111 lines
3.7 KiB
Nix
111 lines
3.7 KiB
Nix
/*
|
|
|
|
This file is for NixOS-specific options and configs.
|
|
|
|
Code that is shared with nix-darwin goes in common.nix.
|
|
|
|
*/
|
|
|
|
{ pkgs, config, lib, ... }:
|
|
let
|
|
inherit (lib) mkIf mkDefault;
|
|
|
|
cfg = config.services.hercules-ci-agent;
|
|
|
|
command = "${cfg.package}/bin/hercules-ci-agent --config ${cfg.tomlFile}";
|
|
testCommand = "${command} --test-configuration";
|
|
|
|
in
|
|
{
|
|
imports = [
|
|
./common.nix
|
|
(lib.mkRenamedOptionModule [ "services" "hercules-ci-agent" "user" ] [ "systemd" "services" "hercules-ci-agent" "serviceConfig" "User" ])
|
|
];
|
|
|
|
config = mkIf cfg.enable {
|
|
systemd.services.hercules-ci-agent = {
|
|
wantedBy = [ "multi-user.target" ];
|
|
after = [ "network-online.target" ];
|
|
wants = [ "network-online.target" ];
|
|
path = [ config.nix.package ];
|
|
startLimitBurst = 30 * 1000000; # practically infinite
|
|
serviceConfig = {
|
|
User = "hercules-ci-agent";
|
|
ExecStart = command;
|
|
ExecStartPre = testCommand;
|
|
Restart = "on-failure";
|
|
RestartSec = 120;
|
|
|
|
# If a worker goes OOM, don't kill the main process. It needs to
|
|
# report the failure and it's unlikely to be part of the problem.
|
|
OOMPolicy = "continue";
|
|
|
|
# Work around excessive stack use by libstdc++ regex
|
|
# https://gcc.gnu.org/bugzilla/show_bug.cgi?id=86164
|
|
# A 256 MiB stack allows between 400 KiB and 1.5 MiB file to be matched by ".*".
|
|
LimitSTACK = 256 * 1024 * 1024;
|
|
};
|
|
};
|
|
|
|
# Changes in the secrets do not affect the unit in any way that would cause
|
|
# a restart, which is currently necessary to reload the secrets.
|
|
systemd.paths.hercules-ci-agent-restart-files = {
|
|
wantedBy = [ "hercules-ci-agent.service" ];
|
|
pathConfig = {
|
|
Unit = "hercules-ci-agent-restarter.service";
|
|
PathChanged = [ cfg.settings.clusterJoinTokenPath cfg.settings.binaryCachesPath ];
|
|
};
|
|
};
|
|
systemd.services.hercules-ci-agent-restarter = {
|
|
serviceConfig.Type = "oneshot";
|
|
script = ''
|
|
# Wait a bit, with the effect of bundling up file changes into a single
|
|
# run of this script and hopefully a single restart.
|
|
sleep 10
|
|
if systemctl is-active --quiet hercules-ci-agent.service; then
|
|
if ${testCommand}; then
|
|
systemctl restart hercules-ci-agent.service
|
|
else
|
|
echo 1>&2 "WARNING: Not restarting agent because config is not valid at this time."
|
|
fi
|
|
else
|
|
echo 1>&2 "Not restarting hercules-ci-agent despite config file update, because it is not already active."
|
|
fi
|
|
'';
|
|
};
|
|
|
|
# Trusted user allows simplified configuration and better performance
|
|
# when operating in a cluster.
|
|
nix.settings.trusted-users = [ config.systemd.services.hercules-ci-agent.serviceConfig.User ];
|
|
services.hercules-ci-agent = {
|
|
settings = {
|
|
nixUserIsTrusted = true;
|
|
labels =
|
|
let
|
|
mkIfNotNull = x: mkIf (x != null) x;
|
|
in
|
|
{
|
|
nixos.configurationRevision = mkIfNotNull config.system.configurationRevision;
|
|
nixos.release = config.system.nixos.release;
|
|
nixos.label = mkIfNotNull config.system.nixos.label;
|
|
nixos.codeName = config.system.nixos.codeName;
|
|
nixos.tags = config.system.nixos.tags;
|
|
nixos.systemName = mkIfNotNull config.system.name;
|
|
};
|
|
};
|
|
};
|
|
|
|
users.users.hercules-ci-agent = {
|
|
home = cfg.settings.baseDirectory;
|
|
createHome = true;
|
|
group = "hercules-ci-agent";
|
|
description = "Hercules CI Agent system user";
|
|
isSystemUser = true;
|
|
};
|
|
|
|
users.groups.hercules-ci-agent = { };
|
|
};
|
|
|
|
meta.maintainers = [ lib.maintainers.roberth ];
|
|
}
|