mirror of
https://github.com/srid/nixos-config.git
{ config, pkgs, lib, inputs, ... }:

# Dedicated NixOS container that runs Hercules CI effects.
# https://docs.hercules-ci.com/hercules-ci/effects/
#
# TODO: Prevent access to local network, while allowing internet access
# NOTE(review): `privateNetwork` is not set on the container below. By NixOS
# default that leaves the container in the host's network namespace, so it can
# reach whatever the host can reach on the local network -- confirm.
{
  nix = {
    # Hercules CI's Cachix cache and the public key used to verify store paths
    # substituted from it.
    binaryCaches = [
      "https://hercules-ci.cachix.org"
    ];
    binaryCachePublicKeys = [
      "hercules-ci.cachix.org-1:ZZeDl9Va+xe9j+KqdzoBZMFJHVQ42Uu/c/1/KMC5Lw0="
    ];

    # FIXME: User id of `hercules-ci-agent` won't match that of guest, so we do
    # this. But it compromises security. See
    # https://github.com/hercules-ci/hercules-ci-agent/issues/345#issuecomment-986329977
    #
    # Why it matters: a trusted user is effectively root as far as the Nix
    # daemon is concerned. Trusted users may override restricted settings,
    # including adding substituters and relaxing signature checks, so the
    # wildcard extends that to every account able to reach the daemon and
    # weakens the cache key pinning above.
    #
    # TODO: Find a way to resolve this.
    allowedUsers = [ "*" ];
    trustedUsers = [ "*" ];
  };

  containers.hercules = {
    autoStart = true;
    # Non-ephemeral: the container's root filesystem persists across restarts,
    # so state left behind by one effect run is still there for the next.
    ephemeral = false;

    config = { config, pkgs, ... }: {
      imports = [
        inputs.hercules-ci-agent.nixosModules.agent-service
      ];

      services.hercules-ci-agent = {
        enable = true;
        settings.concurrentTasks = 4;
      };

      # Same wildcard as on the host; see the FIXME on the host-level `nix`
      # settings for the security trade-off.
      nix = {
        allowedUsers = [ "*" ];
        trustedUsers = [ "*" ];
      };

      # No inbound TCP ports are opened. This list governs incoming
      # connections only; it does not restrict what the container connects out
      # to, so it does not address the local-network TODO at the top.
      networking.firewall.allowedTCPPorts = [ ];
    };
  };
}