From fe99aa9699e7dd4ce6a81a8a623d010cedbe7eef Mon Sep 17 00:00:00 2001 From: Michael Hoang Date: Tue, 23 Jul 2024 10:48:48 +1000 Subject: github-runnners: fix workDir missing on reboot --- modules/services/github-runner/service.nix | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) (limited to 'modules/services/github-runner/service.nix') diff --git a/modules/services/github-runner/service.nix b/modules/services/github-runner/service.nix index 53f2cdd..2fc133f 100644 --- a/modules/services/github-runner/service.nix +++ b/modules/services/github-runner/service.nix @@ -41,7 +41,7 @@ in in { launchd = mkIf cfg.enable { - text = mkBefore ('' + text = mkBefore '' echo >&2 "setting up GitHub Runner '${cfg.name}'..." ${pkgs.coreutils}/bin/mkdir -p -m 0750 ${escapeShellArg (mkStateDir cfg)} @@ -49,10 +49,7 @@ in ${pkgs.coreutils}/bin/mkdir -p -m 0750 ${escapeShellArg (mkLogDir cfg)} ${pkgs.coreutils}/bin/chown ${user}:${group} ${escapeShellArg (mkLogDir cfg)} - '' + optionalString (cfg.workDir == null) '' - ${pkgs.coreutils}/bin/mkdir -p -m 0750 ${escapeShellArg (mkWorkDir cfg)} - ${pkgs.coreutils}/bin/chown ${user}:${group} ${escapeShellArg (mkWorkDir cfg)} - ''); + ''; }; })); @@ -62,6 +59,9 @@ in stateDir = mkStateDir cfg; logDir = mkLogDir cfg; workDir = mkWorkDir cfg; + user = if (cfg.user != null) then cfg.user else "_github-runner"; + # If both user and group are null then we manage the group, otherwise if only group is null then there's no group + group = if (cfg.group != null) then group else if (cfg.user == null) then "_github-runner" else ""; in nameValuePair (mkSvcName name) 
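Review bot: In the @@ -62,6 +59,9 hunk, `group = if (cfg.group != null) then group else ...` names the binding being defined instead of `cfg.group`; Nix `let` bindings are recursive, so any configuration that sets `group` hits infinite recursion at evaluation time. The line should read `group = if (cfg.group != null) then cfg.group else if (cfg.user == null) then "_github-runner" else "";`. The empty-string branch also deserves a word next to the existing comment, since `chown user: path` with nothing after the colon switches the group to that user's login group — presumably intended, but not obvious from the code. The enclosing `let` for `nameValuePair` continues outside the hunk.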
@@ -116,6 +116,12 @@ in '' echo "Configuring GitHub Actions Runner" + ${optionalString (cfg.workDir == null) '' + # /var/run gets cleared every reboot so we need to create it before starting the service + ${pkgs.coreutils}/bin/mkdir -p -m 0750 ${escapeShellArg workDir} + ${pkgs.coreutils}/bin/chown ${user}:${group} ${escapeShellArg workDir} + ''} + # Always clean the working directory ${pkgs.findutils}/bin/find ${escapeShellArg workDir} -mindepth 1 -delete @@ -147,7 +153,7 @@ in StandardErrorPath = "${logDir}/launchd-stderr.log"; StandardOutPath = "${logDir}/launchd-stdout.log"; ThrottleInterval = 30; - UserName = if (cfg.user != null) then cfg.user else "_github-runner"; + UserName = user; WatchPaths = [ "/etc/resolv.conf" "/Library/Preferences/SystemConfiguration/NetworkInterfaces.plist" -- cgit v1.2.3 From 5c8fb551822a137848a666472a17aeb651ee033d Mon Sep 17 00:00:00 2001 From: Michael Hoang Date: Sat, 27 Jul 2024 10:26:37 +1000 Subject: Revert "github-runnners: fix workDir missing on reboot" This reverts commit fe99aa9699e7dd4ce6a81a8a623d010cedbe7eef. --- modules/services/github-runner/service.nix | 18 ++++++------------ 1 file changed, 6 insertions(+), 12 deletions(-) (limited to 'modules/services/github-runner/service.nix') diff --git a/modules/services/github-runner/service.nix b/modules/services/github-runner/service.nix index 2fc133f..53f2cdd 100644 --- a/modules/services/github-runner/service.nix +++ b/modules/services/github-runner/service.nix @@ -41,7 +41,7 @@ in in { launchd = mkIf cfg.enable { - text = mkBefore '' + text = mkBefore ('' echo >&2 "setting up GitHub Runner '${cfg.name}'..." ${pkgs.coreutils}/bin/mkdir -p -m 0750 ${escapeShellArg (mkStateDir cfg)} 
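Review bot: In the @@ -116,6 +116,12 hunk the `mkdir -p`/`chown` of the default workDir now runs inside the service script, which launchd runs as `UserName = user` (the @@ -147 hunk), not as root, whereas the copy removed from the activation script in the @@ -49 hunk ran with root privileges. After a reboot clears `/var/run`, the parent `/var/run/github-runners` is presumably gone as well, so an unprivileged `mkdir -p` under root-owned `/var/run` will fail, and `chown` to a different owner is only permitted for root. If the work dir has to live under `/var/run`, its parent needs to be created by a root-run step; otherwise the default should move to a location that survives reboot. The enclosing script string continues outside the hunk.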
@@ -49,7 +49,10 @@ in ${pkgs.coreutils}/bin/mkdir -p -m 0750 ${escapeShellArg (mkLogDir cfg)} ${pkgs.coreutils}/bin/chown ${user}:${group} ${escapeShellArg (mkLogDir cfg)} - ''; + '' + optionalString (cfg.workDir == null) '' + ${pkgs.coreutils}/bin/mkdir -p -m 0750 ${escapeShellArg (mkWorkDir cfg)} + ${pkgs.coreutils}/bin/chown ${user}:${group} ${escapeShellArg (mkWorkDir cfg)} + ''); }; })); @@ -59,9 +62,6 @@ in stateDir = mkStateDir cfg; logDir = mkLogDir cfg; workDir = mkWorkDir cfg; - user = if (cfg.user != null) then cfg.user else "_github-runner"; - # If both user and group are null then we manage the group, otherwise if only group is null then there's no group - group = if (cfg.group != null) then group else if (cfg.user == null) then "_github-runner" else ""; in nameValuePair (mkSvcName name) @@ -116,12 +116,6 @@ in '' echo "Configuring GitHub Actions Runner" - ${optionalString (cfg.workDir == null) '' - # /var/run gets cleared every reboot so we need to create it before starting the service - ${pkgs.coreutils}/bin/mkdir -p -m 0750 ${escapeShellArg workDir} - ${pkgs.coreutils}/bin/chown ${user}:${group} ${escapeShellArg workDir} - ''} - # Always clean the working directory ${pkgs.findutils}/bin/find ${escapeShellArg workDir} -mindepth 1 -delete @@ -153,7 +147,7 @@ in StandardErrorPath = "${logDir}/launchd-stderr.log"; StandardOutPath = "${logDir}/launchd-stdout.log"; ThrottleInterval = 30; - UserName = user; + UserName = if (cfg.user != null) then cfg.user else "_github-runner"; WatchPaths = [ "/etc/resolv.conf" "/Library/Preferences/SystemConfiguration/NetworkInterfaces.plist" -- cgit v1.2.3 From dc8e1f4839b735ffed17cb5368d9bd7f19577eb6 Mon Sep 17 00:00:00 2001 
From: Michael Hoang Date: Sat, 27 Jul 2024 10:41:18 +1000 Subject: github-runners: move `workDir` outside of `/run` As `/run` gets recreated every reboot and we can't specify dependencies for launchd, creating the `workDir` every reboot will require extra complexity with a separate daemon that runs as `root` otherwise it won't have sufficient privileges. As we clean the `workDir` when the service first starts anyway, it ends up being the same. --- modules/services/github-runner/service.nix | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'modules/services/github-runner/service.nix') diff --git a/modules/services/github-runner/service.nix b/modules/services/github-runner/service.nix index 53f2cdd..75d6442 100644 --- a/modules/services/github-runner/service.nix +++ b/modules/services/github-runner/service.nix @@ -4,7 +4,7 @@ let mkSvcName = name: "github-runner-${name}"; mkStateDir = cfg: "/var/lib/github-runners/${cfg.name}"; mkLogDir = cfg: "/var/log/github-runners/${cfg.name}"; - mkWorkDir = cfg: if (cfg.workDir != null) then cfg.workDir else "/var/run/github-runners/${cfg.name}"; + mkWorkDir = cfg: if (cfg.workDir != null) then cfg.workDir else "/var/lib/github-runners/_work/${cfg.name}"; in { config.assertions = flatten ( @@ -17,6 +17,10 @@ in assertion = !cfg.noDefaultLabels || (cfg.extraLabels != [ ]); message = "`services.github-runners.${name}`: The `extraLabels` option is mandatory if `noDefaultLabels` is set"; } + { + assertion = cfg.workDir == null || !(hasPrefix "/run/" cfg.workDir || hasPrefix "/var/run/" cfg.workDir || hasPrefix "/private/var/run/"); + message = "`services.github-runners.${name}`: `workDir` being inside /run is not supported"; + } ]) ); -- cgit v1.2.3 From c334175319949f6887dcab89afb32f1bb38e9f88 Mon Sep 17 00:00:00 2001 
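Review bot: In the @@ -4,7 +4,7 hunk the new default `/var/lib/github-runners/_work/${cfg.name}` shares its parent with the state dirs `/var/lib/github-runners/${cfg.name}`, so a runner named `_work` would have its state dir be the parent of every runner's work dir. Either reserve that name with an assertion alongside the one this commit adds, or put the work dirs under a sibling directory (constructed example: `/var/lib/github-runners-work/${cfg.name}`).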
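Review bot: In the @@ -17,6 +17,10 hunk the last alternative `hasPrefix "/private/var/run/"` is missing its second argument, so it evaluates to a partially applied function rather than a bool; for any `workDir` that is set and starts with neither `/run/` nor `/var/run/`, the `||` chain reaches it and evaluation fails with a type error instead of the assertion passing. It should read `hasPrefix "/private/var/run/" cfg.workDir`. The check also does not catch a `workDir` of exactly `/run` or `/var/run` (no trailing slash), which is likely acceptable but worth a comment on the assertion.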
From: Sirio Balmelli Date: Tue, 3 Sep 2024 11:25:58 +0200 Subject: nixos/github-runner: quote comma separators so as to pass shellcheck Shellcheck complains: > args=( > ^-- SC2054 (warning): Use spaces, not commas, to separate array elements. Quote the --labels argument to resolve. Signed-off-by: Sirio Balmelli --- modules/services/github-runner/service.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'modules/services/github-runner/service.nix') diff --git a/modules/services/github-runner/service.nix b/modules/services/github-runner/service.nix index 75d6442..175b22d 100644 --- a/modules/services/github-runner/service.nix +++ b/modules/services/github-runner/service.nix @@ -90,7 +90,7 @@ in let configure = pkgs.writeShellApplication { name = "configure-github-runner-${name}"; - text = '' + text = /*bash*/'' export RUNNER_ROOT args=( @@ -98,7 +98,7 @@ in --disableupdate --work ${escapeShellArg workDir} --url ${escapeShellArg cfg.url} - --labels ${escapeShellArg (concatStringsSep "," cfg.extraLabels)} + --labels "${escapeShellArg (concatStringsSep "," cfg.extraLabels)}" ${optionalString (cfg.name != null ) "--name ${escapeShellArg cfg.name}"} ${optionalString cfg.replace "--replace"} ${optionalString (cfg.runnerGroup != null) "--runnergroup ${escapeShellArg cfg.runnerGroup}"} -- cgit v1.2.3 From 3b738c765de1bb4ecc4993fa092b27dd46d495ed Mon Sep 17 00:00:00 2001 From: Michael Hoang Date: Sun, 3 Nov 2024 20:30:48 +1100 Subject: github-runner: replace `mkdir -p -m` with `umask` `mkdir -p -m` only applies the mode on the deepest directory which could be a security issue so we use umask to be more careful. --- modules/services/github-runner/service.nix | 22 ++++++++++++++-------- 1 file changed, 14 insertions(+), 8 deletions(-) (limited to 'modules/services/github-runner/service.nix') diff --git a/modules/services/github-runner/service.nix b/modules/services/github-runner/service.nix index 175b22d..c273f43 100644 
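Review bot: In the @@ -98,7 +98,7 hunk, wrapping `${escapeShellArg ...}` in double quotes stacks two layers of quoting: with a nixpkgs whose `escapeShellArg` always single-quotes, bash sees `"'a,b'"` and the runner receives the label string with literal `'` characters at both ends. The added double quotes only silence SC2054 on a nixpkgs whose `escapeShellArg` leaves safe strings bare; a helper that unconditionally single-quotes the joined labels would satisfy the check on both and pass the labels unchanged. The `args=(` array continues outside the hunk.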
--- a/modules/services/github-runner/service.nix +++ b/modules/services/github-runner/service.nix @@ -48,14 +48,20 @@ in text = mkBefore ('' echo >&2 "setting up GitHub Runner '${cfg.name}'..." - ${pkgs.coreutils}/bin/mkdir -p -m 0750 ${escapeShellArg (mkStateDir cfg)} - ${pkgs.coreutils}/bin/chown ${user}:${group} ${escapeShellArg (mkStateDir cfg)} - - ${pkgs.coreutils}/bin/mkdir -p -m 0750 ${escapeShellArg (mkLogDir cfg)} - ${pkgs.coreutils}/bin/chown ${user}:${group} ${escapeShellArg (mkLogDir cfg)} - '' + optionalString (cfg.workDir == null) '' - ${pkgs.coreutils}/bin/mkdir -p -m 0750 ${escapeShellArg (mkWorkDir cfg)} - ${pkgs.coreutils}/bin/chown ${user}:${group} ${escapeShellArg (mkWorkDir cfg)} + ( + umask -S u=rwx,g=rx,o= + + ${pkgs.coreutils}/bin/mkdir -p ${escapeShellArg (mkStateDir cfg)} + ${pkgs.coreutils}/bin/chown ${user}:${group} ${escapeShellArg (mkStateDir cfg)} + + ${pkgs.coreutils}/bin/mkdir -p ${escapeShellArg (mkLogDir cfg)} + ${pkgs.coreutils}/bin/chown ${user}:${group} ${escapeShellArg (mkLogDir cfg)} + + ${optionalString (cfg.workDir == null) '' + ${pkgs.coreutils}/bin/mkdir -p ${escapeShellArg (mkWorkDir cfg)} + ${pkgs.coreutils}/bin/chown ${user}:${group} ${escapeShellArg (mkWorkDir cfg)} + ''} + ) ''); }; })); -- cgit v1.2.3 From 110d49af637c3da025b6b42a0caa81c1d63b2aed Mon Sep 17 00:00:00 2001 
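Review bot: In the @@ -48,14 +48,20 hunk the umask now also governs every missing ancestor that `mkdir -p` creates — `/var/lib/github-runners`, `/var/lib/github-runners/_work`, `/var/log/github-runners`, and `/var/lib` itself if absent — but only the leaf directories are `chown`ed, so on a fresh system those parents end up root-owned with group `rx` and `o=`, and the runner user presumably cannot traverse them to reach its own state, work and log directories; where they already exist with a looser mode from the earlier `mkdir -p -m 0750` this will not show. Consider creating the shared parents explicitly before the leaf `mkdir` and giving them a mode or group the runner user can traverse, with a comment stating which ancestors are intentionally left root-owned. Separately, `umask -S u=rwx,g=rx,o=` prints the resulting mask to stdout on every activation; redirect it with `umask -S u=rwx,g=rx,o= > /dev/null`. The `text = mkBefore (''` string continues outside the hunk.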
From: Yuriy Taraday Date: Mon, 4 Nov 2024 18:31:38 +0100 Subject: github-runner: Fix labels for different nixpkgs versions Changes to escapeShellArg introduced in https://github.com/NixOS/nixpkgs/pull/333744 made different versions of nixpkgs behave differently. If current nix-darwin is used with nixpkgs before that change, labels end up having labels quoted twice (see https://github.com/LnL7/nix-darwin/issues/1085), but without changes from https://github.com/LnL7/nix-darwin/pull/1055, with new nixpkgs, labels end up not quoted at all, and ShellCheck ends up complaining that commas might have been used as array item separator (see https://www.shellcheck.net/wiki/SC2054). Use the old version of escapeShellArg to always escape the list of labels and make nix-darwin work with both old and new versions of nixpkgs. Fixes https://github.com/LnL7/nix-darwin/issues/1085 --- modules/services/github-runner/service.nix | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'modules/services/github-runner/service.nix') diff --git a/modules/services/github-runner/service.nix b/modules/services/github-runner/service.nix index c273f43..5d73633 100644 --- a/modules/services/github-runner/service.nix +++ b/modules/services/github-runner/service.nix @@ -94,6 +94,10 @@ in script = let + # https://github.com/NixOS/nixpkgs/pull/333744 introduced an inconsistency with different + # versions of nixpkgs. Use the old version of escapeShellArg to make sure that labels + # are always escaped to avoid https://www.shellcheck.net/wiki/SC2054 + escapeShellArgAlways = string: "'${replaceStrings ["'"] ["'\\''"] (toString string)}'"; configure = pkgs.writeShellApplication { name = "configure-github-runner-${name}"; text = /*bash*/'' 
@@ -104,7 +108,7 @@ in --disableupdate --work ${escapeShellArg workDir} --url ${escapeShellArg cfg.url} - --labels "${escapeShellArg (concatStringsSep "," cfg.extraLabels)}" + --labels ${escapeShellArgAlways (concatStringsSep "," cfg.extraLabels)} ${optionalString (cfg.name != null ) "--name ${escapeShellArg cfg.name}"} ${optionalString cfg.replace "--replace"} ${optionalString (cfg.runnerGroup != null) "--runnergroup ${escapeShellArg cfg.runnerGroup}"} -- cgit v1.2.3 From caa23e878f7f6fecb978bb91c1d208bf94a62c43 Mon Sep 17 00:00:00 2001 From: Michael Hoang Date: Fri, 22 Nov 2024 11:18:17 +1100 Subject: github-runner: make `umask` quiet --- modules/services/github-runner/service.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'modules/services/github-runner/service.nix') diff --git a/modules/services/github-runner/service.nix b/modules/services/github-runner/service.nix index 5d73633..21d908e 100644 --- a/modules/services/github-runner/service.nix +++ b/modules/services/github-runner/service.nix @@ -49,7 +49,7 @@ in echo >&2 "setting up GitHub Runner '${cfg.name}'..." ( - umask -S u=rwx,g=rx,o= + umask -S u=rwx,g=rx,o= > /dev/null ${pkgs.coreutils}/bin/mkdir -p ${escapeShellArg (mkStateDir cfg)} ${pkgs.coreutils}/bin/chown ${user}:${group} ${escapeShellArg (mkStateDir cfg)} -- cgit v1.2.3 From d8255f09da39e603e710149dc87a5f3eaa4ff049 Mon Sep 17 00:00:00 2001 From: Michael Hoang Date: Sat, 7 Dec 2024 12:53:16 +1100 Subject: github-runner: remove `with lib;` --- modules/services/github-runner/service.nix | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'modules/services/github-runner/service.nix') diff --git a/modules/services/github-runner/service.nix b/modules/services/github-runner/service.nix index 21d908e..7360a34 100644 --- a/modules/services/github-runner/service.nix +++ b/modules/services/github-runner/service.nix 
@@ -1,6 +1,10 @@ { config, lib, pkgs, ... }: -with lib; + let + inherit (lib) any attrValues boolToString concatStringsSep escapeShellArg + flatten flip getExe hasAttr hasPrefix mapAttrsToList mapAttrs' mkBefore + mkDefault mkIf mkMerge nameValuePair optionalAttrs optionalString replaceStrings; + mkSvcName = name: "github-runner-${name}"; mkStateDir = cfg: "/var/lib/github-runners/${cfg.name}"; mkLogDir = cfg: "/var/log/github-runners/${cfg.name}"; -- cgit v1.2.3 From 06e1d770687a832a13aa23f37cdebeadc3af89b8 Mon Sep 17 00:00:00 2001 From: Michael Hoang Date: Sat, 7 Dec 2024 13:00:54 +1100 Subject: github-runner: use `lib.getExe{,'}` --- modules/services/github-runner/service.nix | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) (limited to 'modules/services/github-runner/service.nix') diff --git a/modules/services/github-runner/service.nix b/modules/services/github-runner/service.nix index 7360a34..2c2411d 100644 --- a/modules/services/github-runner/service.nix +++ b/modules/services/github-runner/service.nix @@ -2,7 +2,7 @@ let inherit (lib) any attrValues boolToString concatStringsSep escapeShellArg - flatten flip getExe hasAttr hasPrefix mapAttrsToList mapAttrs' mkBefore + flatten flip getExe getExe' hasAttr hasPrefix mapAttrsToList mapAttrs' mkBefore mkDefault mkIf mkMerge nameValuePair optionalAttrs optionalString replaceStrings; mkSvcName = name: "github-runner-${name}"; 
@@ -55,15 +55,15 @@ in ( umask -S u=rwx,g=rx,o= > /dev/null - ${pkgs.coreutils}/bin/mkdir -p ${escapeShellArg (mkStateDir cfg)} - ${pkgs.coreutils}/bin/chown ${user}:${group} ${escapeShellArg (mkStateDir cfg)} + ${getExe' pkgs.coreutils "mkdir"} -p ${escapeShellArg (mkStateDir cfg)} + ${getExe' pkgs.coreutils "chown"} ${user}:${group} ${escapeShellArg (mkStateDir cfg)} - ${pkgs.coreutils}/bin/mkdir -p ${escapeShellArg (mkLogDir cfg)} - ${pkgs.coreutils}/bin/chown ${user}:${group} ${escapeShellArg (mkLogDir cfg)} + ${getExe' pkgs.coreutils "mkdir"} -p ${escapeShellArg (mkLogDir cfg)} + ${getExe' pkgs.coreutils "chown"} ${user}:${group} ${escapeShellArg (mkLogDir cfg)} ${optionalString (cfg.workDir == null) '' - ${pkgs.coreutils}/bin/mkdir -p ${escapeShellArg (mkWorkDir cfg)} - ${pkgs.coreutils}/bin/chown ${user}:${group} ${escapeShellArg (mkWorkDir cfg)} + ${getExe' pkgs.coreutils "mkdir"} -p ${escapeShellArg (mkWorkDir cfg)} + ${getExe' pkgs.coreutils "chown"} ${user}:${group} ${escapeShellArg (mkWorkDir cfg)} ''} ) ''); @@ -127,7 +127,7 @@ in else args+=(--token "$token") fi - ${package}/bin/config.sh "''${args[@]}" + ${getExe' package "config.sh"} "''${args[@]}" ''; }; in @@ -135,12 +135,12 @@ in echo "Configuring GitHub Actions Runner" # Always clean the working directory - ${pkgs.findutils}/bin/find ${escapeShellArg workDir} -mindepth 1 -delete + ${getExe pkgs.findutils} ${escapeShellArg workDir} -mindepth 1 -delete # Clean the $RUNNER_ROOT if we are in ephemeral mode if ${boolToString cfg.ephemeral}; then echo "Cleaning $RUNNER_ROOT" - ${pkgs.findutils}/bin/find "$RUNNER_ROOT" -mindepth 1 -delete + ${getExe pkgs.findutils} "$RUNNER_ROOT" -mindepth 1 -delete fi # If the `.runner` file does not exist, we assume the runner is not configured @@ -149,7 +149,7 @@ in fi # Start the service - ${package}/bin/Runner.Listener run --startuptype service + ${getExe' package "Runner.Listener"} run --startuptype service ''; serviceConfig = mkMerge [ -- cgit v1.2.3 
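Review bot: In the @@ -135,12 +135,12 hunk `${getExe pkgs.findutils}` relies on the findutils package declaring `meta.mainProgram` as `find`; when that attribute is absent `lib.getExe` warns and falls back to the package name, which would resolve to a non-existent `bin/findutils`. Every other call site in this commit names the executable explicitly with `getExe'`, so `${getExe' pkgs.findutils "find"}` on both lines would be consistent and independent of package metadata. The service script continues outside the hunk.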
From 22cde06f497b97cbab4186292f9fd82487bbfecc Mon Sep 17 00:00:00 2001 From: Michael Hoang Date: Sat, 7 Dec 2024 13:06:10 +1100 Subject: github-runner: fix service not starting --- modules/services/github-runner/service.nix | 2 ++ 1 file changed, 2 insertions(+) (limited to 'modules/services/github-runner/service.nix') diff --git a/modules/services/github-runner/service.nix b/modules/services/github-runner/service.nix index 2c2411d..029f863 100644 --- a/modules/services/github-runner/service.nix +++ b/modules/services/github-runner/service.nix @@ -59,6 +59,8 @@ in ${getExe' pkgs.coreutils "chown"} ${user}:${group} ${escapeShellArg (mkStateDir cfg)} ${getExe' pkgs.coreutils "mkdir"} -p ${escapeShellArg (mkLogDir cfg)} + # launchd will fail to start the service if the outer direction doesn't have sufficient permissions + ${getExe' pkgs.coreutils "chmod"} o+rx ${escapeShellArg (mkLogDir { name = ""; })} ${getExe' pkgs.coreutils "chown"} ${user}:${group} ${escapeShellArg (mkLogDir cfg)} ${optionalString (cfg.workDir == null) '' -- cgit v1.2.3
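Review bot: In the @@ -59,6 +59,8 hunk the `chmod o+rx` is applied only to `/var/log/github-runners`, while `/var/lib/github-runners` and `/var/lib/github-runners/_work` are created by the same `mkdir -p` under the same `umask` and are left root-owned with `o=`; unless they pre-exist with a looser mode, the runner user presumably cannot traverse them to reach its state and work directories either. `o+rx` also grants traversal and listing to every local user rather than only to the account launchd needs, which exposes the configured runner names; a group-based grant would be narrower if a shared group is acceptable. The added comment has a typo and should read `# launchd will fail to start the service if the outer directory doesn't have sufficient permissions`. The enclosing subshell continues outside the hunk.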