[NixPkgs.git] / nixos / modules / services / continuous-integration / hercules-ci-agent / default.nix
| blob | ad26b5316ddefd2823d34fdb3be47d3d0362defa |
1 /*
3 This file is for NixOS-specific options and configs.
5 Code that is shared with nix-darwin goes in common.nix.
7 */
9 { pkgs, config, lib, ... }:
10 let
11 inherit (lib) mkIf mkDefault;
13 cfg = config.services.hercules-ci-agent;
15 command = "${cfg.package}/bin/hercules-ci-agent --config ${cfg.tomlFile}";
16 testCommand = "${command} --test-configuration";
18 in
19 {
20 imports = [
21 ./common.nix
22 (lib.mkRenamedOptionModule [ "services" "hercules-ci-agent" "user" ] [ "systemd" "services" "hercules-ci-agent" "serviceConfig" "User" ])
23 ];
25 config = mkIf cfg.enable {
26 systemd.services.hercules-ci-agent = {
27 wantedBy = [ "multi-user.target" ];
28 after = [ "network-online.target" ];
29 wants = [ "network-online.target" ];
30 path = [ config.nix.package ];
31 startLimitBurst = 30 * 1000000; # practically infinite
32 serviceConfig = {
33 User = "hercules-ci-agent";
34 ExecStart = command;
35 ExecStartPre = testCommand;
36 Restart = "on-failure";
37 RestartSec = 120;
39 # If a worker goes OOM, don't kill the main process. It needs to
40 # report the failure and it's unlikely to be part of the problem.
41 OOMPolicy = "continue";
43 # Work around excessive stack use by libstdc++ regex
44 # https://gcc.gnu.org/bugzilla/show_bug.cgi?id=86164
45 # A 256 MiB stack allows between 400 KiB and 1.5 MiB file to be matched by ".*".
46 LimitSTACK = 256 * 1024 * 1024;
47 };
48 };
50 # Changes in the secrets do not affect the unit in any way that would cause
51 # a restart, which is currently necessary to reload the secrets.
52 systemd.paths.hercules-ci-agent-restart-files = {
53 wantedBy = [ "hercules-ci-agent.service" ];
54 pathConfig = {
55 Unit = "hercules-ci-agent-restarter.service";
56 PathChanged = [ cfg.settings.clusterJoinTokenPath cfg.settings.binaryCachesPath ];
57 };
58 };
59 systemd.services.hercules-ci-agent-restarter = {
60 serviceConfig.Type = "oneshot";
61 script = ''
62 # Wait a bit, with the effect of bundling up file changes into a single
63 # run of this script and hopefully a single restart.
64 sleep 10
65 if systemctl is-active --quiet hercules-ci-agent.service; then
66 if ${testCommand}; then
67 systemctl restart hercules-ci-agent.service
68 else
69 echo 1>&2 "WARNING: Not restarting agent because config is not valid at this time."
70 fi
71 else
72 echo 1>&2 "Not restarting hercules-ci-agent despite config file update, because it is not already active."
73 fi
74 '';
75 };
77 # Trusted user allows simplified configuration and better performance
78 # when operating in a cluster.
79 nix.settings.trusted-users = [ config.systemd.services.hercules-ci-agent.serviceConfig.User ];
80 services.hercules-ci-agent = {
81 settings = {
82 nixUserIsTrusted = true;
83 labels =
84 let
85 mkIfNotNull = x: mkIf (x != null) x;
86 in
87 {
88 nixos.configurationRevision = mkIfNotNull config.system.configurationRevision;
89 nixos.release = config.system.nixos.release;
90 nixos.label = mkIfNotNull config.system.nixos.label;
91 nixos.codeName = config.system.nixos.codeName;
92 nixos.tags = config.system.nixos.tags;
93 nixos.systemName = mkIfNotNull config.system.name;
94 };
95 };
96 };
98 users.users.hercules-ci-agent = {
99 home = cfg.settings.baseDirectory;
100 createHome = true;
101 group = "hercules-ci-agent";
102 description = "Hercules CI Agent system user";
103 isSystemUser = true;
104 };
106 users.groups.hercules-ci-agent = { };
107 };
109 meta.maintainers = [ lib.maintainers.roberth ];
110 }