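# NixOS module: run the Drone CI/CD exec runner as a confined systemd service.
#
# The exec runner executes pipeline steps directly on this host as the service
# user (no containers), so the confinement below is the only boundary between a
# pipeline and the rest of the machine; everything a pipeline may touch has to
# be listed explicitly in allowedPackages / BindPaths / BindReadOnlyPaths.
{ pkgs, lib, config, ... }:

with lib;

let
  cfg = config.services.drone-exec-runner;
in
{
  options.services.drone-exec-runner = {
    # mkEnableOption already prepends "Whether to enable", so the text must not
    # repeat it (the original produced "Whether to enable Enable an Drone ...").
    enable = mkEnableOption "the Drone CI/CD exec runner";

    package = mkOption {
      type = types.package;
      default = pkgs.drone-runner-exec;
      defaultText = "pkgs.drone-runner-exec";
      description = "The drone-runner-exec package providing bin/drone-runner-exec.";
    };

    env = mkOption {
      type = types.listOf types.str;
      # Without a default, merely enabling the module failed evaluation with
      # "option used but not defined"; an empty list is a sound default.
      default = [ ];
      description = ''
        Environment strings (e.g. DRONE_RUNNER_CAPACITY, CLIENT_DRONE_RPC_HOST, etc.)
        appended to the unit's Environment=. Do not place secrets here: the
        generated unit file lives in the world-readable Nix store. Use envFile
        for the RPC secret and anything else sensitive.
      '';
      example = [ "DRONE_RUNNER_CAPACITY=10" "CLIENT_DRONE_RPC_HOST=127.0.0.1:3030" ];
    };

    envFile = mkOption {
      # Deliberately a string, not types.path: a Nix path literal would be
      # copied into the world-readable Nix store together with the secret.
      type = types.str;
      description = ''
        Path to the environment file (may contain secrets, notably the shared
        RPC secret). Passed to the unit as EnvironmentFile=, so it must exist
        at service start and should be readable only by root/the service user.
      '';
    };

    user = mkOption {
      type = types.str;
      default = "drone-runner-exec";
      description = "User the runner (and therefore every pipeline step) runs as.";
    };

    group = mkOption {
      type = types.str;
      default = "drone-runner-exec";
      description = "Primary group of the runner user.";
    };

    allowedPackages = mkOption {
      type = types.listOf types.package;
      default = with pkgs; [ git gnutar bash nixUnstable gzip ];
      description = ''
        Packages whose closures are made available inside the confinement and
        put on the PATH of pipeline steps. Nothing outside these closures (plus
        the bind-mounted paths) is visible to a pipeline.
      '';
    };
  };

  config = mkIf cfg.enable {
    systemd.services.drone-runner-exec = {
      wantedBy = [ "multi-user.target" ];

      # Confine the service to the closure of allowedPackages; the same list is
      # used for PATH so pipeline steps can find those tools.
      confinement.enable = true;
      confinement.packages = cfg.allowedPackages;
      path = cfg.allowedPackages;

      serviceConfig = {
        # NIX_REMOTE=daemon makes nix inside the sandbox talk to the host
        # daemon over the socket bound read-write below.
        Environment = [ "NIX_REMOTE=daemon" "PAGER=cat" ] ++ cfg.env;

        # Writable mounts. Note that exposing the daemon socket lets any
        # pipeline step submit arbitrary build requests to the host nix-daemon.
        # NOTE(review): nothing here creates /var/lib/drone; the bind mount fails
        # at start if it does not exist — confirm who provisions it (e.g. a
        # StateDirectory= on this unit or the drone server module).
        BindPaths = [
          "/nix/var/nix/daemon-socket/socket"
          "/run/nscd/socket"
          "/var/lib/drone"
        ];

        # Read-only mounts: account lookups, system nix config, the system CA
        # bundle and known_hosts (resolved from the host's /etc derivations so
        # the sandbox sees exactly what the host trusts), and the store itself.
        BindReadOnlyPaths = [
          "/etc/passwd:/etc/passwd"
          "/etc/group:/etc/group"
          "/nix/var/nix/profiles/system/etc/nix:/etc/nix"
          "${config.environment.etc."ssl/certs/ca-certificates.crt".source}:/etc/ssl/certs/ca-certificates.crt"
          "${config.environment.etc."ssh/ssh_known_hosts".source}:/etc/ssh/ssh_known_hosts"
          "/etc/machine-id"
          "/nix/"
        ];

        EnvironmentFile = [ cfg.envFile ];
        ExecStart = "${cfg.package}/bin/drone-runner-exec";
        User = cfg.user;
        Group = cfg.group;

        # NOTE(review): the confinement does not by itself set NoNewPrivileges=
        # or restrict the network/kernel surface available to pipeline steps;
        # additional systemd hardening (NoNewPrivileges, ProtectKernelTunables,
        # RestrictAddressFamilies, ...) is worth evaluating once it is confirmed
        # that the pipelines run here do not depend on those capabilities.
      };
    };

    # The account is declared unconditionally under whatever name cfg.user
    # holds; if an existing user is meant to be reused, its definition must be
    # compatible with isSystemUser = true and this group assignment.
    users.users.${cfg.user} = {
      isSystemUser = true;
      group = cfg.group;
    };
    users.groups.${cfg.group} = { };
  };
}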