Options
services.nix-ci.production.worker.enable
Enable the NixCI Workers
Type:
boolean
Default:
true
Example:
false
services.nix-ci.production.worker.innerSystems
The evaluated guest nixosSystem for each worker, keyed by worker name. Exposed so callers and tests can assert on the inner module state (e.g. the coordinator unit's serviceConfig/unitConfig) without having to inspect the guest at runtime.
Type:
attribute set of unspecified value
Default:
{ }
Read only
services.nix-ci.production.worker.recommendedOSSettings
Enable recommended OS settings.
Type:
boolean
Default:
true
Example:
false
services.nix-ci.production.worker.workers
This option has no description.
Type:
attribute set of (submodule)
Default:
{ }
services.nix-ci.production.worker.workers.<name>.auto-wipe
Remove the VM state on every boot, for truly ephemeral workers.
Type:
boolean
Default:
true
services.nix-ci.production.worker.workers.<name>.cache-subdir
Cache directory of the worker VM (where the VM state is stored).
Type:
null or string
Default:
"nix-ci-production-worker/‹name›"
services.nix-ci.production.worker.workers.<name>.config
Coordinator config (forwarded to the guest's worker-unsafe module).
Type:
submodule
Default:
{ }
services.nix-ci.production.worker.workers.<name>.config.allowed
Allowed work
Type:
null or (submodule) or list of (submodule)
Default:
null
services.nix-ci.production.worker.workers.<name>.config.cachix-executable
Path to the cachix executable
Type:
null or string
Default:
null
services.nix-ci.production.worker.workers.<name>.config.git-executable
Path to the git executable
Type:
null or string
Default:
null
services.nix-ci.production.worker.workers.<name>.config.leader
Leader API
Type:
null or string
Default:
null
services.nix-ci.production.worker.workers.<name>.config.leader-web-url
Leader web URL, used for documentation links in log output
Type:
null or string
Default:
null
services.nix-ci.production.worker.workers.<name>.config.log-level
Minimal severity of log messages
Type:
null or one of "Debug", "Info", "Warn", "Error"
Default:
null
services.nix-ci.production.worker.workers.<name>.config.name
Worker name for registering with the leader
Type:
null or string
Default:
null
services.nix-ci.production.worker.workers.<name>.config.nix-daemon-shared-dir
Subdirectory of the runtime directory for files shared with the nix daemon
Type:
null or string
Default:
null
services.nix-ci.production.worker.workers.<name>.config.nix-executable
Path to the nix executable
Type:
null or string
Default:
null
services.nix-ci.production.worker.workers.<name>.config.private-key
Worker private key for authenticating with the leader
Type:
null or string
Default:
null
services.nix-ci.production.worker.workers.<name>.config.private-key-file
Path to a file containing the worker private key for authenticating with the leader
Type:
null or string
Default:
null
services.nix-ci.production.worker.workers.<name>.config.runner-unit-template
Name of the runner template unit (without the @N.service suffix).
Type:
null or string
Default:
null
services.nix-ci.production.worker.workers.<name>.config.shared-nix-cache
Nix cache directory (NIX_CACHE_HOME)
Type:
null or string
Default:
null
services.nix-ci.production.worker.workers.<name>.config.slots-base
Base directory for per-slot job.json files.
Type:
null or string
Default:
null
services.nix-ci.production.worker.workers.<name>.config.ssh-executable
Path to the ssh executable
Type:
null or string
Default:
null
services.nix-ci.production.worker.workers.<name>.config.timeout
Maximum timeout for jobs
Type:
null or string or signed integer
Default:
null
services.nix-ci.production.worker.workers.<name>.config.timeout-executable
Path to the timeout executable
Type:
null or string
Default:
null
services.nix-ci.production.worker.workers.<name>.config.track-history
Whether to track per-VM history and act on JobOfferRebootRequired.
Type:
null or boolean
Default:
null
services.nix-ci.production.worker.workers.<name>.config.worker-count
How many runner slots this coordinator manages.
Type:
null or 32 bit unsigned integer; between 0 and 4294967295 (both inclusive)
Default:
null
services.nix-ci.production.worker.workers.<name>.debug
This option has no description.
Type:
null or (submodule)
Default:
null
services.nix-ci.production.worker.workers.<name>.debug.authorizedKeysFiles
SSH public key files with which the host can ssh into the VM
Type:
list of string
Default:
[ ]
services.nix-ci.production.worker.workers.<name>.debug.enable
Whether to enable NixCI Worker debug options.
Type:
boolean
Default:
false
Example:
true
services.nix-ci.production.worker.workers.<name>.debug.port
Port to ssh into the VM
Type:
16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default:
2222
services.nix-ci.production.worker.workers.<name>.debug.rootPassword
Root password for debugging
Type:
string
Default:
"root"
services.nix-ci.production.worker.workers.<name>.enable
Enable the worker VM: ‹name›
Type:
boolean
Default:
true
services.nix-ci.production.worker.workers.<name>.extraConfig
Extra coordinator config overrides (forwarded).
Type:
unspecified value
Default:
{ }
services.nix-ci.production.worker.workers.<name>.extraCoordinatorServiceConfig
Extra ServiceConfig fields for the coordinator unit inside the guest VM. Use this to add LoadCredential for the worker private key: the guest receives the host's $CREDENTIALS_DIRECTORY mounted via 9p as root:root 0440, which the DynamicUser coordinator cannot read directly. systemd LoadCredential re-reads it as root and exposes a unit-owned copy at the coordinator's own $CREDENTIALS_DIRECTORY. Example:
extraCoordinatorServiceConfig = { LoadCredential = [ "worker-private-key:/secrets/worker-private-key" ]; };
config.private-key-file = "/run/credentials/nix-ci-production-coordinator.service/worker-private-key";
(where /secrets is the 9p mount target inside the guest, e.g. via virtualisation.sharedDirectories.)
Type:
unspecified value
Default:
{ }
services.nix-ci.production.worker.workers.<name>.extraRestartTriggers
Extra restart triggers for the coordinator unit inside the VM. Use this to force a restart when something the unit text does not otherwise depend on changes (e.g. the ciphertext of an age secret).
Type:
list of string
Default:
[ ]
services.nix-ci.production.worker.workers.<name>.extraRunnerServiceConfig
Extra runner template service config (forwarded).
Type:
unspecified value
Default:
{ }
services.nix-ci.production.worker.workers.<name>.extraServiceConfig
Extra options in the worker VM's outer ServiceConfig (the systemd unit on the host that runs QEMU). Use this to put LoadCredential entries for any age-decrypted secrets that should be visible to the guest. The host service's $CREDENTIALS_DIRECTORY is what virtualisation.sharedDirectories.secrets typically points at, so any key loaded here appears in the guest under that mount target. The inner coordinator unit must then re-load the same credential as itself (see extraCoordinatorServiceConfig).
Type:
unspecified value
Default:
{ }
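As an added example (not part of the module's own documentation), this is the two-hop credential wiring that extraServiceConfig and extraCoordinatorServiceConfig describe, for a single worker. The worker name, the host-side decrypted secret path and the .age file path are placeholders, and it assumes the module already exposes the host unit's $CREDENTIALS_DIRECTORY at /secrets inside the guest via virtualisation.sharedDirectories.secrets.

```nix
# Added example, not from the nix-ci module. Placeholders: worker "builder-1",
# host secret at /run/agenix/worker-private-key, ciphertext at ./secrets/*.age.
# Assumes the host unit's $CREDENTIALS_DIRECTORY is mounted at /secrets in the guest.
{ ... }:
{
  services.nix-ci.production.worker.workers."builder-1" = {
    # Hop 1 (host): the QEMU unit loads the decrypted secret as a systemd
    # credential, so it lands in the host service's $CREDENTIALS_DIRECTORY and
    # is visible in the guest under /secrets as root:root 0440.
    extraServiceConfig.LoadCredential = [
      "worker-private-key:/run/agenix/worker-private-key"
    ];

    # Hop 2 (guest): the DynamicUser coordinator cannot read the 9p mount, so
    # its own LoadCredential re-reads the file as root and hands the unit a
    # private copy under its own $CREDENTIALS_DIRECTORY.
    extraCoordinatorServiceConfig.LoadCredential = [
      "worker-private-key:/secrets/worker-private-key"
    ];
    config.private-key-file =
      "/run/credentials/nix-ci-production-coordinator.service/worker-private-key";

    # Rotating the key changes neither unit text, so tie a restart of the
    # coordinator to the ciphertext hash instead.
    extraRestartTriggers = [
      (builtins.hashFile "sha256" ./secrets/worker-private-key.age)
    ];
  };
}
```

The key is never written into the Nix store: only the credential names and paths appear in the generated units, and each hop is a unit-private copy that systemd cleans up with the unit.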
services.nix-ci.production.worker.workers.<name>.gateway
The gateway to allow access to.
Type:
null or string
Default:
null
Example:
"10.0.0.0"
services.nix-ci.production.worker.workers.<name>.guest-imports
This option has no description.
Type:
unspecified value
Default:
[ ]
services.nix-ci.production.worker.workers.<name>.hostName
Hostname for the guest VM
Type:
null or string
Default:
null
services.nix-ci.production.worker.workers.<name>.local-network
The local network to deny access to.
Type:
null or string
Default:
null
Example:
"10.0.0.0/8"
services.nix-ci.production.worker.workers.<name>.virtualisation
This option has no description.
Type:
unspecified value
services.nix-ci.production.worker.workers.<name>.worker-count
How many runner slots the coordinator inside this VM manages.
Type:
positive integer, meaning >0
Default:
1