feat(buildkite): configure the buildkite agent

Change-Id: Icee60f2372e17f6477a91e7f562c04507788c713
Reviewed-on: https://cl.fcuny.net/c/world/+/168
Reviewed-by: Franck Cuny <franck@fcuny.net>

2 files changed, 47 insertions, 0 deletions

diff --git a/modules/services/buildkite/default.nix b/modules/services/buildkite/default.nix
new file mode 100644
index 0000000..a1bd021
--- /dev/null
+++ b/modules/services/buildkite/default.nix
@@ -0,0 +1,46 @@
+{ config, pkgs, lib, ... }:
+let
+  cfg = config.my.services.buildkite;
+  agents = lib.range 1 5;
+  secrets = config.age.secrets;
+in {
+  options.my.services.buildkite = with lib; {
+    enable = mkEnableOption "buildkite agent";
+  };
+
+  config = lib.mkIf cfg.enable {
+    # see https://buildkite.com/docs/agent/v3
+    # and https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/continuous-integration/buildkite-agents.nix
+    services.buildkite-agents = lib.listToAttrs (map (n: rec {
+      name = "builder-${toString n}";
+      value = {
+        inherit name;
+        enable = true;
+        tokenPath = secrets."buildkite/agent".path;
+        runtimePackages = with pkgs; [
+          bash
+          coreutils
+          curl
+          git
+          gnutar
+          gzip
+          jq
+          nix
+        ];
+      };
+    }) agents);
+
+    # Set up a group for all Buildkite agent users
+    users = {
+      groups.buildkite-agents = { };
+      users = builtins.listToAttrs (map (n: rec {
+        name = "buildkite-agent-builder-${toString n}";
+        value = {
+          isSystemUser = true;
+          group = lib.mkForce "buildkite-agents";
+          extraGroups = [ name "docker" ];
+        };
+      }) agents);
+    };
+  };
+}
diff --git a/modules/services/default.nix b/modules/services/default.nix
index 2c3ee63..73e2e6d 100644
--- a/modules/services/default.nix
+++ b/modules/services/default.nix
@@ -4,6 +4,7 @@
   imports = [
     ./avahi
     ./backup
+    ./buildkite
     ./cgit
     ./drone
     ./fwupd