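## Tenant-specific build capacity.
## This can come from anywhere and is not held to the same level of responsibility that our build-infra has.
{ pkgs, config, lib, ... }:
let
  inherit (lib) mkIf types mkEnableOption mkOption;

  # Disk-space margin, in GiB, that the hourly GC tries to keep free on /nix/store.
  freeGbDiskSpace = 10;

  cfg = config.bagel.builders.extra-build-capacity.provider;
in
{
  options.bagel.builders.extra-build-capacity.provider = {
    enable = mkEnableOption "providing of extra build capacity to other systems";

    buildfarmPublicKeys = mkOption {
      type = types.listOf types.str;
      description = "SSH public keys to allow to connect for remote builds";
    };

    # TODO: register tenant in some deployment wide module
    # so that the consumer side can just automatically generate buildMachines entries.
    tenant = mkOption {
      type = types.enum [ "lix" ];
      description = "Which tenant this extra build capacity is provided to";
    };
  };

  config = mkIf cfg.enable {
    users.groups.builders = { };

    # The account the tenant's build farm logs into; its only credentials are
    # the configured public keys.
    users.users.nix = {
      openssh.authorizedKeys.keys = cfg.buildfarmPublicKeys;
      extraGroups = [ "builders" ];
      isNormalUser = true;
    };

    nix.settings.allowed-users = [ "@wheel" "@builders" ];
    # NOTE(review): members of `builders` (i.e. the tenant's `nix` account) are
    # trusted by the daemon. That is presumably what lets the remote-build
    # protocol import unsigned paths, but the Nix manual warns that a trusted
    # user is effectively root-equivalent on this host, which sits uneasily
    # with the header's "not held to the same level of responsibility". Keep
    # the group limited to this one account and the key list tightly curated.
    nix.settings.trusted-users = [ "@builders" ];

    nix.gc.automatic = true;
    nix.gc.dates = "hourly";
    # Free at most (margin - currently free) bytes, i.e. aim to restore the
    # margin. `df -P -k` reports KiB, hence the `* 1024`. When more than the
    # margin is already free the expression is non-positive; nix appears to
    # treat that as "nothing to free" — confirm against the nix version in use.
    # Every tool is referenced by store path so the unit does not depend on PATH.
    nix.gc.options = ''
      --max-freed "$((${toString freeGbDiskSpace} * 1024**3 - 1024 * $(${pkgs.coreutils}/bin/df -P -k /nix/store | ${pkgs.coreutils}/bin/tail -n 1 | ${pkgs.gawk}/bin/awk '{ print $4 }')))"
    '';

    # Bump the open files limit so that non-root users can run NixOS VM tests, if supported at all.
    security.pam.loginLimits = [
      {
        domain = "*";
        item = "nofile";
        type = "-";
        value = "20480";
      }
    ];
  };
}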