Should the fact that it is declared assume that you want it enabled?

Yes. Would be weird if you declared an agent and then you have to explicitly enable it.

Do we still want to have the option to then explicitly disable it? Seems weird, as we filter by enabled agents…

do you know usecases of where this should be somewhere else than at this location?

If we restrict it to /var/lib/buildkite-agent-${name}, we could just set StateDirectory=buildkite-agent=${name}, and DynamicUser=true, and don't need to setup a system-wide user at all.

Yes, we use the buildkite directory to store some gc roots that are used for Continuous Delivery. We could change to a ReadWriteDirectory, but I don't think DynamicUser is really set up for communication with the outside world.

Our approach to CD is arguably horrible by abusing this.

Well, I'd recommend using some post-build-hook on the global nix-daemon to sign and upload to a binary cache, but hmm… I can understand you can't change this that quick.

Still, what about defaulting to use DynamicUser=true, and StateDirectory=buidlkite-agent-${name}, and only use a system-wide user if both a user attribute and that dataDir attribute is set?

using some post-build-hook on the global nix-daemon to sign and upload to a binary cache

Been there, tried that :(. Builds become horribly slow and the host becomes almost unusable as it is uploading everything, even your user environment after nix-env -i (and that’s slow too).

Well, the naive approach blocks the build loop, as documented in https://nixos.org/nix/manual/#chap-post-build-hook-caveats .

In your case, you might want to have the executed hook to fork away as fast as possible.

However, I see that discussion as not really related to this PR - it doesn't yet introduce DynamicUser.

It should be relatively easy to make this backwards compatible with mkChangedOptionModule, which will also issue a warning when the old option is used.

We could do that, but what should we make the default agent name? The state paths for it would still change.

Since people are expected to have used dataDir to refer to the path, I don't think it should be a problem. Also from this PR I can see that the service previously didn't even use dataDir to get its config, seemingly indicating that it was never fully supported anyways.

Also I correct myself: A simple

mkRenamedOptionModule [ "services" "buildkite-agent" ]
  [ "services" "buildkite-agents" "legacy" ]

should work (using the name legacy, or maybe single or nixos-single or so)

the dataDir actually contains long-term state. People would have to move the contents of /var/lib/buildkite-agent to /var/lib/buildkite-agent-legacy, or get unexpected behavior. I think it's safer to have it break during the build, instead of during runtime.

Ohh good point, didn't think of that. Okay so a mkRenamedOptionModule won't work, but a mkChangedOptionModule should still be possible with a legacy attribute (or similar) and by defaulting its dataDir to /var/lib/buildkite-agent

I still think breaking old config and making sure the user did read the release notes is a better way forward here.

There have been quite some changes, and just silently assuming everything will still work as it did before is probably a bad idea anyways.

I also proposed to default to use DynamicUsers, and make the usage of a non-dynamic user, and custom StateDirectory the non-default case, which might cause nontrivial migrations aswell.

I think batching all these with the option syntax change is a reasonable path forward.

What are the "quite some changes"? From what I can see all this PR does is to add support for multiple agents as it says, which imo really doesn't warrant breaking people's configs, especially if it only takes a couple lines to make it automatic.

@infinisil see the earlier PRs and the corresponding release notes:

https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/manual/release-notes/rl-2003.xml#L417

As for the "defaulting to DynamicUser": #78373 (comment)

Were any of those not backwards compatible? If so they should've added a warning/error themselves. This PR itself seems 100% backwards compatible with a mkChangedOptionModule. Unless backwards compat has to be broken I'd rather not.

Well, the module options themselves not, but the upgrade from buildkite 2 to 3 might have introduced some behavorial changes in how the bootstrap/hooks were configured: https://buildkite.com/docs/agent/v3/upgrading