nixos/github-runners: fix format of service file

2024-12-17 19:23:50 +00:00 · 2023-01-09 09:36:51 +01:00 · 2023-01-09 09:36:51 +01:00 · b634dbe576
commit b634dbe576
parent 66dbf9b199
1 changed files with 196 additions and 194 deletions
--- a/nixos/modules/services/continuous-integration/github-runner/service.nix
+++ b/nixos/modules/services/continuous-integration/github-runner/service.nix
@ -45,222 +45,224 @@ in
    config.nix.package
  ] ++ cfg.extraPackages;
-  serviceConfig = mkMerge [{
+  serviceConfig = mkMerge [
-    ExecStart = "${cfg.package}/bin/Runner.Listener run --startuptype service";
+    {
      ExecStart = "${cfg.package}/bin/Runner.Listener run --startuptype service";
-    # Does the following, sequentially:
+      # Does the following, sequentially:
-    # - If the module configuration or the token has changed, purge the state directory,
+      # - If the module configuration or the token has changed, purge the state directory,
-    #   and create the current and the new token file with the contents of the configured
+      #   and create the current and the new token file with the contents of the configured
-    #   token. While both files have the same content, only the later is accessible by
+      #   token. While both files have the same content, only the later is accessible by
-    #   the service user.
+      #   the service user.
-    # - Configure the runner using the new token file. When finished, delete it.
+      # - Configure the runner using the new token file. When finished, delete it.
-    # - Set up the directory structure by creating the necessary symlinks.
+      # - Set up the directory structure by creating the necessary symlinks.
-    ExecStartPre =
+      ExecStartPre =
-      let
+        let
-        # Wrapper script which expects the full path of the state, working and logs
+          # Wrapper script which expects the full path of the state, working and logs
-        # directory as arguments. Overrides the respective systemd variables to provide
+          # directory as arguments. Overrides the respective systemd variables to provide
-        # unambiguous directory names. This becomes relevant, for example, if the
+          # unambiguous directory names. This becomes relevant, for example, if the
-        # caller overrides any of the StateDirectory=, RuntimeDirectory= or LogDirectory=
+          # caller overrides any of the StateDirectory=, RuntimeDirectory= or LogDirectory=
-        # to contain more than one directory. This causes systemd to set the respective
+          # to contain more than one directory. This causes systemd to set the respective
-        # environment variables with the path of all of the given directories, separated
+          # environment variables with the path of all of the given directories, separated
-        # by a colon.
+          # by a colon.
-        writeScript = name: lines: pkgs.writeShellScript "${svcName}-${name}.sh" ''
+          writeScript = name: lines: pkgs.writeShellScript "${svcName}-${name}.sh" ''
-          set -euo pipefail
+            set -euo pipefail
-          STATE_DIRECTORY="$1"
+            STATE_DIRECTORY="$1"
-          WORK_DIRECTORY="$2"
+            WORK_DIRECTORY="$2"
-          LOGS_DIRECTORY="$3"
+            LOGS_DIRECTORY="$3"
-          ${lines}
+            ${lines}
-        '';
+          '';
-        runnerRegistrationConfig = getAttrs [ "name" "tokenFile" "url" "runnerGroup" "extraLabels" "ephemeral" "workDir" ] cfg;
+          runnerRegistrationConfig = getAttrs [ "name" "tokenFile" "url" "runnerGroup" "extraLabels" "ephemeral" "workDir" ] cfg;
-        newConfigPath = builtins.toFile "${svcName}-config.json" (builtins.toJSON runnerRegistrationConfig);
