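# NixOS module: run one or more Drone CI/CD exec runners, each as its own
# confined systemd unit with a dedicated system user and group.
#
# Fixes over the previous revision:
#  - `enable = false` on an individual runner is now honoured; previously every
#    runner defined under services.drone-exec-runner got a unit, user and group
#    as soon as any one of them was enabled.
#  - the enable option text no longer renders as "Whether to enable Enable an …".
#  - `env` defaults to [] so a runner configured only through envFile evaluates.
{ pkgs, lib, config, ... }:

let
  inherit (lib) mkEnableOption mkOption mkIf types filterAttrs mapAttrs' nameValuePair;

  runners = config.services.drone-exec-runner;

  # Only runners that are switched on get a unit, a user and a group.
  enabledRunners = filterAttrs (_: cfg: cfg.enable) runners;

  # Per-runner submodule options.
  runnerOpts = {
    options = {
      # mkEnableOption prepends "Whether to enable ", so pass the noun only.
      enable = mkEnableOption "the Drone CI/CD Exec Runner";

      restartIfChanged = mkOption {
        type = types.bool;
        default = true;
        description = ''
          Restart the runner when its configuration changes.

          Consider the scenario where the runner runs on the same machine it
          deploys to and is redeploying itself: with this set to true the
          runner is killed in the middle of the deployment, which is very bad.
          For such setups set this to false and restart the runners manually
          once the deployment is done.
        '';
      };

      package = mkOption {
        type = types.package;
        default = pkgs.drone-runner-exec;
        defaultText = "pkgs.drone-runner-exec";
        description = "The drone-runner-exec package whose bin/drone-runner-exec is started.";
      };

      env = mkOption {
        type = types.listOf types.str;
        default = [];
        description = "Environment strings (e.g. DRONE_RUNNER_CAPACITY, CLIENT_DRONE_RPC_HOST, etc.) appended to the unit's Environment=.";
        example = [ "DRONE_RUNNER_CAPACITY=10" "CLIENT_DRONE_RPC_HOST=127.0.0.1:3030" ];
      };

      envFile = mkOption {
        # Deliberately `str`, not `path`: a path literal would be copied into
        # the world-readable Nix store, and this file holds the shared RPC
        # secret. The string is handed to systemd's EnvironmentFile= as-is.
        type = types.str;
        description = "Path to the environment file (may contain secrets, notably the shared RPC secret). Read by systemd at unit start, never copied into the Nix store.";
      };

      user = mkOption {
        type = types.str;
        default = "drone-runner-exec";
        description = "System user the runner (and therefore every pipeline step) runs as.";
      };

      group = mkOption {
        type = types.str;
        default = "drone-runner-exec";
        description = "Primary group of the runner's user.";
      };

      allowedPackages = mkOption {
        type = types.listOf types.package;
        default = with pkgs; [ git gnutar bash nix gzip ];
        defaultText = "with pkgs; [ git gnutar bash nix gzip ]";
        description = "Packages placed on the unit's PATH and registered with its confinement.";
      };
    };
  };

in {
  options.services.drone-exec-runner = mkOption {
    type = types.attrsOf (types.submodule runnerOpts);
    default = {};
    description = "Drone exec runners to run, keyed by runner name (used as DRONE_RUNNER_NAME and in the unit name).";
  };

  config = mkIf (enabledRunners != {}) {
    systemd.services = mapAttrs' (runnerName: cfg:
      nameValuePair "drone-exec-runner-${runnerName}" {
        wantedBy = [ "multi-user.target" ];
        inherit (cfg) restartIfChanged;

        confinement.enable = true;
        confinement.packages = cfg.allowedPackages;
        path = cfg.allowedPackages;

        serviceConfig = {
          Environment = [
            "NIX_REMOTE=daemon"
            "PAGER=cat"
            "DRONE_RUNNER_NAME=${runnerName}"
            "NIX_PATH=nixpkgs=/var/nixpkgs"
          ] ++ cfg.env;

          # Writable: the nix-daemon socket (builds go through the daemon) and nscd.
          BindPaths = [
            "/nix/var/nix/daemon-socket/socket"
            "/run/nscd/socket"
          ];

          # Read-only: user database, nix config, a pinned nixpkgs, TLS and SSH
          # trust roots, and the whole store. NOTE(review): because "/nix/" is
          # bound in full, store paths outside allowedPackages remain visible
          # inside the confinement; allowedPackages only shapes PATH.
          BindReadOnlyPaths = [
            "/etc/passwd:/etc/passwd"
            "/etc/group:/etc/group"
            "/nix/var/nix/profiles/system/etc/nix:/etc/nix"
            "/nix/var/nix/profiles/per-user/root/channels/nixos:/var/nixpkgs"
            "${config.environment.etc."ssl/certs/ca-certificates.crt".source}:/etc/ssl/certs/ca-certificates.crt"
            "${config.environment.etc."ssh/ssh_known_hosts".source}:/etc/ssh/ssh_known_hosts"
            "/etc/machine-id"
            "/nix/"
          ];

          EnvironmentFile = [ cfg.envFile ];
          ExecStart = "${cfg.package}/bin/drone-runner-exec";
          User = cfg.user;
          Group = cfg.group;
        };
      }) enabledRunners;

    users.users = mapAttrs' (_: cfg:
      nameValuePair cfg.user {
        isSystemUser = true;
        inherit (cfg) group;
      }) enabledRunners;

    users.groups = mapAttrs' (_: cfg: nameValuePair cfg.group {}) enabledRunners;
  };
}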