nixos/github-runners: use mkMerge for serviceConfig

The `serviceOverrides` module option is commonly used to loosen the
systemd unit's hardening. This commit merges the `serviceConfig` with
`mkMerge` instead of using the update operator `//` which discards all
existing values on conflict. To avoid a breaking change which requires
defining each option with a higher priority (e.g., through `mkForce`),
this commit prefixes hardening values with `mkDefault`.

Notable exceptions are list hardening options which use `mkBefore`
instead of `mkDefault`. This allows for easy extension of the existing
settings. Resetting redefinitions are still possible through `mkForce`.

nixos/modules/services/continuous-integration/github-runner/options.nix

@@ -127,10 +127,11 @@ with lib;
   serviceOverrides = mkOption {
     type = types.attrs;
     description = lib.mdDoc ''
-      Overrides for the systemd service. Can be used to adjust the sandboxing options.
+      Modify the systemd service. Can be used to, e.g., adjust the sandboxing options.
     '';
     example = {
       ProtectHome = false;
+      RestrictAddressFamilies = [ "AF_PACKET" ];
     };
     default = {};
   };

nixos/modules/services/continuous-integration/github-runner/service.nix

@@ -45,7 +45,7 @@ in
     config.nix.package
   ] ++ cfg.extraPackages;
 
-  serviceConfig = {
+  serviceConfig = mkMerge [{
     ExecStart = "${cfg.package}/bin/Runner.Listener run --startuptype service";
 
     # Does the following, sequentially:
@@ -202,30 +202,30 @@ in
     # Hardening (may overlap with DynamicUser=)
     # The following options are only for optimizing:
     # systemd-analyze security github-runner
-    AmbientCapabilities = "";
-    CapabilityBoundingSet = "";
+    AmbientCapabilities = mkBefore [ "" ];
+    CapabilityBoundingSet = mkBefore [ "" ];
     # ProtectClock= adds DeviceAllow=char-rtc r
-    DeviceAllow = "";
-    NoNewPrivileges = true;
-    PrivateDevices = true;
-    PrivateMounts = true;
-    PrivateTmp = true;
-    PrivateUsers = true;
-    ProtectClock = true;
-    ProtectControlGroups = true;
-    ProtectHome = true;
-    ProtectHostname = true;
-    ProtectKernelLogs = true;
-    ProtectKernelModules = true;
-    ProtectKernelTunables = true;
-    ProtectSystem = "strict";
-    RemoveIPC = true;
-    RestrictNamespaces = true;
-    RestrictRealtime = true;
-    RestrictSUIDSGID = true;
-    UMask = "0066";
-    ProtectProc = "invisible";
-    SystemCallFilter = [
+    DeviceAllow = mkBefore [ "" ];
+    NoNewPrivileges = mkDefault true;
+    PrivateDevices = mkDefault true;
+    PrivateMounts = mkDefault true;
+    PrivateTmp = mkDefault true;
+    PrivateUsers = mkDefault true;
+    ProtectClock = mkDefault true;
+    ProtectControlGroups = mkDefault true;
+    ProtectHome = mkDefault true;
+    ProtectHostname = mkDefault true;
+    ProtectKernelLogs = mkDefault true;
+    ProtectKernelModules = mkDefault true;
+    ProtectKernelTunables = mkDefault true;
+    ProtectSystem = mkDefault "strict";
+    RemoveIPC = mkDefault true;
+    RestrictNamespaces = mkDefault true;
+    RestrictRealtime = mkDefault true;
+    RestrictSUIDSGID = mkDefault true;
+    UMask = mkDefault "0066";
+    ProtectProc = mkDefault "invisible";
+    SystemCallFilter = mkBefore [
       "~@clock"
       "~@cpu-emulation"
       "~@module"
@@ -237,30 +237,30 @@ in
       "~setdomainname"
       "~sethostname"
     ];
-    RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" "AF_NETLINK" ];
+    RestrictAddressFamilies = mkBefore [ "AF_INET" "AF_INET6" "AF_UNIX" "AF_NETLINK" ];
 
     BindPaths = lib.optionals (cfg.workDir != null) [ cfg.workDir ];
 
     # Needs network access
-    PrivateNetwork = false;
+    PrivateNetwork = mkDefault false;
     # Cannot be true due to Node
-    MemoryDenyWriteExecute = false;
+    MemoryDenyWriteExecute = mkDefault false;
 
     # The more restrictive "pid" option makes `nix` commands in CI emit
     # "GC Warning: Couldn't read /proc/stat"
     # You may want to set this to "pid" if not using `nix` commands
-    ProcSubset = "all";
+    ProcSubset = mkDefault "all";
     # Coverage programs for compiled code such as `cargo-tarpaulin` disable
     # ASLR (address space layout randomization) which requires the
     # `personality` syscall
     # You may want to set this to `true` if not using coverage tooling on
     # compiled code
-    LockPersonality = false;
+    LockPersonality = mkDefault false;
 
     # Note that this has some interactions with the User setting; so you may
     # want to consult the systemd docs if using both.
-    DynamicUser = true;
-  } // (
-    lib.optionalAttrs (cfg.user != null) { User = cfg.user; }
-  ) // cfg.serviceOverrides;
+    DynamicUser = mkDefault true;
+  }
+    (mkIf (cfg.user != null) { User = cfg.user; })
+    cfg.serviceOverrides];
 }