nixos/modules/services/continuous-integration/github-runner/service.nix at master · pyrox.dev/nixpkgs

pyrox.dev / nixpkgs
lol
nixpkgs / nixos / modules / services / continuous-integration / github-runner / service.nix
at master 14 kB view raw
  1{
  2  config,
  3  lib,
  4  pkgs,
  5  ...
  6}:
  7{
  8  config.assertions = lib.flatten (
  9    lib.flip lib.mapAttrsToList config.services.github-runners (
 10      name: cfg:
 11      map (lib.mkIf cfg.enable) [
 12        {
 13          assertion = !cfg.noDefaultLabels || (cfg.extraLabels != [ ]);
 14          message = "`services.github-runners.${name}`: The `extraLabels` option is mandatory if `noDefaultLabels` is set";
 15        }
 16        {
 17          assertion = cfg.group == null || cfg.user != null;
 18          message = ''`services.github-runners.${name}`: Setting `group` while leaving `user` unset runs the service as `root`. If this is really what you want, set `user = "root"` explicitly'';
 19        }
 20      ]
 21    )
 22  );
 23
 24  config.systemd.services =
 25    let
 26      enabledRunners = lib.filterAttrs (_: cfg: cfg.enable) config.services.github-runners;
 27    in
 28    (lib.flip lib.mapAttrs' enabledRunners (
 29      name: cfg:
 30      let
 31        svcName = "github-runner-${name}";
 32        systemdDir = "github-runner/${name}";
 33
 34        # %t: Runtime directory root (usually /run); see systemd.unit(5)
 35        runtimeDir = "%t/${systemdDir}";
 36        # %S: State directory root (usually /var/lib); see systemd.unit(5)
 37        stateDir = "%S/${systemdDir}";
 38        # %L: Log directory root (usually /var/log); see systemd.unit(5)
 39        logsDir = "%L/${systemdDir}";
 40        # Name of file stored in service state directory
 41        currentConfigTokenFilename = ".current-token";
 42
 43        workDir = if cfg.workDir == null then runtimeDir else cfg.workDir;
 44      in
 45      lib.nameValuePair svcName {
 46        description = "GitHub Actions runner";
 47
 48        wantedBy = [ "multi-user.target" ];
 49        wants = [ "network-online.target" ];
 50        after = [
 51          "network.target"
 52          "network-online.target"
 53        ];
 54
 55        environment = {
 56          HOME = workDir;
 57          RUNNER_ROOT = stateDir;
 58        }
 59        // cfg.extraEnvironment;
 60
 61        path =
 62          (with pkgs; [
 63            bashInteractive
 64            coreutils
 65            git
 66            gnutar
 67            gzip
 68          ])
 69          ++ [
 70            config.nix.package
 71          ]
 72          ++ cfg.extraPackages;
 73
 74        serviceConfig = lib.mkMerge [
 75          {
 76            ExecStart = "${cfg.package}/bin/Runner.Listener run --startuptype service";
 77
 78            # Does the following, sequentially:
 79            # - If the module configuration or the token has changed, purge the state directory,
 80            #   and create the current and the new token file with the contents of the configured
 81            #   token. While both files have the same content, only the later is accessible by
 82            #   the service user.
 83            # - Configure the runner using the new token file. When finished, delete it.
 84            # - Set up the directory structure by creating the necessary symlinks.
 85            ExecStartPre =
 86              let
 87                # Wrapper script which expects the full path of the state, working and logs
 88                # directory as arguments. Overrides the respective systemd variables to provide
 89                # unambiguous directory names. This becomes relevant, for example, if the
 90                # caller overrides any of the StateDirectory=, RuntimeDirectory= or LogDirectory=
 91                # to contain more than one directory. This causes systemd to set the respective
 92                # environment variables with the path of all of the given directories, separated
 93                # by a colon.
