pyrox.dev / nixpkgs
lol
fork atom
nixpkgs / nixos / modules / services / continuous-integration / hercules-ci-agent / default.nix
at 24.11-pre 3.8 kB view raw
1/* 2 3 This file is for NixOS-specific options and configs. 4 5 Code that is shared with nix-darwin goes in common.nix. 6 7*/ 8 9{ pkgs, config, lib, ... }: 10let 11 inherit (lib) mkIf mkDefault; 12 13 cfg = config.services.hercules-ci-agent; 14 15 command = "${cfg.package}/bin/hercules-ci-agent --config ${cfg.tomlFile}"; 16 testCommand = "${command} --test-configuration"; 17 18in 19{ 20 imports = [ 21 ./common.nix 22 (lib.mkRenamedOptionModule [ "services" "hercules-ci-agent" "user" ] [ "systemd" "services" "hercules-ci-agent" "serviceConfig" "User" ]) 23 ]; 24 25 config = mkIf cfg.enable { 26 systemd.services.hercules-ci-agent = { 27 wantedBy = [ "multi-user.target" ]; 28 after = [ "network-online.target" ]; 29 wants = [ "network-online.target" ]; 30 path = [ config.nix.package ]; 31 startLimitBurst = 30 * 1000000; # practically infinite 32 serviceConfig = { 33 User = "hercules-ci-agent"; 34 ExecStart = command; 35 ExecStartPre = testCommand; 36 Restart = "on-failure"; 37 RestartSec = 120; 38 39 # If a worker goes OOM, don't kill the main process. It needs to 40 # report the failure and it's unlikely to be part of the problem. 41 OOMPolicy = "continue"; 42 43 # Work around excessive stack use by libstdc++ regex 44 # https://gcc.gnu.org/bugzilla/show_bug.cgi?id=86164 45 # A 256 MiB stack allows between 400 KiB and 1.5 MiB file to be matched by ".*". 46 LimitSTACK = 256 * 1024 * 1024; 47 }; 48 }; 49 50 # Changes in the secrets do not affect the unit in any way that would cause 51 # a restart, which is currently necessary to reload the secrets. 52 systemd.paths.hercules-ci-agent-restart-files = { 53 wantedBy = [ "hercules-ci-agent.service" ]; 54 pathConfig = { 55 Unit = "hercules-ci-agent-restarter.service"; 56 PathChanged = [ cfg.settings.clusterJoinTokenPath cfg.settings.binaryCachesPath ]; 57 }; 58 }; 59 systemd.services.hercules-ci-agent-restarter = { 60 serviceConfig.Type = "oneshot"; 61 script = '' 62 # Wait a bit, with the effect of bundling up file changes into a single 63 # run of this script and hopefully a single restart. 64 sleep 10 65 if systemctl is-active --quiet hercules-ci-agent.service; then 66 if ${testCommand}; then 67 systemctl restart hercules-ci-agent.service 68 else 69 echo 1>&2 "WARNING: Not restarting agent because config is not valid at this time." 70 fi 71 else 72 echo 1>&2 "Not restarting hercules-ci-agent despite config file update, because it is not already active." 73 fi 74 ''; 75 }; 76 77 # Trusted user allows simplified configuration and better performance 78 # when operating in a cluster. 79 nix.settings.trusted-users = [ config.systemd.services.hercules-ci-agent.serviceConfig.User ]; 80 services.hercules-ci-agent = { 81 settings = { 82 nixUserIsTrusted = true; 83 labels = 84 let 85 mkIfNotNull = x: mkIf (x != null) x; 86 in 87 { 88 nixos.configurationRevision = mkIfNotNull config.system.configurationRevision; 89 nixos.release = config.system.nixos.release; 90 nixos.label = mkIfNotNull config.system.nixos.label; 91 nixos.codeName = config.system.nixos.codeName; 92 nixos.tags = config.system.nixos.tags; 93 nixos.systemName = mkIfNotNull config.system.name; 94 }; 95 }; 96 }; 97 98 users.users.hercules-ci-agent = { 99 home = cfg.settings.baseDirectory; 100 createHome = true; 101 group = "hercules-ci-agent"; 102 description = "Hercules CI Agent system user"; 103 isSystemUser = true; 104 }; 105 106 users.groups.hercules-ci-agent = { }; 107 }; 108 109 meta.maintainers = [ lib.maintainers.roberth ]; 110}