+          newConfigPath = builtins.toFile "${svcName}-config.json" (builtins.toJSON runnerRegistrationConfig);
-        currentConfigPath = "$STATE_DIRECTORY/.nixos-current-config.json";
+          currentConfigPath = "$STATE_DIRECTORY/.nixos-current-config.json";
-        newConfigTokenPath= "$STATE_DIRECTORY/.new-token";
+          newConfigTokenPath = "$STATE_DIRECTORY/.new-token";
-        currentConfigTokenPath = "$STATE_DIRECTORY/${currentConfigTokenFilename}";
+          currentConfigTokenPath = "$STATE_DIRECTORY/${currentConfigTokenFilename}";
-        runnerCredFiles = [
+          runnerCredFiles = [
-          ".credentials"
+            ".credentials"
-          ".credentials_rsaparams"
+            ".credentials_rsaparams"
-          ".runner"
+            ".runner"
-        ];
+          ];
-        unconfigureRunner = writeScript "unconfigure" ''
+          unconfigureRunner = writeScript "unconfigure" ''
-          copy_tokens() {
+            copy_tokens() {
-            # Copy the configured token file to the state dir and allow the service user to read the file
+              # Copy the configured token file to the state dir and allow the service user to read the file
-            install --mode=666 ${escapeShellArg cfg.tokenFile} "${newConfigTokenPath}"
+              install --mode=666 ${escapeShellArg cfg.tokenFile} "${newConfigTokenPath}"
-            # Also copy current file to allow for a diff on the next start
+              # Also copy current file to allow for a diff on the next start
-            install --mode=600 ${escapeShellArg cfg.tokenFile} "${currentConfigTokenPath}"
+              install --mode=600 ${escapeShellArg cfg.tokenFile} "${currentConfigTokenPath}"
-          }
+            }
-          clean_state() {
+            clean_state() {
-            find "$STATE_DIRECTORY/" -mindepth 1 -delete
+              find "$STATE_DIRECTORY/" -mindepth 1 -delete
-            copy_tokens
+              copy_tokens
-          }
+            }
-          diff_config() {
+            diff_config() {
-            changed=0
+              changed=0
-            # Check for module config changes
+              # Check for module config changes
-            [[ -f "${currentConfigPath}" ]] \
+              [[ -f "${currentConfigPath}" ]] \
-              && ${pkgs.diffutils}/bin/diff -q '${newConfigPath}' "${currentConfigPath}" >/dev/null 2>&1 \
+                && ${pkgs.diffutils}/bin/diff -q '${newConfigPath}' "${currentConfigPath}" >/dev/null 2>&1 \
-              || changed=1
+                || changed=1
-            # Also check the content of the token file
+              # Also check the content of the token file
-            [[ -f "${currentConfigTokenPath}" ]] \
+              [[ -f "${currentConfigTokenPath}" ]] \
-              && ${pkgs.diffutils}/bin/diff -q "${currentConfigTokenPath}" ${escapeShellArg cfg.tokenFile} >/dev/null 2>&1 \
+                && ${pkgs.diffutils}/bin/diff -q "${currentConfigTokenPath}" ${escapeShellArg cfg.tokenFile} >/dev/null 2>&1 \
-              || changed=1
+                || changed=1
-            # If the config has changed, remove old state and copy tokens
+              # If the config has changed, remove old state and copy tokens
-            if [[ "$changed" -eq 1 ]]; then
+              if [[ "$changed" -eq 1 ]]; then
-              echo "Config has changed, removing old runner state."
+                echo "Config has changed, removing old runner state."
-              echo "The old runner will still appear in the GitHub Actions UI." \
+                echo "The old runner will still appear in the GitHub Actions UI." \
-                   "You have to remove it manually."
+                     "You have to remove it manually."
