movefasta/nixpkgs
1
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2025-06-26 02:56:36 +03:00
Code Activity

nixos/services.github-runners: remove with lib;

Browse source
This commit is contained in:
Felix Buehler 2024-12-08 13:18:23 +01:00
parent 5ee4c4b0a1
commit d575253885
2 changed files with 89 additions and 93 deletions
Download patch file Download diff file Expand all files Collapse all files

78
nixos/modules/services/continuous-integration/github-runner/options.nix
View file

@ -2,10 +2,8 @@
, pkgs
, ...
}:
with lib;
{
options.services.github-runners = mkOption {
options.services.github-runners = lib.mkOption {
description = ''
Multiple GitHub Runners.
'';
@ -25,9 +23,9 @@ with lib;
};
};
default = { };
type = types.attrsOf (types.submodule ({ name, ... }: {
type = lib.types.attrsOf (lib.types.submodule ({ name, ... }: {
options = {
enable = mkOption {
enable = lib.mkOption {
default = false;
example = true;
description = ''
@ -36,11 +34,11 @@ with lib;
Note: GitHub recommends using self-hosted runners with private repositories only. Learn more here:
[About self-hosted runners](https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners).
'';
type = types.bool;
type = lib.types.bool;
};
url = mkOption {
type = types.str;
url = lib.mkOption {
type = lib.types.str;
description = ''
Repository to add the runner to.
@ -57,8 +55,8 @@ with lib;
example = "https://github.com/nixos/nixpkgs";
};
tokenFile = mkOption {
type = types.path;
tokenFile = lib.mkOption {
type = lib.types.path;
description = ''
The full path to a file which contains either
@ -100,8 +98,8 @@ with lib;
example = "/run/secrets/github-runner/nixos.token";
};
name = mkOption {
type = types.nullOr types.str;
name = lib.mkOption {
type = lib.types.nullOr lib.types.str;
description = ''
Name of the runner to configure. If null, defaults to the hostname.
@ -111,8 +109,8 @@ with lib;
default = name;
};
runnerGroup = mkOption {
type = types.nullOr types.str;
runnerGroup = lib.mkOption {
type = lib.types.nullOr lib.types.str;
description = ''
Name of the runner group to add this runner to (defaults to the default runner group).
@ -121,19 +119,19 @@ with lib;
default = null;
};
extraLabels = mkOption {
type = types.listOf types.str;
extraLabels = lib.mkOption {
type = lib.types.listOf lib.types.str;
description = ''
Extra labels in addition to the default (unless disabled through the `noDefaultLabels` option).
Changing this option triggers a new runner registration.
'';
example = literalExpression ''[ "nixos" ]'';
example = lib.literalExpression ''[ "nixos" ]'';
default = [ ];
};
noDefaultLabels = mkOption {
type = types.bool;
noDefaultLabels = lib.mkOption {
type = lib.types.bool;
description = ''
Disables adding the default labels. Also see the `extraLabels` option.
@ -142,8 +140,8 @@ with lib;
default = false;
};
replace = mkOption {
type = types.bool;
replace = lib.mkOption {
type = lib.types.bool;
description = ''
Replace any existing runner with the same name.
@ -152,16 +150,16 @@ with lib;
default = false;
};
extraPackages = mkOption {
type = types.listOf types.package;
extraPackages = lib.mkOption {
type = lib.types.listOf lib.types.package;
description = ''
Extra packages to add to `PATH` of the service to make them available to workflows.
'';
default = [ ];
};
extraEnvironment = mkOption {
type = types.attrs;
extraEnvironment = lib.mkOption {
type = lib.types.attrs;
description = ''
Extra environment variables to set for the runner, as an attrset.
'';
@ -171,8 +169,8 @@ with lib;
default = { };
};
serviceOverrides = mkOption {
type = types.attrs;
serviceOverrides = lib.mkOption {
type = lib.types.attrs;
description = ''
Modify the systemd service. Can be used to, e.g., adjust the sandboxing options.
See {manpage}`systemd.exec(5)` for more options.
