github-runners: init module

Adds a new module which allows to configure multiple GitHub self-hosted
runners on Darwin. The module is heavily inspired by the nixpkgs NixOS
module. Its implementation differs in some ways:

- There's currently no way to configure the user/group which runs the
  runner. All configured runners share the same user and group.
- No automatic cleanup.
- No advanced sandboxing apart from user/group isolation

1 files changed, 37 insertions, 0 deletions

diff --git a/modules/services/github-runner/default.nix b/modules/services/github-runner/default.nix
new file mode 100644
index 0000000..7937980
--- /dev/null
+++ b/modules/services/github-runner/default.nix
@@ -0,0 +1,37 @@
+{ config, lib, ... }:
+let
+  anyEnabled = lib.any (cfg: cfg.enable) (lib.attrValues config.services.github-runners);
+in
+{
+  imports = [
+    ./options.nix
+    ./config.nix
+  ];
+
+  config.assertions = lib.mkIf anyEnabled [
+    {
+      assertion = lib.elem "github-runner" config.users.knownGroups;
+      message = "set `users.knownGroups` to enable `github-runner` group";
+    }
+    {
+      assertion = lib.elem "github-runner" config.users.knownUsers;
+      message = "set `users.knownUsers` to enable `github-runner` user";
+    }
+  ];
+
+  config.users = lib.mkIf anyEnabled {
+    users."github-runner" = {
+      createHome = true;
+      uid = lib.mkDefault 533;
+      gid = lib.mkDefault config.users.groups.github-runner.gid;
+      home = lib.mkDefault "/var/lib/github-runners";
+      shell = "/bin/bash";
+      description = "GitHub Runner service user";
+    };
+
+    groups."github-runner" = {
+      gid = lib.mkDefault 533;
+      description = "GitHub Runner service user group";
+    };
+  };
+}