From b83ba410dc2ebcbc84adf954e81196d15a859599 Mon Sep 17 00:00:00 2001
From: "Alexander V. Nikolaev"
Date: Wed, 27 Mar 2024 21:24:49 +0200
Subject: [PATCH] Improvements and amendaments (to be rebased/squashed)
---
 internal/nix/nix-darwin/multi.nix | 51 ++++++++++++++++++++-----------
 1 file changed, 33 insertions(+), 18 deletions(-)
diff --git a/internal/nix/nix-darwin/multi.nix b/internal/nix/nix-darwin/multi.nix
index bb523cea..3051ca22 100644
--- a/internal/nix/nix-darwin/multi.nix
+++ b/internal/nix/nix-darwin/multi.nix
@@ -6,6 +6,7 @@ systemArgs@{ pkgs, config, lib, ... }:
 let
 inherit (lib) mkIf mkDefault types mkOption;
 inherit (lib.strings) match;
+ topConfig = config;
 literalDocBook = lib.literalDocBook or lib.literalExample;
 literalExpression = lib.literalExpression or lib.literalExample;
@@ -16,7 +17,7 @@ let
 command = "${config.package}/bin/hercules-ci-agent --config ${configFile}";
 testCommand = "${command} --test-configuration";
 suffix = if name == "" then "" else "-${name}";
- user = if name == "" then "hercules-ci-agent" else "hci-${name}";
+ user = topConfig.users.${config.user};
 in
 {
 options = {
@@ -36,6 +37,18 @@ let
 type = types.str;
 default = "_hercules-ci-agent";
 };
+ group = mkOption {
+ type = types.str;
+ default = "_hercules-ci-agent";
+ };
+ logFile = mkOption {
+ type = types.str;
+ default = "/var/log/hci-agent${suffix}.log";
+ };
+ baseDirectory = mkOption {
+ type = types.str;
+ default = "/var/lib/hercules-ci-agent${if name == "" then "" else "/${name}"}"; # Almost a `suffix` logic, but yield subdir
+ };
 } // makeSettingsOptions { cfg = config; opt = options; };
 config = let cfg = config; in {
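Review bot: `user = topConfig.users.${config.user};` in the second hunk appears to look up the user record one level too high; nix-darwin keeps user records under `users.users.<name>`, so with the default `user = "_hercules-ci-agent"` the later `user.uid`/`user.gid` reads in the activation script would hit a missing attribute unless this module defines its own `users.<name>` namespace somewhere outside these hunks. Suggest `user = topConfig.users.users.${config.user};`. Nothing in the visible hunks declares that user or group, and the last hunk drops the `# FIXME: no per-agent user support` marker, so it is worth stating in the option description that the host configuration must create the user/group named by `user`/`group` before the daemon and the chown lines can use them.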
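Review bot: The three new options `group`, `logFile` and `baseDirectory` in the third hunk carry no `description`, so they will be invisible in the generated option documentation and readers cannot tell that `group` is the identity the launchd daemon runs under or that `baseDirectory` is what the agent's working directory and data directory are set to. Suggest adding one-line descriptions, e.g. for `group`: `description = "Group the agent's launchd daemon runs as; must exist on the system.";` and for `baseDirectory`: `description = "Directory the agent uses as its working and state directory; created and chowned at activation if missing.";`. The trailing comment on the `baseDirectory` default is hard to parse; `# like `suffix`, but applied as a subdirectory instead of a name suffix` would say the same thing more clearly.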
@@ -44,23 +57,23 @@ let
 packageOption = options.package;
 inherit pkgs;
 };
- baseDirectory = "/var/lib/hercules-ci-agent${if name == "" then "" else "/${name}"}"; # Almost a `suffix` logic, but yield subdir
+ baseDirectory = cfg.baseDirectory;
 nixUserIsTrusted = true;
 labels = let mkIfNotNull = x: mkIf (x != null) x; in {
- darwin.label = config.system.darwinLabel;
- darwin.revision = config.system.darwinRevision;
- darwin.version = config.system.darwinVersion;
- darwin.nix.daemon = config.nix.useDaemon;
- darwin.nix.sandbox = config.nix.settings.sandbox;
+ darwin.label = topConfig.system.darwinLabel;
+ darwin.revision = topConfig.system.darwinRevision;
+ darwin.version = topConfig.system.darwinVersion;
+ darwin.nix.daemon = topConfig.nix.useDaemon;
+ darwin.nix.sandbox = topConfig.nix.settings.sandbox;
 };
 };
 systemConfig = { config, ... }: {
- launchd.daemons.hercules-ci-agent = {
- script = "exec ${cfg.package}/bin/hercules-ci-agent --config ${cfg.jsonFile}";
+ launchd.daemons."hci-agent${suffix}" = {
+ script = "exec ${command}";
 path = [ config.nix.package ];
 environment = {
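Review bot: Renaming the daemon from `launchd.daemons.hercules-ci-agent` to `launchd.daemons."hci-agent${suffix}"` changes the launchd label of the default (unnamed) agent on hosts that already run it, not only of the new named agents. I cannot confirm from these hunks whether nix-darwin unloads a daemon whose label disappears from the configuration; if it does not, an upgraded host would keep the old `hercules-ci-agent` plist loaded next to the new `hci-agent` one, both pointing at the same state directory. Worth either keeping the old label for the unnamed agent (`launchd.daemons."hercules-ci-agent${suffix}"`) or calling out the rename and the required manual unload in the option description.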
@@ -71,21 +84,24 @@ let
 serviceConfig.RunAtLoad = true;
 serviceConfig.StandardErrorPath = cfg.logFile;
 serviceConfig.StandardOutPath = cfg.logFile;
- serviceConfig.GroupName = "_hercules-ci-agent";
- serviceConfig.UserName = "_hercules-ci-agent";
- serviceConfig.WorkingDirectory = user.home;
+ serviceConfig.GroupName = cfg.user;
+ serviceConfig.UserName = cfg.group;
+ serviceConfig.WorkingDirectory = cfg.baseDirectory;
 serviceConfig.WatchPaths = [ cfg.settings.staticSecretsDirectory ];
 };
+
+ nix.settings.trusted-users = [ cfg.user ];
 system.activationScripts.preActivation.text = ''
 touch '${cfg.logFile}'
 chown ${toString user.uid}:${toString user.gid} '${cfg.logFile}'
+ if ! test -d ${cfg.baseDirectory}; then
+ mkdir -p ${cfg.baseDirectory}
+ chown ${toString user.uid}:${toString user.gid} ${cfg.baseDirectory}
+ fi
 '';
- # Trusted user allows simplified configuration and better performance
- # when operating in a cluster.
- nix.settings.trusted-users = [ config.systemd.services."hercules-ci-agent${suffix}".serviceConfig.User ];
 };
 };
 };
@@ -107,7 +123,7 @@ in {
 - Default base directory: `/var/lib/hercules-ci-agent`
 Otherwise:
- - User: `hci-''${name}`
+ - User: `hercules-ci-agent` (on darwin we use same username)
 - Default base directory: `/var/lib/hercules-ci-agent-''${name}`
 '';
 };
@@ -117,8 +133,7 @@ in {
 { nix = mergeSub (c: c.nix);
 launchd = mergeSub (c: c.launchd);
-# FIXME: no per-agent user support
-# users = mergeSub (c: c.users);
+ system = mergeSub (c: c.system);
 }
 { nix.extraOptions = lib.mkIf (config.services.hercules-ci-agents != { }) ''
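Review bot: `serviceConfig.GroupName = cfg.user;` and `serviceConfig.UserName = cfg.group;` are swapped: the daemon's user is taken from the `group` option and its group from the `user` option. With both defaults equal to `_hercules-ci-agent` this is masked, but any host that overrides one of them would run the agent under an unintended identity while the chown lines below still use `user.uid`/`user.gid`; the lines should read `serviceConfig.GroupName = cfg.group;` and `serviceConfig.UserName = cfg.user;`. The relocated `nix.settings.trusted-users = [ cfg.user ];` drops the explanation the removed lines carried; since trusted-user status lets that account bypass several nix-daemon restrictions, keep a comment next to it such as `# The agent user is made a Nix trusted user: it allows simplified configuration and better performance when operating in a cluster, at the cost of that user being able to override daemon settings.` In the activation script `${cfg.baseDirectory}` is unquoted in `test`, `mkdir` and `chown` while `${cfg.logFile}` is single-quoted on the lines above; quoting it the same way would keep a path containing spaces from splitting, and the ownership is only applied when the directory is first created, so a pre-existing directory with other ownership is left untouched (say so in a comment if that is intended).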
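Review bot: The description text in the second hunk disagrees with the option defaults introduced by this same commit. It now says the user is `hercules-ci-agent`, while the `user` option defaults to `_hercules-ci-agent` (with the leading underscore, as the launchd settings previously hard-coded), and the untouched context line still says the default base directory is `/var/lib/hercules-ci-agent-''${name}`, while the new `baseDirectory` option defaults to `/var/lib/hercules-ci-agent/''${name}`, a subdirectory. Suggest `- User: `_hercules-ci-agent` (on Darwin all agents share the same user; see the `user` option)` and `- Default base directory: `/var/lib/hercules-ci-agent/''${name}``.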