@ -184,10 +182,10 @@ with lib;
default = { };
};
package = mkPackageOption pkgs "github-runner" { };
package = lib.mkPackageOption pkgs "github-runner" { };
ephemeral = mkOption {
type = types.bool;
ephemeral = lib.mkOption {
type = lib.types.bool;
description = ''
If enabled, causes the following behavior:
@ -206,8 +204,8 @@ with lib;
default = false;
};
user = mkOption {
type = types.nullOr types.str;
user = lib.mkOption {
type = lib.types.nullOr lib.types.str;
description = ''
User under which to run the service.
@ -217,11 +215,11 @@ with lib;
Also see the `group` option for an overview on the effects of the `user` and `group` settings.
'';
default = null;
defaultText = literalExpression "username";
defaultText = lib.literalExpression "username";
};
group = mkOption {
type = types.nullOr types.str;
group = lib.mkOption {
type = lib.types.nullOr lib.types.str;
description = ''
Group under which to run the service.
@ -236,11 +234,11 @@ with lib;
but run as root implicitly. If this is really what you want, set `user = "root"` explicitly.
'';
default = null;
defaultText = literalExpression "groupname";
defaultText = lib.literalExpression "groupname";
};
workDir = mkOption {
type = with types; nullOr str;
workDir = lib.mkOption {
type = with lib.types; nullOr str;
description = ''
Working directory, available as `$GITHUB_WORKSPACE` during workflow runs
and used as a default for [repository checkouts](https://github.com/actions/checkout).
@ -253,8 +251,8 @@ with lib;
default = null;
};
nodeRuntimes = mkOption {
type = with types; nonEmptyListOf (enum [ "node20" ]);
nodeRuntimes = lib.mkOption {
type = with lib.types; nonEmptyListOf (enum [ "node20" ]);
default = [ "node20" ];
description = ''
List of Node.js runtimes the runner should support.

104
nixos/modules/services/continuous-integration/github-runner/service.nix
View file

@ -3,11 +3,9 @@
, pkgs
, ...
}:
with lib;
{
config.assertions = flatten (
flip mapAttrsToList config.services.github-runners (name: cfg: map (mkIf cfg.enable) [
config.assertions = lib.flatten (
lib.flip lib.mapAttrsToList config.services.github-runners (name: cfg: map (lib.mkIf cfg.enable) [
{
assertion = !cfg.noDefaultLabels || (cfg.extraLabels != [ ]);
message = "`services.github-runners.${name}`: The `extraLabels` option is mandatory if `noDefaultLabels` is set";
@ -20,8 +18,8 @@ with lib;
);
config.systemd.services =
let enabledRunners = filterAttrs (_: cfg: cfg.enable) config.services.github-runners;
in (flip mapAttrs' enabledRunners (name: cfg:
let enabledRunners = lib.filterAttrs (_: cfg: cfg.enable) config.services.github-runners;
in (lib.flip lib.mapAttrs' enabledRunners (name: cfg:
let
svcName = "github-runner-${name}";
systemdDir = "github-runner/${name}";
@ -37,9 +35,9 @@ with lib;
workDir = if cfg.workDir == null then runtimeDir else cfg.workDir;
