Options
services.nix-ci.production.worker-unsafe.config
Coordinator config (merged into nix-ci-coordinator-config.yaml).
Type:
submodule
Default:
{ }
services.nix-ci.production.worker-unsafe.config.allowed
Allowed work
Type:
null or (submodule) or list of (submodule)
Default:
null
services.nix-ci.production.worker-unsafe.config.cachix-executable
Path to the cachix executable
Type:
null or string
Default:
null
services.nix-ci.production.worker-unsafe.config.git-executable
Path to the git executable
Type:
null or string
Default:
null
services.nix-ci.production.worker-unsafe.config.leader
Leader API
Type:
null or string
Default:
null
services.nix-ci.production.worker-unsafe.config.leader-web-url
Leader web URL, used for documentation links in log output
Type:
null or string
Default:
null
services.nix-ci.production.worker-unsafe.config.log-level
Minimum severity of log messages
Type:
null or one of "Debug", "Info", "Warn", "Error"
Default:
null
services.nix-ci.production.worker-unsafe.config.name
Worker name for registering with the leader
Type:
null or string
Default:
null
services.nix-ci.production.worker-unsafe.config.nix-daemon-shared-dir
Subdirectory of the runtime directory for files shared with the nix daemon
Type:
null or string
Default:
null
services.nix-ci.production.worker-unsafe.config.nix-executable
Path to the nix executable
Type:
null or string
Default:
null
services.nix-ci.production.worker-unsafe.config.private-key
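Worker private key for authenticating with the leader, given as the key material itself. A value set here becomes part of the evaluated coordinator config; on NixOS, values that end up in generated config files normally land in the world-readable Nix store, so prefer private-key-file with a secret provisioned at runtime.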
Type:
null or string
Default:
null
services.nix-ci.production.worker-unsafe.config.private-key-file
Path to a file containing the worker private key for authenticating with the leader (as opposed to private-key, which takes the key itself).
Type:
null or string
Default:
null
services.nix-ci.production.worker-unsafe.config.runner-unit-template
Name of the runner template unit (without the @N.service suffix).
Type:
null or string
Default:
null
services.nix-ci.production.worker-unsafe.config.shared-nix-cache
Nix cache directory (NIX_CACHE_HOME)
Type:
null or string
Default:
null
services.nix-ci.production.worker-unsafe.config.slots-base
Base directory for per-slot job.json files.
Type:
null or string
Default:
null
services.nix-ci.production.worker-unsafe.config.ssh-executable
Path to the ssh executable
Type:
null or string
Default:
null
services.nix-ci.production.worker-unsafe.config.timeout
Maximum timeout for jobs
Type:
null or string or signed integer
Default:
null
services.nix-ci.production.worker-unsafe.config.timeout-executable
Path to the timeout executable
Type:
null or string
Default:
null
services.nix-ci.production.worker-unsafe.config.track-history
Whether to track per-VM history and act on JobOfferRebootRequired.
Type:
null or boolean
Default:
null
services.nix-ci.production.worker-unsafe.config.worker-count
How many runner slots this coordinator manages.
Type:
null or 32 bit unsigned integer; between 0 and 4294967295 (both inclusive)
Default:
null
services.nix-ci.production.worker-unsafe.enable
Enable the NixCI Coordinator + runner template on this VM
Type:
boolean
Default:
true
Example:
false
services.nix-ci.production.worker-unsafe.enableSettingsCheck
Enable a static settings check on the coordinator config. Turn this off if your system has secrets that are provisioned at runtime.
Type:
boolean
Default:
true
services.nix-ci.production.worker-unsafe.evaluatedConfig
The fully-resolved coordinator config (defaults merged with 'config' and 'extraConfig', module-derived fields applied on top) that gets written to nix-ci-coordinator-config.yaml. Exposed so callers and tests can assert on what the coordinator will actually see, including this module's own defaults.
Type:
unspecified value
Read only
services.nix-ci.production.worker-unsafe.extraConfig
Extra coordinator config overrides, merged on top of 'config'.
Type:
unspecified value
Default:
{ }
services.nix-ci.production.worker-unsafe.extraCoordinatorServiceConfig
Extra options on the coordinator unit's ServiceConfig.
Type:
unspecified value
Default:
{ }
services.nix-ci.production.worker-unsafe.extraCoordinatorUnitConfig
Extra options on the coordinator unit's unitConfig. The safe worker wrapper uses this to install FailureAction/SuccessAction = poweroff so that the VM reboots between tenants. Unsafe-only deployments leave it empty, so the coordinator just auto-restarts in place and the VM is not rebooted between tenants.
Type:
unspecified value
Default:
{ }
services.nix-ci.production.worker-unsafe.extraRestartTriggers
Extra restart triggers for the coordinator systemd service. Use this to force a restart when something the unit text does not otherwise depend on changes — most importantly, the ciphertext of age secrets loaded via LoadCredential, whose runtime paths are stable across rotations.
Type:
list of string
Default:
[ ]
services.nix-ci.production.worker-unsafe.extraRunnerServiceConfig
Extra options on the runner template unit's ServiceConfig (applied to every slot instance).
Type:
unspecified value
Default:
{ }
services.nix-ci.production.worker-unsafe.gateway
The gateway to allow access to.
Type:
null or string
Default:
null
Example:
"10.0.0.0"
services.nix-ci.production.worker-unsafe.local-network
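The local network to deny access to, in CIDR notation as in the example. This page does not say what applies when the value is left at the default null, so confirm in the module that the deny rule is actually in place before relying on it for isolation.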
Type:
null or string
Default:
null
Example:
"10.0.0.0/8"
services.nix-ci.production.worker-unsafe.nix-git-cache
Shared Nix Git cache for runner slots, a relative path used as the single CacheDirectory of the runner template (shared across all slots so fetched revisions are reusable).
Type:
string
Default:
"nix-ci-worker"
services.nix-ci.production.worker-unsafe.recommendedOSSettings
Enable recommended OS settings.
Type:
boolean
Default:
true
Example:
false
services.nix-ci.production.worker-unsafe.worker-count
How many runner slots the coordinator manages.
Type:
positive integer, meaning >0
Default:
1
services.nix-ci.production.worker-unsafe.working-dir
Working directory of each runner slot, a relative path that will be the RuntimeDirectory.
Type:
string
Default:
"nix-ci-production-worker"