Merge pull request #78045 from flokli/buildkite-agent-user-runtime-test

nixos/buildkite: add option to configure user, add nix-required packages to runtime, add test
2025-07-13 13:40:28 +03:00 · 2020-01-20 13:50:10 +00:00 · 2020-01-20 13:50:10 +00:00 · e20de6b57a
commit e20de6b57a
parent da9c031024 4b73d3c444
3 changed files with 52 additions and 16 deletions
--- a/nixos/modules/services/continuous-integration/buildkite-agent.nix
+++ b/nixos/modules/services/continuous-integration/buildkite-agent.nix
@ -29,6 +29,8 @@ let
    ${concatStringsSep "\n" (mapAttrsToList mkHookEntry (filterAttrs (n: v: v != null) cfg.hooks))}
  '';

+  defaultUser = "buildkite-agent";
+
 in

 {
@ -50,12 +52,21 @@ in
      };

      runtimePackages = mkOption {
-        default = [ pkgs.bash pkgs.nix ];
-        defaultText = "[ pkgs.bash pkgs.nix ]";
+        default = [ pkgs.bash pkgs.gnutar pkgs.gzip pkgs.git pkgs.nix ];
+        defaultText = "[ pkgs.bash pkgs.gnutar pkgs.gzip pkgs.git pkgs.nix ]";
        description = "Add programs to the buildkite-agent environment";
        type = types.listOf types.package;
      };

+      user = mkOption {
+        type = types.str;
+        default = defaultUser;
+        description = ''
+          Set this option when you want to run the buildkite agent as something else
+          than the default user "buildkite-agent".
+        '';
+      };
+
      tokenPath = mkOption {
        type = types.path;
        description = ''
@ -93,7 +104,8 @@ in
      };

      privateSshKeyPath = mkOption {
-        type = types.path;
+        type = types.nullOr types.path;
+        default = null;
        ## maximum care is taken so that secrets (ssh keys and the CI token)
        ## don't end up in the Nix store.
        apply = final: if final == null then null else toString final;
@ -185,14 +197,14 @@ in
  };

  config = mkIf config.services.buildkite-agent.enable {
-    users.users.buildkite-agent =
-      { name = "buildkite-agent";
-        home = cfg.dataDir;
-        createHome = true;
-        description = "Buildkite agent user";
-        extraGroups = [ "keys" ];
-        isSystemUser = true;
-      };
+    users.users.buildkite-agent = mkIf (cfg.user == defaultUser) {
+      name = "buildkite-agent";
+      home = cfg.dataDir;
+      createHome = true;
+      description = "Buildkite agent user";
+      extraGroups = [ "keys" ];
+      isSystemUser = true;
+    };

    environment.systemPackages = [ cfg.package ];

@ -212,11 +224,11 @@ in
          sshDir = "${cfg.dataDir}/.ssh";
          tagStr = lib.concatStringsSep "," (lib.mapAttrsToList (name: value: "${name}=${value}") cfg.tags);
        in
-          ''
+          optionalString (cfg.privateSshKeyPath != null) ''
            mkdir -m 0700 -p "${sshDir}"
-            cp -f "${toString cfg.openssh.privateKeyPath}" "${sshDir}/id_rsa"
-            chmod 600 "${sshDir}"/id_rsa*
-
+            cp -f "${toString cfg.privateSshKeyPath}" "${sshDir}/id_rsa"
+            chmod 600 "${sshDir}"/id_rsa
+          '' + ''
            cat > "${cfg.dataDir}/buildkite-agent.cfg" <<EOF
            token="$(cat ${toString cfg.tokenPath})"
            name="${cfg.name}"
@ -230,7 +242,7 @@ in

        serviceConfig =
          { ExecStart = "${cfg.package}/bin/buildkite-agent start --config /var/lib/buildkite-agent/buildkite-agent.cfg";
-            User = "buildkite-agent";
+            User = cfg.user;
            RestartSec = 5;
            Restart = "on-failure";
            TimeoutSec = 10;