                clean_state
              fi
            }
            if [[ "${optionalString cfg.ephemeral "1"}" ]]; then
              # In ephemeral mode, we always want to start with a clean state
              clean_state
-            fi
+            elif [[ "$(ls -A "$STATE_DIRECTORY")" ]]; then
-          }
+              # There are state files from a previous run; diff them to decide if we need a new registration
-          if [[ "${optionalString cfg.ephemeral "1"}" ]]; then
+              diff_config
            # In ephemeral mode, we always want to start with a clean state
            clean_state
          elif [[ "$(ls -A "$STATE_DIRECTORY")" ]]; then
            # There are state files from a previous run; diff them to decide if we need a new registration
            diff_config
          else
            # The state directory is entirely empty which indicates a first start
            copy_tokens
          fi
        '';
        configureRunner = writeScript "configure" ''
          if [[ -e "${newConfigTokenPath}" ]]; then
            echo "Configuring GitHub Actions Runner"
            args=(
              --unattended
              --disableupdate
              --work "$WORK_DIRECTORY"
              --url ${escapeShellArg cfg.url}
              --labels ${escapeShellArg (concatStringsSep "," cfg.extraLabels)}
              --name ${escapeShellArg cfg.name}
              ${optionalString cfg.replace "--replace"}
              ${optionalString (cfg.runnerGroup != null) "--runnergroup ${escapeShellArg cfg.runnerGroup}"}
              ${optionalString cfg.ephemeral "--ephemeral"}
            )
            # If the token file contains a PAT (i.e., it starts with "ghp_" or "github_pat_"), we have to use the --pat option,
            # if it is not a PAT, we assume it contains a registration token and use the --token option
            token=$(<"${newConfigTokenPath}")
            if [[ "$token" =~ ^ghp_* ]] || [[ "$token" =~ ^github_pat_* ]]; then
              args+=(--pat "$token")
            else
-              args+=(--token "$token")
+              # The state directory is entirely empty which indicates a first start
              copy_tokens
            fi
-            ${cfg.package}/bin/config.sh "''${args[@]}"
+          '';
-            # Move the automatically created _diag dir to the logs dir
+          configureRunner = writeScript "configure" ''
-            mkdir -p  "$STATE_DIRECTORY/_diag"
+            if [[ -e "${newConfigTokenPath}" ]]; then
-            cp    -r  "$STATE_DIRECTORY/_diag/." "$LOGS_DIRECTORY/"
+              echo "Configuring GitHub Actions Runner"
-            rm    -rf "$STATE_DIRECTORY/_diag/"
+              args=(
-            # Cleanup token from config
+                --unattended
-            rm "${newConfigTokenPath}"
+                --disableupdate
-            # Symlink to new config
+                --work "$WORK_DIRECTORY"
-            ln -s '${newConfigPath}' "${currentConfigPath}"
+                --url ${escapeShellArg cfg.url}
-          fi
+                --labels ${escapeShellArg (concatStringsSep "," cfg.extraLabels)}
-        '';
+                --name ${escapeShellArg cfg.name}
-        setupWorkDir = writeScript "setup-work-dirs" ''
+                ${optionalString cfg.replace "--replace"}
-          # Cleanup previous service
+                ${optionalString (cfg.runnerGroup != null) "--runnergroup ${escapeShellArg cfg.runnerGroup}"}
-          ${pkgs.findutils}/bin/find -H "$WORK_DIRECTORY" -mindepth 1 -delete
+                ${optionalString cfg.ephemeral "--ephemeral"}
              )
              # If the token file contains a PAT (i.e., it starts with "ghp_" or "github_pat_"), we have to use the --pat option,
              # if it is not a PAT, we assume it contains a registration token and use the --token option
              token=$(<"${newConfigTokenPath}")
              if [[ "$token" =~ ^ghp_* ]] || [[ "$token" =~ ^github_pat_* ]]; then
                args+=(--pat "$token")
              else
                args+=(--token "$token")
              fi
              ${cfg.package}/bin/config.sh "''${args[@]}"
              # Move the automatically created _diag dir to the logs dir
              mkdir -p  "$STATE_DIRECTORY/_diag"
              cp    -r  "$STATE_DIRECTORY/_diag/." "$LOGS_DIRECTORY/"
              rm    -rf "$STATE_DIRECTORY/_diag/"
              # Cleanup token from config
              rm "${newConfigTokenPath}"
              # Symlink to new config
              ln -s '${newConfigPath}' "${currentConfigPath}"
            fi
          '';
          setupWorkDir = writeScript "setup-work-dirs" ''
            # Cleanup previous service
            ${pkgs.findutils}/bin/find -H "$WORK_DIRECTORY" -mindepth 1 -delete
-          # Link _diag dir
+            # Link _diag dir
-          ln -s "$LOGS_DIRECTORY" "$WORK_DIRECTORY/_diag"
+            ln -s "$LOGS_DIRECTORY" "$WORK_DIRECTORY/_diag"
-          # Link the runner credentials to the work dir
+            # Link the runner credentials to the work dir
-          ln -s "$STATE_DIRECTORY"/{${lib.concatStringsSep "," runnerCredFiles}} "$WORK_DIRECTORY/"
+            ln -s "$STATE_DIRECTORY"/{${lib.concatStringsSep "," runnerCredFiles}} "$WORK_DIRECTORY/"
-        '';
+          '';
-      in
+        in
        map (x: "${x} ${escapeShellArgs [ stateDir workDir logsDir ]}") [
          "+${unconfigureRunner}" # runs as root
          configureRunner
          setupWorkDir
        ];
-    # If running in ephemeral mode, restart the service on-exit (i.e., successful de-registration of the runner)
+      # If running in ephemeral mode, restart the service on-exit (i.e., successful de-registration of the runner)
-    # to trigger a fresh registration.
