mirror of
https://github.com/ilyakooo0/nixpkgs.git
synced 2024-09-23 13:48:21 +03:00
Merge pull request #209692 from veehaitch/gh-runner-mkmerge
nixos/github-runners: use `mkMerge` for `serviceConfig`
This commit is contained in:
commit
4e798adb3d
@ -20,4 +20,6 @@ in
|
||||
config = mkIf cfg.enable {
|
||||
services.github-runners.${cfg.name} = cfg;
|
||||
};
|
||||
|
||||
meta.maintainers = with maintainers; [ veehaitch newam ];
|
||||
}
|
||||
|
@ -127,10 +127,11 @@ with lib;
|
||||
serviceOverrides = mkOption {
|
||||
type = types.attrs;
|
||||
description = lib.mdDoc ''
|
||||
Overrides for the systemd service. Can be used to adjust the sandboxing options.
|
||||
Modify the systemd service. Can be used to, e.g., adjust the sandboxing options.
|
||||
'';
|
||||
example = {
|
||||
ProtectHome = false;
|
||||
RestrictAddressFamilies = [ "AF_PACKET" ];
|
||||
};
|
||||
default = {};
|
||||
};
|
||||
|
@ -45,7 +45,8 @@ in
|
||||
config.nix.package
|
||||
] ++ cfg.extraPackages;
|
||||
|
||||
serviceConfig = {
|
||||
serviceConfig = mkMerge [
|
||||
{
|
||||
ExecStart = "${cfg.package}/bin/Runner.Listener run --startuptype service";
|
||||
|
||||
# Does the following, sequentially:
|
||||
@ -76,7 +77,7 @@ in
|
||||
runnerRegistrationConfig = getAttrs [ "name" "tokenFile" "url" "runnerGroup" "extraLabels" "ephemeral" "workDir" ] cfg;
|
||||
newConfigPath = builtins.toFile "${svcName}-config.json" (builtins.toJSON runnerRegistrationConfig);
|
||||
currentConfigPath = "$STATE_DIRECTORY/.nixos-current-config.json";
|
||||
newConfigTokenPath= "$STATE_DIRECTORY/.new-token";
|
||||
newConfigTokenPath = "$STATE_DIRECTORY/.new-token";
|
||||
currentConfigTokenPath = "$STATE_DIRECTORY/${currentConfigTokenFilename}";
|
||||
|
||||
runnerCredFiles = [
|
||||
@ -202,30 +203,30 @@ in
|
||||
# Hardening (may overlap with DynamicUser=)
|
||||
# The following options are only for optimizing:
|
||||
# systemd-analyze security github-runner
|
||||
AmbientCapabilities = "";
|
||||
CapabilityBoundingSet = "";
|
||||
AmbientCapabilities = mkBefore [ "" ];
|
||||
CapabilityBoundingSet = mkBefore [ "" ];
|
||||
# ProtectClock= adds DeviceAllow=char-rtc r
|
||||
DeviceAllow = "";
|
||||
NoNewPrivileges = true;
|
||||
PrivateDevices = true;
|
||||
PrivateMounts = true;
|
||||
PrivateTmp = true;
|
||||
PrivateUsers = true;
|
||||
ProtectClock = true;
|
||||
ProtectControlGroups = true;
|
||||
ProtectHome = true;
|
||||
ProtectHostname = true;
|
||||
ProtectKernelLogs = true;
|
||||
ProtectKernelModules = true;
|
||||
ProtectKernelTunables = true;
|
||||
ProtectSystem = "strict";
|
||||
RemoveIPC = true;
|
||||
RestrictNamespaces = true;
|
||||
RestrictRealtime = true;
|
||||
RestrictSUIDSGID = true;
|
||||
UMask = "0066";
|
||||
ProtectProc = "invisible";
|
||||
SystemCallFilter = [
|
||||
DeviceAllow = mkBefore [ "" ];
|
||||
NoNewPrivileges = mkDefault true;
|
||||
PrivateDevices = mkDefault true;
|
||||
PrivateMounts = mkDefault true;
|
||||
PrivateTmp = mkDefault true;
|
||||
PrivateUsers = mkDefault true;
|
||||
ProtectClock = mkDefault true;
|
||||
ProtectControlGroups = mkDefault true;
|
||||
ProtectHome = mkDefault true;
|
||||
ProtectHostname = mkDefault true;
|
||||
ProtectKernelLogs = mkDefault true;
|
||||
ProtectKernelModules = mkDefault true;
|
||||
ProtectKernelTunables = mkDefault true;
|
||||
ProtectSystem = mkDefault "strict";
|
||||
RemoveIPC = mkDefault true;
|
||||
RestrictNamespaces = mkDefault true;
|
||||
RestrictRealtime = mkDefault true;
|
||||
RestrictSUIDSGID = mkDefault true;
|
||||
UMask = mkDefault "0066";
|
||||
ProtectProc = mkDefault "invisible";
|
||||
SystemCallFilter = mkBefore [
|
||||
"~@clock"
|
||||
"~@cpu-emulation"
|
||||
"~@module"
|
||||
@ -237,30 +238,31 @@ in
|
||||
"~setdomainname"
|
||||
"~sethostname"
|
||||
];
|
||||
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" "AF_NETLINK" ];
|
||||
RestrictAddressFamilies = mkBefore [ "AF_INET" "AF_INET6" "AF_UNIX" "AF_NETLINK" ];
|
||||
|
||||
BindPaths = lib.optionals (cfg.workDir != null) [ cfg.workDir ];
|
||||
|
||||
# Needs network access
|
||||
PrivateNetwork = false;
|
||||
PrivateNetwork = mkDefault false;
|
||||
# Cannot be true due to Node
|
||||
MemoryDenyWriteExecute = false;
|
||||
MemoryDenyWriteExecute = mkDefault false;
|
||||
|
||||
# The more restrictive "pid" option makes `nix` commands in CI emit
|
||||
# "GC Warning: Couldn't read /proc/stat"
|
||||
# You may want to set this to "pid" if not using `nix` commands
|
||||
ProcSubset = "all";
|
||||
ProcSubset = mkDefault "all";
|
||||
# Coverage programs for compiled code such as `cargo-tarpaulin` disable
|
||||
# ASLR (address space layout randomization) which requires the
|
||||
# `personality` syscall
|
||||
# You may want to set this to `true` if not using coverage tooling on
|
||||
# compiled code
|
||||
LockPersonality = false;
|
||||
LockPersonality = mkDefault false;
|
||||
|
||||
# Note that this has some interactions with the User setting; so you may
|
||||
# want to consult the systemd docs if using both.
|
||||
DynamicUser = true;
|
||||
} // (
|
||||
lib.optionalAttrs (cfg.user != null) { User = cfg.user; }
|
||||
) // cfg.serviceOverrides;
|
||||
DynamicUser = mkDefault true;
|
||||
}
|
||||
(mkIf (cfg.user != null) { User = cfg.user; })
|
||||
cfg.serviceOverrides
|
||||
];
|
||||
}
|
||||
|
@ -53,4 +53,6 @@ in
|
||||
}))
|
||||
);
|
||||
};
|
||||
|
||||
meta.maintainers = with maintainers; [ veehaitch newam ];
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user