116 lines
3.5 KiB
Nix
116 lines
3.5 KiB
Nix
{ pkgs, lib, config, ... }:
|
|
with lib;
|
|
with types;
|
|
let
|
|
runners = config.services.drone-exec-runner;
|
|
runnerOpts = {
|
|
options = {
|
|
enable = mkEnableOption "Enable an Drone CI/CD Exec Runner";
|
|
restartIfChanged = mkOption {
|
|
type = bool;
|
|
default = true;
|
|
description = ''Restart the runner if configuration changes.
|
|
Consider the scenario where the runner runs on the same machine where it gets deployed and
|
|
this runner is redeploying itself.
|
|
If restart if changed is true, the runner gets killed during the process, this is very bad.
|
|
To enable these scenarios, restart manually the runners once deployment is done.
|
|
'';
|
|
};
|
|
package = mkOption {
|
|
type = package;
|
|
default = pkgs.drone-runner-exec;
|
|
defaultText = "pkgs.drone-runner-exec";
|
|
};
|
|
env = mkOption {
|
|
type = listOf str;
|
|
description = "Environment strings (e.g. DRONE_RUNNER_CAPACITY, CLIENT_DRONE_RPC_HOST, etc.)";
|
|
example = [
|
|
"DRONE_RUNNER_CAPACITY=10"
|
|
"CLIENT_DRONE_RPC_HOST=127.0.0.1:3030"
|
|
];
|
|
};
|
|
envFile = mkOption {
|
|
type = str;
|
|
description = "Path to the environment file (may contains secrets, notably the shared RPC secret)";
|
|
};
|
|
user = mkOption {
|
|
type = str;
|
|
default = "drone-runner-exec";
|
|
};
|
|
group = mkOption {
|
|
type = str;
|
|
default = "drone-runner-exec";
|
|
};
|
|
allowedPackages = mkOption {
|
|
type = listOf package;
|
|
default = with pkgs; [
|
|
git
|
|
gnutar
|
|
bash
|
|
nix
|
|
gzip
|
|
];
|
|
};
|
|
};
|
|
};
|
|
in
|
|
{
|
|
options.services.drone-exec-runner = mkOption {
|
|
type = attrsOf (submodule runnerOpts);
|
|
default = {};
|
|
};
|
|
|
|
config = mkIf (any (cfg: cfg.enable) (attrValues runners)) {
|
|
systemd.services = mapAttrs' (runnerName: cfg: nameValuePair ("drone-exec-runner-${runnerName}") ({
|
|
wantedBy = [ "multi-user.target" ];
|
|
|
|
inherit (cfg) restartIfChanged;
|
|
|
|
confinement.enable = true;
|
|
confinement.packages = cfg.allowedPackages;
|
|
path = cfg.allowedPackages;
|
|
|
|
serviceConfig = {
|
|
Environment = [
|
|
"NIX_REMOTE=daemon"
|
|
"PAGER=cat"
|
|
"DRONE_RUNNER_NAME=${runnerName}"
|
|
"NIX_PATH=nixpkgs=/var/nixpkgs"
|
|
] ++ cfg.env;
|
|
|
|
BindPaths = [
|
|
"/nix/var/nix/daemon-socket/socket"
|
|
"/run/nscd/socket"
|
|
];
|
|
|
|
BindReadOnlyPaths = [
|
|
"/etc/passwd:/etc/passwd"
|
|
"/etc/group:/etc/group"
|
|
"/nix/var/nix/profiles/system/etc/nix:/etc/nix"
|
|
"/nix/var/nix/profiles/per-user/root/channels/nixos:/var/nixpkgs"
|
|
"${config.environment.etc."ssl/certs/ca-certificates.crt".source}:/etc/ssl/certs/ca-certificates.crt"
|
|
"${config.environment.etc."ssh/ssh_known_hosts".source}:/etc/ssh/ssh_known_hosts"
|
|
"/etc/machine-id"
|
|
"/nix/"
|
|
];
|
|
|
|
TemporaryFileSystem = mkForce "/ /var:rw";
|
|
|
|
EnvironmentFile = [
|
|
cfg.envFile
|
|
];
|
|
|
|
ExecStart = "${cfg.package}/bin/drone-runner-exec";
|
|
User = cfg.user;
|
|
Group = cfg.group;
|
|
};
|
|
})) runners;
|
|
|
|
users.users = mapAttrs' (_: cfg: nameValuePair cfg.user ({
|
|
isSystemUser = true;
|
|
inherit (cfg) group;
|
|
})) runners;
|
|
|
|
users.groups = mapAttrs' (_: cfg: nameValuePair cfg.group {}) runners;
|
|
};
|
|
}
|