+      # to trigger a fresh registration.
-    Restart = if cfg.ephemeral then "on-success" else "no";
+      Restart = if cfg.ephemeral then "on-success" else "no";
-    # If the runner exits with `ReturnCode.RetryableError = 2`, always restart the service:
+      # If the runner exits with `ReturnCode.RetryableError = 2`, always restart the service:
-    # https://github.com/actions/runner/blob/40ed7f8/src/Runner.Common/Constants.cs#L146
+      # https://github.com/actions/runner/blob/40ed7f8/src/Runner.Common/Constants.cs#L146
-    RestartForceExitStatus = [ 2 ];
+      RestartForceExitStatus = [ 2 ];
-    # Contains _diag
+      # Contains _diag
-    LogsDirectory = [ systemdDir ];
+      LogsDirectory = [ systemdDir ];
-    # Default RUNNER_ROOT which contains ephemeral Runner data
+      # Default RUNNER_ROOT which contains ephemeral Runner data
-    RuntimeDirectory = [ systemdDir ];
+      RuntimeDirectory = [ systemdDir ];
-    # Home of persistent runner data, e.g., credentials
+      # Home of persistent runner data, e.g., credentials
-    StateDirectory = [ systemdDir ];
+      StateDirectory = [ systemdDir ];
-    StateDirectoryMode = "0700";
+      StateDirectoryMode = "0700";
-    WorkingDirectory = workDir;
+      WorkingDirectory = workDir;
-    InaccessiblePaths = [
+      InaccessiblePaths = [
-      # Token file path given in the configuration, if visible to the service
+        # Token file path given in the configuration, if visible to the service
-      "-${cfg.tokenFile}"
+        "-${cfg.tokenFile}"
-      # Token file in the state directory
+        # Token file in the state directory
-      "${stateDir}/${currentConfigTokenFilename}"
+        "${stateDir}/${currentConfigTokenFilename}"
-    ];
+      ];
-    KillSignal = "SIGINT";
+      KillSignal = "SIGINT";
-    # Hardening (may overlap with DynamicUser=)
+      # Hardening (may overlap with DynamicUser=)
-    # The following options are only for optimizing:
+      # The following options are only for optimizing:
-    # systemd-analyze security github-runner
+      # systemd-analyze security github-runner
-    AmbientCapabilities = mkBefore [ "" ];
+      AmbientCapabilities = mkBefore [ "" ];
-    CapabilityBoundingSet = mkBefore [ "" ];
+      CapabilityBoundingSet = mkBefore [ "" ];
-    # ProtectClock= adds DeviceAllow=char-rtc r
+      # ProtectClock= adds DeviceAllow=char-rtc r
-    DeviceAllow = mkBefore [ "" ];
+      DeviceAllow = mkBefore [ "" ];
-    NoNewPrivileges = mkDefault true;
+      NoNewPrivileges = mkDefault true;
-    PrivateDevices = mkDefault true;
+      PrivateDevices = mkDefault true;
-    PrivateMounts = mkDefault true;
+      PrivateMounts = mkDefault true;
-    PrivateTmp = mkDefault true;
+      PrivateTmp = mkDefault true;
-    PrivateUsers = mkDefault true;
+      PrivateUsers = mkDefault true;
-    ProtectClock = mkDefault true;
+      ProtectClock = mkDefault true;
-    ProtectControlGroups = mkDefault true;
+      ProtectControlGroups = mkDefault true;
-    ProtectHome = mkDefault true;
+      ProtectHome = mkDefault true;
-    ProtectHostname = mkDefault true;
+      ProtectHostname = mkDefault true;
-    ProtectKernelLogs = mkDefault true;
+      ProtectKernelLogs = mkDefault true;
-    ProtectKernelModules = mkDefault true;
+      ProtectKernelModules = mkDefault true;
