authorseth <[email protected]>2024-02-11 03:12:54 -0500
committerseth <[email protected]>2024-02-11 03:15:48 -0500
commitdadd33514c1fdc8ba4890e9334ab0fb89c31d02a (patch)
tree20d8f9a31933ee143c5d6d1fefa92f3a5f6d402d /modules/nixos/server/mixins/hercules.nix
parent055b48c798039558e2ffde83b589ef6856917bbf (diff)
nixos/server: init (again)
Diffstat (limited to 'modules/nixos/server/mixins/hercules.nix')
-rw-r--r--modules/nixos/server/mixins/hercules.nix53
1 files changed, 53 insertions, 0 deletions
diff --git a/modules/nixos/server/mixins/hercules.nix b/modules/nixos/server/mixins/hercules.nix
new file mode 100644
index 0000000..103f58e
--- /dev/null
+++ b/modules/nixos/server/mixins/hercules.nix
@@ -0,0 +1,53 @@
+{
+ config,
+ lib,
+ unstable,
+ secretsDir,
+ ...
+}: let
+ cfg = config.server.mixins.hercules-ci;
+in {
+ options.server.mixins.hercules-ci = {
+ enable = lib.mkEnableOption "hercules-ci mixin";
+ manageSecrets =
+ lib.mkEnableOption "automatic secrets management"
+ // {
+ default = config.traits.secrets.enable;
+ };
+ };
+
+ config = lib.mkIf cfg.enable (
+ lib.mkMerge [
+ {
+ services.hercules-ci-agent = {
+ enable = true;
+ package = unstable.hercules-ci-agent;
+ };
+ }
+
+ (let
+ secretNames = [
+ "binaryCaches"
+ "clusterJoinToken"
+ "secretsJson"
+ ];
+ in
+ lib.mkIf cfg.manageSecrets {
+ age.secrets = lib.genAttrs secretNames (
+ file: {
+ file = "${secretsDir}/${file}.age";
+ mode = "400";
+ owner = "hercules-ci-agent";
+ group = "hercules-ci-agent";
+ }
+ );
+
+ services.hercules-ci-agent = {
+ settings = lib.mapAttrs' (name: lib.nameValuePair (name + "Path")) (
+ lib.genAttrs secretNames (name: config.age.secrets.${name}.path)
+ );
+ };
+ })
+ ]
+ );
+}
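Review bot: When `manageSecrets` is false the first `mkMerge` entry still enables the agent, but nothing in the module says where the cluster join token, binary-cache and secrets JSON files must then come from, or that they need the same `400` mode and `hercules-ci-agent` ownership the agenix branch sets. A short comment above the option would cover it, for example `# when disabled, provision the agent's secret files out of band, readable only by hercules-ci-agent`. Because the default is read from `config.traits.secrets.enable`, the option would also benefit from `defaultText = lib.literalExpression "config.traits.secrets.enable";` so that generated option documentation does not have to evaluate `config`. In the first `genAttrs` callback the argument `file` is really the secret name and is shadowed by the `file` attribute it builds; calling it `name`, as the second `genAttrs` call does, would read more clearly.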