 94                writeScript =
 95                  name: lines:
 96                  pkgs.writeShellScript "${svcName}-${name}.sh" ''
 97                    set -euo pipefail
 98
 99                    STATE_DIRECTORY="$1"
100                    WORK_DIRECTORY="$2"
101                    LOGS_DIRECTORY="$3"
102
103                    ${lines}
104                  '';
105                runnerRegistrationConfig = lib.getAttrs [
106                  "ephemeral"
107                  "extraLabels"
108                  "name"
109                  "noDefaultLabels"
110                  "runnerGroup"
111                  "tokenFile"
112                  "url"
113                  "workDir"
114                ] cfg;
115                newConfigPath = builtins.toFile "${svcName}-config.json" (builtins.toJSON runnerRegistrationConfig);
116                currentConfigPath = "$STATE_DIRECTORY/.nixos-current-config.json";
117                newConfigTokenPath = "$STATE_DIRECTORY/.new-token";
118                currentConfigTokenPath = "$STATE_DIRECTORY/${currentConfigTokenFilename}";
119
120                runnerCredFiles = [
121                  ".credentials"
122                  ".credentials_rsaparams"
123                  ".runner"
124                ];
125                unconfigureRunner = writeScript "unconfigure" ''
126                  copy_tokens() {
127                    # Copy the configured token file to the state dir and allow the service user to read the file
128                    install --mode=666 ${lib.escapeShellArg cfg.tokenFile} "${newConfigTokenPath}"
129                    # Also copy current file to allow for a diff on the next start
130                    install --mode=600 ${lib.escapeShellArg cfg.tokenFile} "${currentConfigTokenPath}"
131                  }
132                  clean_state() {
133                    find "$STATE_DIRECTORY/" -mindepth 1 -delete
134                    copy_tokens
135                  }
136                  diff_config() {
137                    changed=0
138                    # Check for module config changes
139                    [[ -f "${currentConfigPath}" ]] \
140                      && ${pkgs.diffutils}/bin/diff -q '${newConfigPath}' "${currentConfigPath}" >/dev/null 2>&1 \
141                      || changed=1
142                    # Also check the content of the token file
143                    [[ -f "${currentConfigTokenPath}" ]] \
144                      && ${pkgs.diffutils}/bin/diff -q "${currentConfigTokenPath}" ${lib.escapeShellArg cfg.tokenFile} >/dev/null 2>&1 \
145                      || changed=1
146                    # If the config has changed, remove old state and copy tokens
147                    if [[ "$changed" -eq 1 ]]; then
148                      echo "Config has changed, removing old runner state."
149                      echo "The old runner will still appear in the GitHub Actions UI." \
150                           "You have to remove it manually."
151                      clean_state
152                    fi
153                  }
154                  if [[ "${lib.optionalString cfg.ephemeral "1"}" ]]; then
155                    # In ephemeral mode, we always want to start with a clean state
156                    clean_state
157                  elif [[ "$(ls -A "$STATE_DIRECTORY")" ]]; then
158                    # There are state files from a previous run; diff them to decide if we need a new registration
159                    diff_config
160                  else
161                    # The state directory is entirely empty which indicates a first start
162                    copy_tokens
163                  fi
164                  # Always clean workDir
165                  find -H "$WORK_DIRECTORY" -mindepth 1 -delete
166                '';
167                configureRunner =
168                  writeScript "configure" # bash
169                    ''
170                      if [[ -e "${newConfigTokenPath}" ]]; then
171                        echo "Configuring GitHub Actions Runner"
172                        # shellcheck disable=SC2054  # don't complain about commas in --labels
173                        args=(
174                          --unattended
175                          --disableupdate
176                          --work "$WORK_DIRECTORY"
177                          --url ${lib.escapeShellArg cfg.url}
178                          --labels ${lib.escapeShellArg (lib.concatStringsSep "," cfg.extraLabels)}
179                          ${lib.optionalString (cfg.name != null) "--name ${lib.escapeShellArg cfg.name}"}
180                          ${lib.optionalString cfg.replace "--replace"}
181                          ${lib.optionalString (
182                            cfg.runnerGroup != null
183                          ) "--runnergroup ${lib.escapeShellArg cfg.runnerGroup}"}
184                          ${lib.optionalString cfg.ephemeral "--ephemeral"}
185                          ${lib.optionalString cfg.noDefaultLabels "--no-default-labels"}
186                        )
187                        # If the token file contains a PAT (i.e., it starts with "ghp_" or "github_pat_"), we have to use the --pat option,
188                        # if it is not a PAT, we assume it contains a registration token and use the --token option
189                        token=$(<"${newConfigTokenPath}")
190                        if [[ "$token" =~ ^ghp_* ]] || [[ "$token" =~ ^github_pat_* ]]; then
191                          args+=(--pat "$token")
192                        else
193                          args+=(--token "$token")
194                        fi
195                        ${cfg.package}/bin/Runner.Listener configure "''${args[@]}"
196                        # Move the automatically created _diag dir to the logs dir
197                        mkdir -p  "$STATE_DIRECTORY/_diag"
198                        cp    -r  "$STATE_DIRECTORY/_diag/." "$LOGS_DIRECTORY/"
199                        rm    -rf "$STATE_DIRECTORY/_diag/"
200                        # Cleanup token from config
201                        rm "${newConfigTokenPath}"
202                        # Symlink to new config
203                        ln -s '${newConfigPath}' "${currentConfigPath}"
204                      fi
205                    '';
206                setupWorkDir = writeScript "setup-work-dirs" ''
207                  # Link _diag dir
208                  ln -s "$LOGS_DIRECTORY" "$WORK_DIRECTORY/_diag"
209
210                  # Link the runner credentials to the work dir
211                  ln -s "$STATE_DIRECTORY"/{${lib.concatStringsSep "," runnerCredFiles}} "$WORK_DIRECTORY/"
212                '';
213              in
214              map
215                (
216                  x:
217                  "${x} ${
218                    lib.escapeShellArgs [
219                      stateDir
220                      workDir
221                      logsDir
222                    ]
223                  }"
224                )
225                [
226                  "+${unconfigureRunner}" # runs as root
227                  configureRunner
228                  setupWorkDir
229                ];
230
231            # If running in ephemeral mode, restart the service on-exit (i.e., successful de-registration of the runner)
232            # to trigger a fresh registration.