-    ProtectKernelTunables = mkDefault true;
+      ProtectKernelTunables = mkDefault true;
-    ProtectSystem = mkDefault "strict";
+      ProtectSystem = mkDefault "strict";
-    RemoveIPC = mkDefault true;
+      RemoveIPC = mkDefault true;
-    RestrictNamespaces = mkDefault true;
+      RestrictNamespaces = mkDefault true;
-    RestrictRealtime = mkDefault true;
+      RestrictRealtime = mkDefault true;
-    RestrictSUIDSGID = mkDefault true;
+      RestrictSUIDSGID = mkDefault true;
-    UMask = mkDefault "0066";
+      UMask = mkDefault "0066";
-    ProtectProc = mkDefault "invisible";
+      ProtectProc = mkDefault "invisible";
-    SystemCallFilter = mkBefore [
+      SystemCallFilter = mkBefore [
-      "~@clock"
+        "~@clock"
-      "~@cpu-emulation"
+        "~@cpu-emulation"
-      "~@module"
+        "~@module"
-      "~@mount"
+        "~@mount"
-      "~@obsolete"
+        "~@obsolete"
-      "~@raw-io"
+        "~@raw-io"
-      "~@reboot"
+        "~@reboot"
-      "~capset"
+        "~capset"
-      "~setdomainname"
+        "~setdomainname"
-      "~sethostname"
+        "~sethostname"
-    ];
+      ];
-    RestrictAddressFamilies = mkBefore [ "AF_INET" "AF_INET6" "AF_UNIX" "AF_NETLINK" ];
+      RestrictAddressFamilies = mkBefore [ "AF_INET" "AF_INET6" "AF_UNIX" "AF_NETLINK" ];
-    BindPaths = lib.optionals (cfg.workDir != null) [ cfg.workDir ];
+      BindPaths = lib.optionals (cfg.workDir != null) [ cfg.workDir ];
-    # Needs network access
+      # Needs network access
-    PrivateNetwork = mkDefault false;
+      PrivateNetwork = mkDefault false;
-    # Cannot be true due to Node
+      # Cannot be true due to Node
-    MemoryDenyWriteExecute = mkDefault false;
+      MemoryDenyWriteExecute = mkDefault false;
-    # The more restrictive "pid" option makes `nix` commands in CI emit
+      # The more restrictive "pid" option makes `nix` commands in CI emit
-    # "GC Warning: Couldn't read /proc/stat"
+      # "GC Warning: Couldn't read /proc/stat"
-    # You may want to set this to "pid" if not using `nix` commands
+      # You may want to set this to "pid" if not using `nix` commands
-    ProcSubset = mkDefault "all";
+      ProcSubset = mkDefault "all";
-    # Coverage programs for compiled code such as `cargo-tarpaulin` disable
+      # Coverage programs for compiled code such as `cargo-tarpaulin` disable
-    # ASLR (address space layout randomization) which requires the
+      # ASLR (address space layout randomization) which requires the
-    # `personality` syscall
+      # `personality` syscall
-    # You may want to set this to `true` if not using coverage tooling on
+      # You may want to set this to `true` if not using coverage tooling on
-    # compiled code
+      # compiled code
-    LockPersonality = mkDefault false;
+      LockPersonality = mkDefault false;
-    # Note that this has some interactions with the User setting; so you may
+      # Note that this has some interactions with the User setting; so you may
-    # want to consult the systemd docs if using both.
+      # want to consult the systemd docs if using both.
-    DynamicUser = mkDefault true;
+      DynamicUser = mkDefault true;
-  }
+    }
    (mkIf (cfg.user != null) { User = cfg.user; })
-    cfg.serviceOverrides];
+    cfg.serviceOverrides
  ];
 }