1/*
2
3 This file is for NixOS-specific options and configs.
4
5 Code that is shared with nix-darwin goes in common.nix.
6
7*/
8
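{ pkgs, config, lib, ... }:
let
  # mkDefault was previously inherited here but never used; dropped.
  inherit (lib) mkIf;

  cfg = config.services.hercules-ci-agent;

  # The service and its pre-start check run the same binary against the same
  # generated TOML file; --test-configuration only validates and exits.
  command = "${cfg.package}/bin/hercules-ci-agent --config ${cfg.tomlFile}";
  testCommand = "${command} --test-configuration";

in
{
  imports = [
    ./common.nix
    # The old services.hercules-ci-agent.user option now maps onto the unit's
    # User=. nix.trustedUsers below reads that unit option, so an overridden
    # user name is still the one that ends up trusted.
    (lib.mkRenamedOptionModule [ "services" "hercules-ci-agent" "user" ] [ "systemd" "services" "hercules-ci-agent" "serviceConfig" "User" ])
  ];

  config = mkIf cfg.enable {
    systemd.services.hercules-ci-agent = {
      wantedBy = [ "multi-user.target" ];
      after = [ "network-online.target" ];
      wants = [ "network-online.target" ];
      path = [ config.nix.package ];
      startLimitBurst = 30 * 1000000; # practically infinite
      serviceConfig = {
        # Dedicated system account (created below). It is also added to
        # nix.trustedUsers further down, so it is not an ordinary unprivileged
        # user from the Nix daemon's point of view.
        User = "hercules-ci-agent";
        ExecStart = command;
        # Validate the configuration before every start, so a broken config
        # fails the unit early instead of starting a mis-configured agent.
        # Like ExecStart, this runs under User=, i.e. with the agent's own
        # file permissions on the secret files the config references.
        ExecStartPre = testCommand;
        Restart = "on-failure";
        RestartSec = 120;
      };
    };

    # Changes in the secrets do not affect the unit in any way that would cause
    # a restart, which is currently necessary to reload the secrets.
    systemd.paths.hercules-ci-agent-restart-files = {
      wantedBy = [ "hercules-ci-agent.service" ];
      pathConfig = {
        Unit = "hercules-ci-agent-restarter.service";
        # Only these two secret files are watched; any other change is
        # handled by the ordinary NixOS activation restart of the unit.
        PathChanged = [ cfg.settings.clusterJoinTokenPath cfg.settings.binaryCachesPath ];
      };
    };
    # No User= is set on this unit because it has to call `systemctl restart`,
    # so the validation inside the script also runs with root privileges.
    # NOTE(review): a config that passes here can therefore still fail
    # ExecStartPre as the agent user (e.g. a rotated secret file that root can
    # read but hercules-ci-agent cannot); the service would then stay down in
    # its Restart loop until the file permissions are fixed — confirm whether
    # running the check as the service user is preferable.
    systemd.services.hercules-ci-agent-restarter = {
      serviceConfig.Type = "oneshot";
      script = ''
        # Wait a bit, with the effect of bundling up file changes into a single
        # run of this script and hopefully a single restart.
        sleep 10
        if systemctl is-active --quiet hercules-ci-agent.service; then
          if ${testCommand}; then
            systemctl restart hercules-ci-agent.service
          else
            echo 1>&2 "WARNING: Not restarting agent because config is not valid at this time."
          fi
        else
          echo 1>&2 "Not restarting hercules-ci-agent despite config file update, because it is not already active."
        fi
      '';
    };

    # Trusted user allows simplified configuration and better performance
    # when operating in a cluster.
    # NOTE(review): a Nix trusted user may override daemon settings such as
    # substituters and sandboxing, which is close to root-equivalent control of
    # the store. Treat compromise of the agent account as compromise of the
    # host and keep the agent on dedicated build machines.
    nix.trustedUsers = [ config.systemd.services.hercules-ci-agent.serviceConfig.User ];
    services.hercules-ci-agent = {
      settings = {
        # Declares in the agent's own settings that its user is trusted,
        # matching the nix.trustedUsers entry above; keep the two in sync.
        nixUserIsTrusted = true;
        # Labels describing this NixOS host. mkIfNotNull drops an attribute
        # whose value is null instead of emitting it as null.
        # NOTE(review): these labels are presumably reported to the Hercules
        # CI service; configurationRevision can reveal a git revision — confirm
        # that is acceptable for private configurations.
        labels =
          let
            mkIfNotNull = x: mkIf (x != null) x;
          in
          {
            nixos.configurationRevision = mkIfNotNull config.system.configurationRevision;
            nixos.release = config.system.nixos.release;
            nixos.label = mkIfNotNull config.system.nixos.label;
            nixos.codeName = config.system.nixos.codeName;
            nixos.tags = config.system.nixos.tags;
            nixos.systemName = mkIfNotNull config.system.name;
          };
      };
    };

    # The agent's home is its state directory (cfg.settings.baseDirectory).
    # Note the account name is fixed here even if serviceConfig.User is
    # overridden; only nix.trustedUsers follows the override.
    users.users.hercules-ci-agent = {
      home = cfg.settings.baseDirectory;
      createHome = true;
      group = "hercules-ci-agent";
      description = "Hercules CI Agent system user";
      isSystemUser = true;
    };

    users.groups.hercules-ci-agent = { };
  };

  meta.maintainers = [ lib.maintainers.roberth ];
}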