pyrox.dev / nixpkgs
lol
fork atom
nixpkgs / nixos / modules / services / continuous-integration / github-runner / service.nix
at 23.11-pre 11 kB view raw
1{ config 2, lib 3, pkgs 4 5, cfg ? config.services.github-runner 6, svcName 7 8, systemdDir ? "${svcName}/${cfg.name}" 9 # %t: Runtime directory root (usually /run); see systemd.unit(5) 10, runtimeDir ? "%t/${systemdDir}" 11 # %S: State directory root (usually /var/lib); see systemd.unit(5) 12, stateDir ? "%S/${systemdDir}" 13 # %L: Log directory root (usually /var/log); see systemd.unit(5) 14, logsDir ? "%L/${systemdDir}" 15 # Name of file stored in service state directory 16, currentConfigTokenFilename ? ".current-token" 17 18, ... 19}: 20 21with lib; 22 23let 24 workDir = if cfg.workDir == null then runtimeDir else cfg.workDir; 25in 26{ 27 description = "GitHub Actions runner"; 28 29 wantedBy = [ "multi-user.target" ]; 30 wants = [ "network-online.target" ]; 31 after = [ "network.target" "network-online.target" ]; 32 33 environment = { 34 HOME = workDir; 35 RUNNER_ROOT = stateDir; 36 } // cfg.extraEnvironment; 37 38 path = (with pkgs; [ 39 bash 40 coreutils 41 git 42 gnutar 43 gzip 44 ]) ++ [ 45 config.nix.package 46 ] ++ cfg.extraPackages; 47 48 serviceConfig = mkMerge [ 49 { 50 ExecStart = "${cfg.package}/bin/Runner.Listener run --startuptype service"; 51 52 # Does the following, sequentially: 53 # - If the module configuration or the token has changed, purge the state directory, 54 # and create the current and the new token file with the contents of the configured 55 # token. While both files have the same content, only the later is accessible by 56 # the service user. 57 # - Configure the runner using the new token file. When finished, delete it. 58 # - Set up the directory structure by creating the necessary symlinks. 59 ExecStartPre = 60 let 61 # Wrapper script which expects the full path of the state, working and logs 62 # directory as arguments. Overrides the respective systemd variables to provide 63 # unambiguous directory names. This becomes relevant, for example, if the 64 # caller overrides any of the StateDirectory=, RuntimeDirectory= or LogDirectory= 65 # to contain more than one directory. This causes systemd to set the respective 66 # environment variables with the path of all of the given directories, separated 67 # by a colon. 68 writeScript = name: lines: pkgs.writeShellScript "${svcName}-${name}.sh" '' 69 set -euo pipefail 70 71 STATE_DIRECTORY="$1" 72 WORK_DIRECTORY="$2" 73 LOGS_DIRECTORY="$3" 74 75 ${lines} 76 ''; 77 runnerRegistrationConfig = getAttrs [ "name" "tokenFile" "url" "runnerGroup" "extraLabels" "ephemeral" "workDir" ] cfg; 78 newConfigPath = builtins.toFile "${svcName}-config.json" (builtins.toJSON runnerRegistrationConfig); 79 currentConfigPath = "$STATE_DIRECTORY/.nixos-current-config.json"; 80 newConfigTokenPath = "$STATE_DIRECTORY/.new-token"; 81 currentConfigTokenPath = "$STATE_DIRECTORY/${currentConfigTokenFilename}"; 82 83 runnerCredFiles = [ 84 ".credentials" 85 ".credentials_rsaparams" 86 ".runner" 87 ]; 88 unconfigureRunner = writeScript "unconfigure" '' 89 copy_tokens() { 90 # Copy the configured token file to the state dir and allow the service user to read the file 91 install --mode=666 ${escapeShellArg cfg.tokenFile} "${newConfigTokenPath}" 92 # Also copy