# Support old github-runner versions which don't have the `nodeRuntimes` arg yet.
package = cfg.package.override (old: optionalAttrs (hasAttr "nodeRuntimes" old) { inherit (cfg) nodeRuntimes; });
package = cfg.package.override (old: lib.optionalAttrs (lib.hasAttr "nodeRuntimes" old) { inherit (cfg) nodeRuntimes; });
in
nameValuePair svcName {
lib.nameValuePair svcName {
description = "GitHub Actions runner";
wantedBy = [ "multi-user.target" ];
@ -61,7 +59,7 @@ with lib;
config.nix.package
] ++ cfg.extraPackages;
serviceConfig = mkMerge [
serviceConfig = lib.mkMerge [
{
ExecStart = "${package}/bin/Runner.Listener run --startuptype service";
@ -90,7 +88,7 @@ with lib;
${lines}
'';
runnerRegistrationConfig = getAttrs [
runnerRegistrationConfig = lib.getAttrs [
"ephemeral"
"extraLabels"
"name"
@ -114,9 +112,9 @@ with lib;
unconfigureRunner = writeScript "unconfigure" ''
copy_tokens() {
# Copy the configured token file to the state dir and allow the service user to read the file
install --mode=666 ${escapeShellArg cfg.tokenFile} "${newConfigTokenPath}"
install --mode=666 ${lib.escapeShellArg cfg.tokenFile} "${newConfigTokenPath}"
# Also copy current file to allow for a diff on the next start
install --mode=600 ${escapeShellArg cfg.tokenFile} "${currentConfigTokenPath}"
install --mode=600 ${lib.escapeShellArg cfg.tokenFile} "${currentConfigTokenPath}"
}
clean_state() {
find "$STATE_DIRECTORY/" -mindepth 1 -delete
@ -130,7 +128,7 @@ with lib;
|| changed=1
# Also check the content of the token file
[[ -f "${currentConfigTokenPath}" ]] \
&& ${pkgs.diffutils}/bin/diff -q "${currentConfigTokenPath}" ${escapeShellArg cfg.tokenFile} >/dev/null 2>&1 \
&& ${pkgs.diffutils}/bin/diff -q "${currentConfigTokenPath}" ${lib.escapeShellArg cfg.tokenFile} >/dev/null 2>&1 \
|| changed=1
# If the config has changed, remove old state and copy tokens
if [[ "$changed" -eq 1 ]]; then
@ -140,7 +138,7 @@ with lib;
clean_state
fi
}
if [[ "${optionalString cfg.ephemeral "1"}" ]]; then
if [[ "${lib.optionalString cfg.ephemeral "1"}" ]]; then
# In ephemeral mode, we always want to start with a clean state
clean_state
elif [[ "$(ls -A "$STATE_DIRECTORY")" ]]; then
@ -161,13 +159,13 @@ with lib;
--unattended
--disableupdate
--work "$WORK_DIRECTORY"
--url ${escapeShellArg cfg.url}
--labels ${escapeShellArg (concatStringsSep "," cfg.extraLabels)}
${optionalString (cfg.name != null ) "--name ${escapeShellArg cfg.name}"}
${optionalString cfg.replace "--replace"}
${optionalString (cfg.runnerGroup != null) "--runnergroup ${escapeShellArg cfg.runnerGroup}"}
${optionalString cfg.ephemeral "--ephemeral"}
${optionalString cfg.noDefaultLabels "--no-default-labels"}
--url ${lib.escapeShellArg cfg.url}
--labels ${lib.escapeShellArg (lib.concatStringsSep "," cfg.extraLabels)}
${lib.optionalString (cfg.name != null ) "--name ${lib.escapeShellArg cfg.name}"}
${lib.optionalString cfg.replace "--replace"}
${lib.optionalString (cfg.runnerGroup != null) "--runnergroup ${lib.escapeShellArg cfg.runnerGroup}"}
${lib.optionalString cfg.ephemeral "--ephemeral"}
${lib.optionalString cfg.noDefaultLabels "--no-default-labels"}
)
# If the token file contains a PAT (i.e., it starts with "ghp_" or "github_pat_"), we have to use the --pat option,
# if it is not a PAT, we assume it contains a registration token and use the --token option
@ -196,7 +194,7 @@ with lib;
ln -s "$STATE_DIRECTORY"/{${lib.concatStringsSep "," runnerCredFiles}} "$WORK_DIRECTORY/"
'';
