authorRobert Hensing <robert@roberthensing.nl>2021-02-10 09:57:14 +0100
committerRobert Hensing <robert@roberthensing.nl>2022-12-22 20:18:53 +0100
commit3cb5cfa5f988b6cdc446845c135c50c9cca2388f (patch)
tree3265e0969e7cbcae57f38c682bc20b2de9221ec8 /modules/services/hercules-ci-agent/default.nix
parent617604488e0b45ce7d156962828f1c69d973930d (diff)
hercules-ci-agent: init
Source files originate from the hercules-ci-agent repository, and I will keep them in sync bidirectionally. The module is split into two files to make maintenance of the parts shared with NixOS easier.
Diffstat (limited to 'modules/services/hercules-ci-agent/default.nix')
-rw-r--r--modules/services/hercules-ci-agent/default.nix81
1 files changed, 81 insertions, 0 deletions
diff --git a/modules/services/hercules-ci-agent/default.nix b/modules/services/hercules-ci-agent/default.nix
new file mode 100644
index 0000000..d9fbf37
--- /dev/null
+++ b/modules/services/hercules-ci-agent/default.nix
@@ -0,0 +1,81 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+ cfg = config.services.hercules-ci-agent;
+ user = config.users.users._hercules-ci-agent;
+in
+{
+ imports = [ ./common.nix ];
+
+ meta.maintainers = [
+ lib.maintainers.roberth or "roberth"
+ ];
+
+ options.services.hercules-ci-agent = {
+
+ logFile = mkOption {
+ type = types.path;
+ default = "/var/log/hercules-ci-agent.log";
+ description = "Stdout and sterr of hercules-ci-agent process.";
+ };
+ };
+
+ config = mkIf cfg.enable {
+ launchd.daemons.hercules-ci-agent = {
+ script = "exec ${cfg.package}/bin/hercules-ci-agent --config ${cfg.tomlFile}";
+
+ path = [ config.nix.package ];
+ environment = {
+ NIX_SSL_CERT_FILE = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
+ };
+
+ serviceConfig.KeepAlive = true;
+ serviceConfig.RunAtLoad = true;
+ serviceConfig.StandardErrorPath = cfg.logFile;
+ serviceConfig.StandardOutPath = cfg.logFile;
+ serviceConfig.GroupName = "_hercules-ci-agent";
+ serviceConfig.UserName = "_hercules-ci-agent";
+ serviceConfig.WorkingDirectory = user.home;
+ serviceConfig.WatchPaths = [
+ cfg.settings.staticSecretsDirectory
+ ];
+ };
+
+ system.activationScripts.preActivation.text = ''
+ touch '${cfg.logFile}'
+ chown ${toString user.uid}:${toString user.gid} '${cfg.logFile}'
+ '';
+
+ # Trusted user allows simplified configuration and better performance
+ # when operating in a cluster.
+ nix.settings.trusted-users = [ "_hercules-ci-agent" ];
+ services.hercules-ci-agent.settings.nixUserIsTrusted = true;
+
+ users.knownGroups = [ "hercules-ci-agent" "_hercules-ci-agent" ];
+ users.knownUsers = [ "hercules-ci-agent" "_hercules-ci-agent" ];
+
+ users.users._hercules-ci-agent = {
+ uid = mkDefault 399;
+ gid = mkDefault config.users.groups._hercules-ci-agent.gid;
+ home = mkDefault cfg.settings.baseDirectory;
+ name = "_hercules-ci-agent";
+ createHome = true;
+ shell = "/bin/bash";
+ description = "System user for the Hercules CI Agent";
+ };
+ users.groups._hercules-ci-agent = {
+ gid = mkDefault 32001;
+ name = "_hercules-ci-agent";
+ description = "System group for the Hercules CI Agent";
+ };
+
+ services.hercules-ci-agent.settings.labels = {
+ darwin.label = config.system.darwinLabel;
+ darwin.revision = config.system.darwinRevision;
+ darwin.version = config.system.darwinVersion;
+ darwin.nix.daemon = config.nix.useDaemon;
+ darwin.nix.sandbox = config.nix.settings.sandbox;
+ };
+ };
+}
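Review bot: The `touch`/`chown` pair in `system.activationScripts.preActivation.text` never sets a mode, so the permissions of `cfg.logFile` are whatever the activation shell's umask leaves on a newly created file, and the agent's stdout/stderr log is then readable by any local user on a typical umask; adding `chmod 0640 '${cfg.logFile}'` after the `chown` line pins it to the agent user and group. The `logFile` option description has a typo, `sterr` should read `stderr`. `users.knownUsers` and `users.knownGroups` list both `hercules-ci-agent` and `_hercules-ci-agent` without explanation; if the unprefixed names are there so nix-darwin can clean up accounts from an earlier naming scheme, a comment such as `# unprefixed names kept so previously created accounts are managed/removed` would save the next reader from guessing.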