current file to allow for a diff on the next start 93 install --mode=600 ${escapeShellArg cfg.tokenFile} "${currentConfigTokenPath}" 94 } 95 clean_state() { 96 find "$STATE_DIRECTORY/" -mindepth 1 -delete 97 copy_tokens 98 } 99 diff_config() { 100 changed=0 101 # Check for module config changes 102 [[ -f "${currentConfigPath}" ]] \ 103 && ${pkgs.diffutils}/bin/diff -q '${newConfigPath}' "${currentConfigPath}" >/dev/null 2>&1 \ 104 || changed=1 105 # Also check the content of the token file 106 [[ -f "${currentConfigTokenPath}" ]] \ 107 && ${pkgs.diffutils}/bin/diff -q "${currentConfigTokenPath}" ${escapeShellArg cfg.tokenFile} >/dev/null 2>&1 \ 108 || changed=1 109 # If the config has changed, remove old state and copy tokens 110 if [[ "$changed" -eq 1 ]]; then 111 echo "Config has changed, removing old runner state." 112 echo "The old runner will still appear in the GitHub Actions UI." \ 113 "You have to remove it manually." 114 clean_state 115 fi 116 } 117 if [[ "${optionalString cfg.ephemeral "1"}" ]]; then 118 # In ephemeral mode, we always want to start with a clean state 119 clean_state 120 elif [[ "$(ls -A "$STATE_DIRECTORY")" ]]; then 121 # There are state files from a previous run; diff them to decide if we need a new registration 122 diff_config 123 else 124 # The state directory is entirely empty which indicates a first start 125 copy_tokens 126 fi 127 # Always clean workDir 128 find -H "$WORK_DIRECTORY" -mindepth 1 -delete 129 ''; 130 configureRunner = writeScript "configure" '' 131 if [[ -e "${newConfigTokenPath}" ]]; then 132 echo "Configuring GitHub Actions Runner" 133 args=( 134 --unattended 135 --disableupdate 136 --work "$WORK_DIRECTORY" 137 --url ${escapeShellArg cfg.url} 138 --labels ${escapeShellArg (concatStringsSep "," cfg.extraLabels)} 139 --name ${escapeShellArg cfg.name} 140 ${optionalString cfg.replace "--replace"} 141 ${optionalString (cfg.runnerGroup != null) "--runnergroup ${escapeShellArg cfg.runnerGroup}"} 142 ${optionalString cfg.ephemeral "--ephemeral"} 143 ) 144 # If the token file contains a PAT (i.e., it starts with "ghp_" or "github_pat_"), we have to use the --pat option, 145 # if it is not a PAT, we assume it contains a registration token and use the --token option 146 token=$(<"${newConfigTokenPath}") 147 if [[ "$token" =~ ^ghp_* ]] || [[ "$token" =~ ^github_pat_* ]]; then 148 args+=(--pat "$token") 149 else 150 args+=(--token "$token") 151 fi 152 ${cfg.package}/bin/Runner.Listener configure "''${args[@]}" 153 # Move the automatically created _diag dir to the logs dir 154 mkdir -p "$STATE_DIRECTORY/_diag" 155 cp -r "$STATE_DIRECTORY/_diag/." "$LOGS_DIRECTORY/" 156 rm -rf "$STATE_DIRECTORY/_diag/" 157 # Cleanup token from config 158 rm "${newConfigTokenPath}" 159 # Symlink to new config 160 ln -s '${newConfigPath}' "${currentConfigPath}" 161 fi 162 ''; 163 setupWorkDir = writeScript "setup-work-dirs" '' 164 # Link _diag dir 165 ln -s "$LOGS_DIRECTORY" "$WORK_DIRECTORY/_diag" 166 167 # Link the runner credentials to the work dir 168 ln -s "$STATE_DIRECTORY"/{${lib.concatStringsSep "," runnerCredFiles}} "$WORK_DIRECTORY/" 169 ''; 170 in 171 map (x: "${x} ${escapeShellArgs [ stateDir workDir logsDir ]}") [ 172 "+${unconfigureRunner}" # runs as root 173 configureRunner 174 setupWorkDir 175 ]; 176 177 # If running in ephemeral mode, restart the service on-exit (i.e., successful de-registration of the runner) 178 # to trigger a fresh registration. 