233            Restart = if cfg.ephemeral then "on-success" else "no";
234            # If the runner exits with `ReturnCode.RetryableError = 2`, always restart the service:
235            # https://github.com/actions/runner/blob/40ed7f8/src/Runner.Common/Constants.cs#L146
236            RestartForceExitStatus = [ 2 ];
237
238            # Contains _diag
239            LogsDirectory = [ systemdDir ];
240            # Default RUNNER_ROOT which contains ephemeral Runner data
241            RuntimeDirectory = [ systemdDir ];
242            # Home of persistent runner data, e.g., credentials
243            StateDirectory = [ systemdDir ];
244            StateDirectoryMode = "0700";
245            WorkingDirectory = workDir;
246
247            InaccessiblePaths = [
248              # Token file path given in the configuration, if visible to the service
249              "-${cfg.tokenFile}"
250              # Token file in the state directory
251              "${stateDir}/${currentConfigTokenFilename}"
252            ];
253
254            KillSignal = "SIGINT";
255
256            # Hardening (may overlap with DynamicUser=)
257            # The following options are only for optimizing:
258            # systemd-analyze security github-runner
259            AmbientCapabilities = lib.mkBefore [ "" ];
260            CapabilityBoundingSet = lib.mkBefore [ "" ];
261            # ProtectClock= adds DeviceAllow=char-rtc r
262            DeviceAllow = lib.mkBefore [ "" ];
263            NoNewPrivileges = lib.mkDefault true;
264            PrivateDevices = lib.mkDefault true;
265            PrivateMounts = lib.mkDefault true;
266            PrivateTmp = lib.mkDefault true;
267            PrivateUsers = lib.mkDefault true;
268            ProtectClock = lib.mkDefault true;
269            ProtectControlGroups = lib.mkDefault true;
270            ProtectHome = lib.mkDefault true;
271            ProtectHostname = lib.mkDefault true;
272            ProtectKernelLogs = lib.mkDefault true;
273            ProtectKernelModules = lib.mkDefault true;
274            ProtectKernelTunables = lib.mkDefault true;
275            ProtectSystem = lib.mkDefault "strict";
276            RemoveIPC = lib.mkDefault true;
277            RestrictNamespaces = lib.mkDefault true;
278            RestrictRealtime = lib.mkDefault true;
279            RestrictSUIDSGID = lib.mkDefault true;
280            UMask = lib.mkDefault "0066";
281            ProtectProc = lib.mkDefault "invisible";
282            SystemCallFilter = lib.mkBefore [
283              "~@clock"
284              "~@cpu-emulation"
285              "~@module"
286              "~@mount"
287              "~@obsolete"
288              "~@raw-io"
289              "~@reboot"
290              "~capset"
291              "~setdomainname"
292              "~sethostname"
293            ];
294            RestrictAddressFamilies = lib.mkBefore [
295              "AF_INET"
296              "AF_INET6"
297              "AF_UNIX"
298              "AF_NETLINK"
299            ];
300
301            BindPaths = lib.optionals (cfg.workDir != null) [ cfg.workDir ];
302
303            # Needs network access
304            PrivateNetwork = lib.mkDefault false;
305            # Cannot be true due to Node
306            MemoryDenyWriteExecute = lib.mkDefault false;
307
308            # The more restrictive "pid" option makes `nix` commands in CI emit
309            # "GC Warning: Couldn't read /proc/stat"
310            # You may want to set this to "pid" if not using `nix` commands
311            ProcSubset = lib.mkDefault "all";
312            # Coverage programs for compiled code such as `cargo-tarpaulin` disable
313            # ASLR (address space layout randomization) which requires the
314            # `personality` syscall
315            # You may want to set this to `true` if not using coverage tooling on
316            # compiled code
317            LockPersonality = lib.mkDefault false;
318
319            DynamicUser = lib.mkDefault true;
320          }
321          (lib.mkIf (cfg.user != null) {
322            DynamicUser = false;
323            User = cfg.user;
324          })
325          (lib.mkIf (cfg.group != null) {
326            DynamicUser = false;
327            Group = cfg.group;
328          })
329          cfg.serviceOverrides
330        ];
331      }
332    ));
333}