in
map (x: "${x} ${escapeShellArgs [ stateDir workDir logsDir ]}") [
map (x: "${x} ${lib.escapeShellArgs [ stateDir workDir logsDir ]}") [
"+${unconfigureRunner}" # runs as root
configureRunner
setupWorkDir
@ -230,30 +228,30 @@ with lib;
# Hardening (may overlap with DynamicUser=)
# The following options are only for optimizing:
# systemd-analyze security github-runner
AmbientCapabilities = mkBefore [ "" ];
CapabilityBoundingSet = mkBefore [ "" ];
AmbientCapabilities = lib.mkBefore [ "" ];
CapabilityBoundingSet = lib.mkBefore [ "" ];
# ProtectClock= adds DeviceAllow=char-rtc r
DeviceAllow = mkBefore [ "" ];
NoNewPrivileges = mkDefault true;
PrivateDevices = mkDefault true;
PrivateMounts = mkDefault true;
PrivateTmp = mkDefault true;
PrivateUsers = mkDefault true;
ProtectClock = mkDefault true;
ProtectControlGroups = mkDefault true;
ProtectHome = mkDefault true;
ProtectHostname = mkDefault true;
ProtectKernelLogs = mkDefault true;
ProtectKernelModules = mkDefault true;
ProtectKernelTunables = mkDefault true;
ProtectSystem = mkDefault "strict";
RemoveIPC = mkDefault true;
RestrictNamespaces = mkDefault true;
RestrictRealtime = mkDefault true;
RestrictSUIDSGID = mkDefault true;
UMask = mkDefault "0066";
ProtectProc = mkDefault "invisible";
SystemCallFilter = mkBefore [
DeviceAllow = lib.mkBefore [ "" ];
NoNewPrivileges = lib.mkDefault true;
PrivateDevices = lib.mkDefault true;
PrivateMounts = lib.mkDefault true;
PrivateTmp = lib.mkDefault true;
PrivateUsers = lib.mkDefault true;
ProtectClock = lib.mkDefault true;
ProtectControlGroups = lib.mkDefault true;
ProtectHome = lib.mkDefault true;
ProtectHostname = lib.mkDefault true;
ProtectKernelLogs = lib.mkDefault true;
ProtectKernelModules = lib.mkDefault true;
ProtectKernelTunables = lib.mkDefault true;
ProtectSystem = lib.mkDefault "strict";
RemoveIPC = lib.mkDefault true;
RestrictNamespaces = lib.mkDefault true;
RestrictRealtime = lib.mkDefault true;
RestrictSUIDSGID = lib.mkDefault true;
UMask = lib.mkDefault "0066";
ProtectProc = lib.mkDefault "invisible";
SystemCallFilter = lib.mkBefore [
"~@clock"
"~@cpu-emulation"
"~@module"
@ -265,33 +263,33 @@ with lib;
"~setdomainname"
"~sethostname"
];
RestrictAddressFamilies = mkBefore [ "AF_INET" "AF_INET6" "AF_UNIX" "AF_NETLINK" ];
RestrictAddressFamilies = lib.mkBefore [ "AF_INET" "AF_INET6" "AF_UNIX" "AF_NETLINK" ];
BindPaths = lib.optionals (cfg.workDir != null) [ cfg.workDir ];
# Needs network access
PrivateNetwork = mkDefault false;
PrivateNetwork = lib.mkDefault false;
# Cannot be true due to Node
MemoryDenyWriteExecute = mkDefault false;
MemoryDenyWriteExecute = lib.mkDefault false;
# The more restrictive "pid" option makes `nix` commands in CI emit
# "GC Warning: Couldn't read /proc/stat"
# You may want to set this to "pid" if not using `nix` commands
ProcSubset = mkDefault "all";
ProcSubset = lib.mkDefault "all";
# Coverage programs for compiled code such as `cargo-tarpaulin` disable
# ASLR (address space layout randomization) which requires the
# `personality` syscall
# You may want to set this to `true` if not using coverage tooling on
# compiled code
LockPersonality = mkDefault false;
LockPersonality = lib.mkDefault false;
DynamicUser = mkDefault true;
DynamicUser = lib.mkDefault true;
}
(mkIf (cfg.user != null) {
(lib.mkIf (cfg.user != null) {
DynamicUser = false;
User = cfg.user;
})
(mkIf (cfg.group != null) {
(lib.mkIf (cfg.group != null) {
DynamicUser = false;
Group = cfg.group;
})