nixfiles/nixos/boxes/colony/vms/shill/hercules.nix


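# NixOS module for the Hercules CI agent on this VM.
#
# Three concerns live here:
#   1. Expose the AWS credentials secret to root via /root/.aws/credentials
#      (system activation script).
#   2. Expose the same secret to the `hercules-ci-agent` user inside the agent's
#      base directory, via a oneshot unit ordered before the agent service.
#   3. Enable the agent itself and declare the age-encrypted secrets it needs,
#      owned by the agent user/group so the service can read them without root.
#
# Both credential exposures are symlinks into the decrypted secret path, so the
# plaintext only ever lives where the secrets module puts it; the symlinks just
# let the AWS SDK's default credential lookup find it. Creating the `.aws`
# directories with mode 0700 keeps the directory itself private regardless of
# the umask in effect when the script runs (`mkdir -p` leaves an existing
# directory's mode untouched, so this is idempotent across activations).
{ lib, pkgs, config, ... }:
let
  awsSecretPath = config.age.secrets."hercules/aws-credentials.ini".path;
  agentUser = "hercules-ci-agent";
  agentBaseDir = config.services.hercules-ci-agent.settings.baseDirectory;
in
{
  config = {
    system = {
      # Runs as root on every activation. Symlink, don't copy, so rotating the
      # secret does not leave a stale plaintext copy under /root.
      activationScripts.herculesAWSCredsRoot.text = ''
        mkdir -p -m 0700 /root/.aws
        ln -sf "${awsSecretPath}" /root/.aws/credentials
      '';
    };

    systemd = {
      services = {
        # Oneshot that prepares the agent user's ~/.aws before the agent starts.
        # Runs as the agent user so the created directory and link are owned by
        # it rather than by root.
        hercules-ci-agent-pre =
          let
            deps = [ "hercules-ci-agent.service" ];
            awsCredsPath = "${agentBaseDir}/.aws/credentials";
          in
          {
            before = deps;
            requiredBy = deps;
            serviceConfig = {
              Type = "oneshot";
              User = agentUser;
            };
            script = ''
              mkdir -p -m 0700 "$(dirname "${awsCredsPath}")"
              ln -sf "${awsSecretPath}" "${awsCredsPath}"
            '';
          };
      };
    };

    services = {
      hercules-ci-agent = {
        enable = true;
        settings = {
          concurrentTasks = 20;
          # Both paths resolve to the decrypted age secrets declared below;
          # the agent reads them at runtime as the agent user.
          clusterJoinTokenPath = config.age.secrets."hercules/cluster-join-token.key".path;
          binaryCachesPath = config.age.secrets."hercules/binary-caches.json".path;
        };
      };
    };

    # Secret declarations for the site-local secrets module. Ownership is set to
    # the agent user/group so the decrypted files are readable by the service
    # without it running as root. NOTE(review): the file mode is whatever that
    # module defaults to — confirm it is owner-only (e.g. 0400) so other local
    # users cannot read the join token or AWS keys.
    my = {
      secrets = {
        files =
          let
            ownedByAgent = {
              owner = agentUser;
              group = agentUser;
            };
          in
          {
            "hercules/cluster-join-token.key" = ownedByAgent;
            "hercules/binary-caches.json" = ownedByAgent;
            "hercules/aws-credentials.ini" = ownedByAgent;
          };
      };
    };
  };
}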