{ lib, pkgs, config, ... }:
let
  # Secrets are provisioned out of the Nix store (agenix); only their on-disk
  # paths are referenced from this module.
  awsCredsSecret = config.age.secrets."hercules/aws-credentials.ini".path;
  gcSecret = config.age.secrets."nix-cache-gc.ini".path;
  agentUser = "hercules-ci-agent";
in
{
  config = {
    system.activationScripts.herculesAWSCredsRoot.text = ''
      mkdir -p /root/.aws
      ln -sf "${awsCredsSecret}" /root/.aws/credentials
    '';

    systemd = {
      services = {
        # TODO: get working again
        hercules-ci-agent.enable = false;

        # Places the agent's AWS credentials under its base directory before
        # the agent unit starts; runs as the agent user, not root.
        hercules-ci-agent-pre =
          let
            agentUnit = [ "hercules-ci-agent.service" ];
            awsCredsPath = "${config.services.hercules-ci-agent.settings.baseDirectory}/.aws/credentials";
          in
          {
            before = agentUnit;
            requiredBy = agentUnit;
            serviceConfig = {
              Type = "oneshot";
              User = agentUser;
            };
            script = ''
              mkdir -p "$(dirname "${awsCredsPath}")"
              ln -sf "${awsCredsSecret}" "${awsCredsPath}"
            '';
          };

        nix-cache-gc =
          let
            # Store-visible part of the GC configuration. It carries thresholds,
            # endpoint, bucket and the access key id only; no secret key is
            # written here (presumably the age-managed file supplies it — confirm).
            staticConfig = pkgs.writeText "nix-cache-gc.ini" ''
              [gc]
              threshold = 256000
              stop = 204800

              [s3]
              endpoint = s3.nul.ie
              bucket = nix-cache
              access_key = nix-gc
            '';
          in
          {
            description = "Nix cache garbage collection";
            path = [ (pkgs.python310.withPackages (ps: [ ps.minio ])) ];
            serviceConfig = {
              Type = "oneshot";
              # Both config files are passed; the secret one comes last.
              ExecStart = [ "${./nix_cache_gc.py} -c ${staticConfig} -c ${gcSecret}" ];
            };
          };
      };

      timers.nix-cache-gc = {
        description = "Nix cache garbage collection timer";
        wantedBy = [ "timers.target" ];
        timerConfig.OnCalendar = "hourly";
      };
    };

    services.hercules-ci-agent = {
      enable = true;
      settings = {
        concurrentTasks = 20;
        clusterJoinTokenPath = config.age.secrets."hercules/cluster-join-token.key".path;
        binaryCachesPath = config.age.secrets."hercules/binary-caches.json".path;
      };
    };

    my.secrets.files =
      let
        # Agent-consumed secrets are owned by the agent user/group; the GC
        # secret keeps the default ownership.
        agentOwned = { owner = agentUser; group = agentUser; };
      in
      lib.genAttrs [
        "hercules/cluster-join-token.key"
        "hercules/binary-caches.json"
        "hercules/aws-credentials.ini"
      ] (_: agentOwned)
      // { "nix-cache-gc.ini" = { }; };
  };
}