1,101 @@
+/*
+
+ This file is for NixOS-specific options and configs.
+
+ Code that is shared with nix-darwin goes in common.nix.
+
+*/
+
+{ pkgs, config, lib, ... }:
+let
+ inherit (lib) mkIf mkDefault;
+
+ cfg = config.services.hercules-ci-agent;
+
+ command = "${cfg.package}/bin/hercules-ci-agent --config ${cfg.tomlFile}";
+ testCommand = "${command} --test-configuration";
+
+in
+{
+ imports = [
+ ./common.nix
+ (lib.mkRenamedOptionModule [ "services" "hercules-ci-agent" "user" ] [ "systemd" "services" "hercules-ci-agent" "serviceConfig" "User" ])
+ ];
+
+ config = mkIf cfg.enable {
+ systemd.services.hercules-ci-agent = {
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network-online.target" ];
+ wants = [ "network-online.target" ];
+ path = [ config.nix.package ];
+ startLimitBurst = 30 * 1000000; # practically infinite
+ serviceConfig = {
+ User = "hercules-ci-agent";
+ ExecStart = command;
+ ExecStartPre = testCommand;
+ Restart = "on-failure";
+ RestartSec = 120;
+ };
+ };
+
+ # Changes in the secrets do not affect the unit in any way that would cause
+ # a restart, which is currently necessary to reload the secrets.
+ systemd.paths.hercules-ci-agent-restart-files = {
+ wantedBy = [ "hercules-ci-agent.service" ];
+ pathConfig = {
+ Unit = "hercules-ci-agent-restarter.service";
+ PathChanged = [ cfg.settings.clusterJoinTokenPath cfg.settings.binaryCachesPath ];
+ };
+ };
+ systemd.services.hercules-ci-agent-restarter = {
+ serviceConfig.Type = "oneshot";
+ script = ''
+ # Wait a bit, with the effect of bundling up file changes into a single
+ # run of this script and hopefully a single restart.
+ sleep 10
+ if systemctl is-active --quiet hercules-ci-agent.service; then
+ if ${testCommand}; then
+ systemctl restart hercules-ci-agent.service
+ else
+ echo 1>&2 "WARNING: Not restarting agent because config is not valid at this time."
+ fi
+ else
+ echo 1>&2 "Not restarting hercules-ci-agent despite config file update, because it is not already active."
+ fi
+ '';
+ };
+
+ # Trusted user allows simplified configuration and better performance
+ # when operating in a cluster.
+ nix.settings.trusted-users = [ config.systemd.services.hercules-ci-agent.serviceConfig.User ];
+ services.hercules-ci-agent = {
+ settings = {
+ nixUserIsTrusted = true;
+ labels =
+ let
+ mkIfNotNull = x: mkIf (x != null) x;
+ in
+ {
+ nixos.configurationRevision = mkIfNotNull config.system.configurationRevision;
+ nixos.release = config.system.nixos.release;
+ nixos.label = mkIfNotNull config.system.nixos.label;
+ nixos.codeName = config.system.nixos.codeName;
+ nixos.tags = config.system.nixos.tags;
+ nixos.systemName = mkIfNotNull config.system.name;
+ };
+ };
+ };
+
+ users.users.hercules-ci-agent = {
+ home = cfg.settings.baseDirectory;
+ createHome = true;
+ group = "hercules-ci-agent";
+ description = "Hercules CI Agent system user";
+ isSystemUser = true;
+ };
+
+ users.groups.hercules-ci-agent = { };
+ };
+
+ meta.maintainers = [ lib.maintainers.roberth ];
+} |
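Review bot: The `nix.settings.trusted-users = [ config.systemd.services.hercules-ci-agent.serviceConfig.User ];` line makes the agent's service account root-equivalent in practice — the Nix manual warns that trusted users can override any daemon setting (substituters, trusted-public-keys, sandbox) and import unsigned store paths — so a compromise of the agent process, or of a build it runs should sandboxing ever be relaxed, becomes a compromise of the host. The comment above it records only the benefit; it should also record the cost, e.g. `# NOTE: a Nix trusted user is effectively root-equivalent; run this agent only on hosts dedicated to CI.`, and it would be worth gating the line on `settings.nixUserIsTrusted` so operators can opt out rather than having it forced by `enable`. Relatedly, `hercules-ci-agent-restarter` sets no `User`, so `--test-configuration` parses the config and the watched secret files as root; `systemctl restart` needs root, but the validation step could be run as the agent user (e.g. `runuser -u hercules-ci-agent -- ${testCommand}`) to keep the secret-handling code path out of a root context. Minor: `mkDefault` in the `inherit (lib)` line appears unused in this file.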