···
+
config.assertions = flatten (
+
flip mapAttrsToList config.services.github-runners (name: cfg: map (mkIf cfg.enable) [
+
assertion = !cfg.noDefaultLabels || (cfg.extraLabels != [ ]);
+
message = "`services.github-runners.${name}`: The `extraLabels` option is mandatory if `noDefaultLabels` is set";
+
config.systemd.services = flip mapAttrs' config.services.github-runners (name: cfg:
+
svcName = "github-runner-${name}";
+
systemdDir = "github-runner/${name}";
+
# %t: Runtime directory root (usually /run); see systemd.unit(5)
+
runtimeDir = "%t/${systemdDir}";
+
# %S: State directory root (usually /var/lib); see systemd.unit(5)
+
stateDir = "%S/${systemdDir}";
+
# %L: Log directory root (usually /var/log); see systemd.unit(5)
+
logsDir = "%L/${systemdDir}";
+
# Name of file stored in service state directory
+
currentConfigTokenFilename = ".current-token";
+
workDir = if cfg.workDir == null then runtimeDir else cfg.workDir;
+
# Support old github-runner versions which don't have the `nodeRuntimes` arg yet.
+
package = cfg.package.override (old: optionalAttrs (hasAttr "nodeRuntimes" old) { inherit (cfg) nodeRuntimes; });
+
nameValuePair svcName {
+
description = "GitHub Actions runner";
+
wantedBy = [ "multi-user.target" ];
+
wants = [ "network-online.target" ];
+
after = [ "network.target" "network-online.target" ];
+
RUNNER_ROOT = stateDir;
+
} // cfg.extraEnvironment;
+
] ++ cfg.extraPackages;
+
serviceConfig = mkMerge [
+
ExecStart = "${package}/bin/Runner.Listener run --startuptype service";
+
# Does the following, sequentially:
+
# - If the module configuration or the token has changed, purge the state directory,
+
# and create the current and the new token file with the contents of the configured
+
# token. While both files have the same content, only the later is accessible by
+
# - Configure the runner using the new token file. When finished, delete it.
+
# - Set up the directory structure by creating the necessary symlinks.
+
# Wrapper script which expects the full path of the state, working and logs
+
# directory as arguments. Overrides the respective systemd variables to provide
+
# unambiguous directory names. This becomes relevant, for example, if the
+
# caller overrides any of the StateDirectory=, RuntimeDirectory= or LogDirectory=
+
# to contain more than one directory. This causes systemd to set the respective
+
# environment variables with the path of all of the given directories, separated
+
writeScript = name: lines: pkgs.writeShellScript "${svcName}-${name}.sh" ''
+
runnerRegistrationConfig = getAttrs [
+
newConfigPath = builtins.toFile "${svcName}-config.json" (builtins.toJSON runnerRegistrationConfig);
+
currentConfigPath = "$STATE_DIRECTORY/.nixos-current-config.json";
+
newConfigTokenPath = "$STATE_DIRECTORY/.new-token";
+
currentConfigTokenPath = "$STATE_DIRECTORY/${currentConfigTokenFilename}";
+
".credentials_rsaparams"
+
unconfigureRunner = writeScript "unconfigure" ''
+
# Copy the configured token file to the state dir and allow the service user to read the file
+
install --mode=666 ${escapeShellArg cfg.tokenFile} "${newConfigTokenPath}"
+
# Also copy current file to allow for a diff on the next start
+
install --mode=600 ${escapeShellArg cfg.tokenFile} "${currentConfigTokenPath}"
+
find "$STATE_DIRECTORY/" -mindepth 1 -delete
+
# Check for module config changes
+
[[ -f "${currentConfigPath}" ]] \
+
&& ${pkgs.diffutils}/bin/diff -q '${newConfigPath}' "${currentConfigPath}" >/dev/null 2>&1 \
+
# Also check the content of the token file
+
[[ -f "${currentConfigTokenPath}" ]] \
+
&& ${pkgs.diffutils}/bin/diff -q "${currentConfigTokenPath}" ${escapeShellArg cfg.tokenFile} >/dev/null 2>&1 \
+
# If the config has changed, remove old state and copy tokens
+
if [[ "$changed" -eq 1 ]]; then
+
echo "Config has changed, removing old runner state."
+
echo "The old runner will still appear in the GitHub Actions UI." \
+
"You have to remove it manually."
