Configuration file

When deploying with NixOS, NixOps or nix-darwin, use the module documentation instead, or skip ahead to the less frequently used options, which can be set through extraOptions.

The agent's configuration format is TOML. Its location can be specified by invoking hercules-ci-agent --config agent.toml. Alternatively, the NixOS and nix-darwin modules can generate this file for you. See also the setup guide.

A basic agent.toml looks as follows:

baseDirectory = "/var/lib/hercules-ci-agent"
concurrentTasks = 4

If you are deploying an agent, the guide is a better starting point.


Optional. Defaults to

HTTP API the agent will connect to.



Directory with all the agent state: secrets, work, etc.


Optional. Defaults to staticSecretsDirectory/binary-caches.json if that file exists. With the NixOS module this defaults to /var/lib/hercules-ci-agent/secrets/binary-caches.json.

Path to a JSON file containing binary cache secret keys.

The contents of the file are described in binary-caches.json.


Optional. Defaults to staticSecretsDirectory/cluster-join-token.key.

Path to a secret token retrieved when creating a new agent via

This token is used for authentication with apiBaseUrl.


Optional. Defaults to 4.

Combined number of workers to use for building and evaluating Nix derivations.

The optimal value depends on the resource consumption characteristics of your workload, including memory usage and in-task parallelism. This is typically determined empirically.


Optional. Defaults to InfoS. More verbose: DebugS, less verbose: WarningS, ErrorS.


Optional. Defaults to baseDirectory/secrets.

This is the default directory to look for statically configured secrets like clusterJoinTokenPath.


Optional. Defaults to baseDirectory/work.

The directory in which temporary subdirectories are created for task state. This includes sources for Nix evaluation.