179 Restart = if cfg.ephemeral then "on-success" else "no"; 180 # If the runner exits with `ReturnCode.RetryableError = 2`, always restart the service: 181 # https://github.com/actions/runner/blob/40ed7f8/src/Runner.Common/Constants.cs#L146 182 RestartForceExitStatus = [ 2 ]; 183 184 # Contains _diag 185 LogsDirectory = [ systemdDir ]; 186 # Default RUNNER_ROOT which contains ephemeral Runner data 187 RuntimeDirectory = [ systemdDir ]; 188 # Home of persistent runner data, e.g., credentials 189 StateDirectory = [ systemdDir ]; 190 StateDirectoryMode = "0700"; 191 WorkingDirectory = workDir; 192 193 InaccessiblePaths = [ 194 # Token file path given in the configuration, if visible to the service 195 "-${cfg.tokenFile}" 196 # Token file in the state directory 197 "${stateDir}/${currentConfigTokenFilename}" 198 ]; 199 200 KillSignal = "SIGINT"; 201 202 # Hardening (may overlap with DynamicUser=) 203 # The following options are only for optimizing: 204 # systemd-analyze security github-runner 205 AmbientCapabilities = mkBefore [ "" ]; 206 CapabilityBoundingSet = mkBefore [ "" ]; 207 # ProtectClock= adds DeviceAllow=char-rtc r 208 DeviceAllow = mkBefore [ "" ]; 209 NoNewPrivileges = mkDefault true; 210 PrivateDevices = mkDefault true; 211 PrivateMounts = mkDefault true; 212 PrivateTmp = mkDefault true; 213 PrivateUsers = mkDefault true; 214 ProtectClock = mkDefault true; 215 ProtectControlGroups = mkDefault true; 216 ProtectHome = mkDefault true; 217 ProtectHostname = mkDefault true; 218 ProtectKernelLogs = mkDefault true; 219 ProtectKernelModules = mkDefault true; 220 ProtectKernelTunables = mkDefault true; 221 ProtectSystem = mkDefault "strict"; 222 RemoveIPC = mkDefault true; 223 RestrictNamespaces = mkDefault true; 224 RestrictRealtime = mkDefault true; 225 RestrictSUIDSGID = mkDefault true; 226 UMask = mkDefault "0066"; 227 ProtectProc = mkDefault "invisible"; 228 SystemCallFilter = mkBefore [ 229 "~@clock" 230 "~@cpu-emulation" 231 "~@module" 232 "~@mount" 233 "~@obsolete" 234 "~@raw-io" 235 "~@reboot" 236 "~capset" 237 "~setdomainname" 238 "~sethostname" 239 ]; 240 RestrictAddressFamilies = mkBefore [ "AF_INET" "AF_INET6" "AF_UNIX" "AF_NETLINK" ]; 241 242 BindPaths = lib.optionals (cfg.workDir != null) [ cfg.workDir ]; 243 244 # Needs network access 245 PrivateNetwork = mkDefault false; 246 # Cannot be true due to Node 247 MemoryDenyWriteExecute = mkDefault false; 248 249 # The more restrictive "pid" option makes `nix` commands in CI emit 250 # "GC Warning: Couldn't read /proc/stat" 251 # You may want to set this to "pid" if not using `nix` commands 252 ProcSubset = mkDefault "all"; 253 # Coverage programs for compiled code such as `cargo-tarpaulin` disable 254 # ASLR (address space layout randomization) which requires the 255 # `personality` syscall 256 # You may want to set this to `true` if not using coverage tooling on 257 # compiled code 258 LockPersonality = mkDefault false; 259 260 # Note that this has some interactions with the User setting; so you may 261 # want to consult the systemd docs if using both. 262 DynamicUser = mkDefault true; 263 } 264 (mkIf (cfg.user != null) { User = cfg.user; }) 265 cfg.serviceOverrides 266 ]; 267}