+
if [[ "${optionalString cfg.ephemeral "1"}" ]]; then
+
# In ephemeral mode, we always want to start with a clean state
+
elif [[ "$(ls -A "$STATE_DIRECTORY")" ]]; then
+
# There are state files from a previous run; diff them to decide if we need a new registration
+
# The state directory is entirely empty which indicates a first start
+
find -H "$WORK_DIRECTORY" -mindepth 1 -delete
+
configureRunner = writeScript "configure" ''
+
if [[ -e "${newConfigTokenPath}" ]]; then
+
echo "Configuring GitHub Actions Runner"
+
--work "$WORK_DIRECTORY"
+
--url ${escapeShellArg cfg.url}
+
--labels ${escapeShellArg (concatStringsSep "," cfg.extraLabels)}
+
${optionalString (cfg.name != null ) "--name ${escapeShellArg cfg.name}"}
+
${optionalString cfg.replace "--replace"}
+
${optionalString (cfg.runnerGroup != null) "--runnergroup ${escapeShellArg cfg.runnerGroup}"}
+
${optionalString cfg.ephemeral "--ephemeral"}
+
${optionalString cfg.noDefaultLabels "--no-default-labels"}
+
# If the token file contains a PAT (i.e., it starts with "ghp_" or "github_pat_"), we have to use the --pat option,
+
# if it is not a PAT, we assume it contains a registration token and use the --token option
+
token=$(<"${newConfigTokenPath}")
+
if [[ "$token" =~ ^ghp_* ]] || [[ "$token" =~ ^github_pat_* ]]; then
+
args+=(--token "$token")
+
${package}/bin/Runner.Listener configure "''${args[@]}"
+
# Move the automatically created _diag dir to the logs dir
+
mkdir -p "$STATE_DIRECTORY/_diag"
+
cp -r "$STATE_DIRECTORY/_diag/." "$LOGS_DIRECTORY/"
+
rm -rf "$STATE_DIRECTORY/_diag/"
+
# Cleanup token from config
+
rm "${newConfigTokenPath}"
+
# Symlink to new config
+
ln -s '${newConfigPath}' "${currentConfigPath}"
+
setupWorkDir = writeScript "setup-work-dirs" ''
+
ln -s "$LOGS_DIRECTORY" "$WORK_DIRECTORY/_diag"
+
# Link the runner credentials to the work dir
+
ln -s "$STATE_DIRECTORY"/{${lib.concatStringsSep "," runnerCredFiles}} "$WORK_DIRECTORY/"
+
map (x: "${x} ${escapeShellArgs [ stateDir workDir logsDir ]}") [
+
"+${unconfigureRunner}" # runs as root
+
# If running in ephemeral mode, restart the service on-exit (i.e., successful de-registration of the runner)
+
# to trigger a fresh registration.
+
Restart = if cfg.ephemeral then "on-success" else "no";
+
# If the runner exits with `ReturnCode.RetryableError = 2`, always restart the service:
+
# https://github.com/actions/runner/blob/40ed7f8/src/Runner.Common/Constants.cs#L146
+
RestartForceExitStatus = [ 2 ];
+
LogsDirectory = [ systemdDir ];
+
# Default RUNNER_ROOT which contains ephemeral Runner data
+
RuntimeDirectory = [ systemdDir ];
+
# Home of persistent runner data, e.g., credentials
+
StateDirectory = [ systemdDir ];
+
StateDirectoryMode = "0700";
+
WorkingDirectory = workDir;
+
# Token file path given in the configuration, if visible to the service
+
# Token file in the state directory
+
"${stateDir}/${currentConfigTokenFilename}"
+
# Hardening (may overlap with DynamicUser=)
+
# The following options are only for optimizing:
+
# systemd-analyze security github-runner
+
AmbientCapabilities = mkBefore [ "" ];
+
CapabilityBoundingSet = mkBefore [ "" ];
+
# ProtectClock= adds DeviceAllow=char-rtc r
+
DeviceAllow = mkBefore [ "" ];
+
NoNewPrivileges = mkDefault true;
+
PrivateDevices = mkDefault true;
+
PrivateMounts = mkDefault true;
+
PrivateTmp = mkDefault true;
+
PrivateUsers = mkDefault true;
+
ProtectClock = mkDefault true;
+
ProtectControlGroups = mkDefault true;
+
ProtectHome = mkDefault true;
+
ProtectHostname = mkDefault true;
+
ProtectKernelLogs = mkDefault true;
+
ProtectKernelModules = mkDefault true;
+
ProtectKernelTunables = mkDefault true;
+
ProtectSystem = mkDefault "strict";
+
RemoveIPC = mkDefault true;
+
RestrictNamespaces = mkDefault true;
+
RestrictRealtime = mkDefault true;
+
RestrictSUIDSGID = mkDefault true;
+
UMask = mkDefault "0066";
+
ProtectProc = mkDefault "invisible";
+
SystemCallFilter = mkBefore [
+
RestrictAddressFamilies = mkBefore [ "AF_INET" "AF_INET6" "AF_UNIX" "AF_NETLINK" ];
+
BindPaths = lib.optionals (cfg.workDir != null) [ cfg.workDir ];
+
PrivateNetwork = mkDefault false;
+
# Cannot be true due to Node
+
MemoryDenyWriteExecute = mkDefault false;
+
# The more restrictive "pid" option makes `nix` commands in CI emit
+
# "GC Warning: Couldn't read /proc/stat"
+
# You may want to set this to "pid" if not using `nix` commands
+
ProcSubset = mkDefault "all";
+
# Coverage programs for compiled code such as `cargo-tarpaulin` disable
+
# ASLR (address space layout randomization) which requires the
+
# `personality` syscall
+
# You may want to set this to `true` if not using coverage tooling on
+
LockPersonality = mkDefault false;
+
# Note that this has some interactions with the User setting; so you may
+
# want to consult the systemd docs if using both.
+
DynamicUser = mkDefault true;
+
(mkIf (cfg.user != null) { User = cfg.user; })
pyrox.dev