From dc8e1f4839b735ffed17cb5368d9bd7f19577eb6 Mon Sep 17 00:00:00 2001
From: Michael Hoang
Date: Sat, 27 Jul 2024 10:41:18 +1000
Subject: github-runners: move `workDir` outside of `/run`
As `/run` gets recreated every reboot and we can't specify dependencies for launchd, creating the `workDir` every reboot will require extra complexity with a separate daemon that runs as `root` otherwise it won't have sufficient privileges. As we clean the `workDir` when the service first starts anyway, it ends up being the same.
---
modules/services/github-runner/options.nix | 6 +++---
modules/services/github-runner/service.nix | 6 +++++-
2 files changed, 8 insertions(+), 4 deletions(-)
(limited to 'modules/services/github-runner')
diff --git a/modules/services/github-runner/options.nix b/modules/services/github-runner/options.nix
index 772eb78..8f98aa0 100644
--- a/modules/services/github-runner/options.nix
+++ b/modules/services/github-runner/options.nix
@@ -22,12 +22,12 @@ with lib;
 * `/var/lib/github-runners/`:
 State directory to store the runner registration credentials
+ * `/var/lib/github-runners/_work/`:
+ Working directory for workflow files. The runner only uses this
+ directory if `workDir` is `null` (see the `workDir` option for details).
 * `/var/log/github-runners/`:
 The launchd service writes the stdout and stderr streams to this directory.
- * `/var/run/github-runners/`:
- Working directory for workflow files. The runner only uses this
- directory if `workDir` is `null` (see the `workDir` option for details).
 '';
 example = {
 runner1 = {
diff --git a/modules/services/github-runner/service.nix b/modules/services/github-runner/service.nix
index 53f2cdd..75d6442 100644
--- a/modules/services/github-runner/service.nix
+++ b/modules/services/github-runner/service.nix
@@ -4,7 +4,7 @@ let
 mkSvcName = name: "github-runner-${name}";
 mkStateDir = cfg: "/var/lib/github-runners/${cfg.name}";
 mkLogDir = cfg: "/var/log/github-runners/${cfg.name}";
- mkWorkDir = cfg: if (cfg.workDir != null) then cfg.workDir else "/var/run/github-runners/${cfg.name}";
+ mkWorkDir = cfg: if (cfg.workDir != null) then cfg.workDir else "/var/lib/github-runners/_work/${cfg.name}";
 in
 {
 config.assertions = flatten (
@@ -17,6 +17,10 @@ in
 assertion = !cfg.noDefaultLabels || (cfg.extraLabels != [ ]);
 message = "`services.github-runners.${name}`: The `extraLabels` option is mandatory if `noDefaultLabels` is set";
 }
+ {
+ assertion = cfg.workDir == null || !(hasPrefix "/run/" cfg.workDir || hasPrefix "/var/run/" cfg.workDir || hasPrefix "/private/var/run/");
+ message = "`services.github-runners.${name}`: `workDir` being inside /run is not supported";
+ }
 ])
 );
-- cgit v1.2.3
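Review bot: The new default in `mkWorkDir` places every work directory under `/var/lib/github-runners/_work/`, inside the same tree that `mkStateDir` uses for registration credentials, so a runner named `_work` would get a state directory that is the parent of every other runner's job workspace. Nothing in this hunk reserves that name, and whether `cfg.name` is constrained elsewhere is not visible here. An added assertion such as `assertion = cfg.name != "_work";`, or a work root outside the state tree, would keep credentials and job workspaces apart. Since this path is not recreated on reboot the way `/run` is, leftover job files now stay on disk until the service next starts and cleans them; a comment saying so next to `mkWorkDir` would help.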
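Review bot: The last term of the new assertion, `hasPrefix "/private/var/run/"`, is missing its `cfg.workDir` argument, so it is a partially applied function rather than a boolean. When `workDir` is set and the first two prefix checks are false, `||` is handed a function and evaluation should fail with a type error instead of the assertion passing; the term should read `hasPrefix "/private/var/run/" cfg.workDir`. All three prefixes end in `/`, so a `workDir` of exactly `/run` or `/var/run` is not rejected either, and the bare paths may need checking too. The assertion list this entry joins opens outside the hunk.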