Merge pull request #209692 from veehaitch/gh-runner-mkmerge

nixos/github-runners: use `mkMerge` for `serviceConfig`

nixos/modules/services/continuous-integration/github-runner.nix

@@ -20,4 +20,6 @@ in
   config = mkIf cfg.enable {
     services.github-runners.${cfg.name} = cfg;
   };
+
+  meta.maintainers = with maintainers; [ veehaitch newam ];
 }

nixos/modules/services/continuous-integration/github-runner/options.nix

@@ -127,10 +127,11 @@ with lib;
   serviceOverrides = mkOption {
     type = types.attrs;
     description = lib.mdDoc ''
-      Overrides for the systemd service. Can be used to adjust the sandboxing options.
+      Modify the systemd service. Can be used to, e.g., adjust the sandboxing options.
     '';
     example = {
       ProtectHome = false;
+      RestrictAddressFamilies = [ "AF_PACKET" ];
     };
     default = {};
   };

nixos/modules/services/continuous-integration/github-runner/service.nix

@@ -45,7 +45,8 @@ in
     config.nix.package
   ] ++ cfg.extraPackages;
 
-  serviceConfig = {
+  serviceConfig = mkMerge [
+    {
       ExecStart = "${cfg.package}/bin/Runner.Listener run --startuptype service";
 
       # Does the following, sequentially:
@@ -76,7 +77,7 @@ in
           runnerRegistrationConfig = getAttrs [ "name" "tokenFile" "url" "runnerGroup" "extraLabels" "ephemeral" "workDir" ] cfg;
           newConfigPath = builtins.toFile "${svcName}-config.json" (builtins.toJSON runnerRegistrationConfig);
           currentConfigPath = "$STATE_DIRECTORY/.nixos-current-config.json";
-        newConfigTokenPath= "$STATE_DIRECTORY/.new-token";
+          newConfigTokenPath = "$STATE_DIRECTORY/.new-token";
           currentConfigTokenPath = "$STATE_DIRECTORY/${currentConfigTokenFilename}";
 
           runnerCredFiles = [
@@ -202,30 +203,30 @@ in
       # Hardening (may overlap with DynamicUser=)
       # The following options are only for optimizing:
       # systemd-analyze security github-runner
-    AmbientCapabilities = "";
-    CapabilityBoundingSet = "";
+      AmbientCapabilities = mkBefore [ "" ];
+      CapabilityBoundingSet = mkBefore [ "" ];
       # ProtectClock= adds DeviceAllow=char-rtc r
-    DeviceAllow = "";
-    NoNewPrivileges = true;
-    PrivateDevices = true;
-    PrivateMounts = true;
-    PrivateTmp = true;
-    PrivateUsers = true;
-    ProtectClock = true;
-    ProtectControlGroups = true;
-    ProtectHome = true;
-    ProtectHostname = true;
-    ProtectKernelLogs = true;
-    ProtectKernelModules = true;
-    ProtectKernelTunables = true;
-    ProtectSystem = "strict";
-    RemoveIPC = true;
-    RestrictNamespaces = true;
-    RestrictRealtime = true;
-    RestrictSUIDSGID = true;
-    UMask = "0066";
-    ProtectProc = "invisible";
-    SystemCallFilter = [
+      DeviceAllow = mkBefore [ "" ];
+      NoNewPrivileges = mkDefault true;
+      PrivateDevices = mkDefault true;
+      PrivateMounts = mkDefault true;
+      PrivateTmp = mkDefault true;
+      PrivateUsers = mkDefault true;
+      ProtectClock = mkDefault true;
+      ProtectControlGroups = mkDefault true;
+      ProtectHome = mkDefault true;
+      ProtectHostname = mkDefault true;
+      ProtectKernelLogs = mkDefault true;
+      ProtectKernelModules = mkDefault true;
+      ProtectKernelTunables = mkDefault true;
+      ProtectSystem = mkDefault "strict";
+      RemoveIPC = mkDefault true;
+      RestrictNamespaces = mkDefault true;
+      RestrictRealtime = mkDefault true;
+      RestrictSUIDSGID = mkDefault true;
+      UMask = mkDefault "0066";
+      ProtectProc = mkDefault "invisible";
+      SystemCallFilter = mkBefore [
         "~@clock"
         "~@cpu-emulation"
         "~@module"
@@ -237,30 +238,31 @@ in
         "~setdomainname"
         "~sethostname"
       ];
-    RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" "AF_NETLINK" ];
+      RestrictAddressFamilies = mkBefore [ "AF_INET" "AF_INET6" "AF_UNIX" "AF_NETLINK" ];
 
       BindPaths = lib.optionals (cfg.workDir != null) [ cfg.workDir ];
 
       # Needs network access
-    PrivateNetwork = false;
+      PrivateNetwork = mkDefault false;
       # Cannot be true due to Node
-    MemoryDenyWriteExecute = false;
+      MemoryDenyWriteExecute = mkDefault false;
 
       # The more restrictive "pid" option makes `nix` commands in CI emit
       # "GC Warning: Couldn't read /proc/stat"
       # You may want to set this to "pid" if not using `nix` commands
-    ProcSubset = "all";
+      ProcSubset = mkDefault "all";
       # Coverage programs for compiled code such as `cargo-tarpaulin` disable
       # ASLR (address space layout randomization) which requires the
       # `personality` syscall
       # You may want to set this to `true` if not using coverage tooling on
       # compiled code
-    LockPersonality = false;
+      LockPersonality = mkDefault false;
 
       # Note that this has some interactions with the User setting; so you may
       # want to consult the systemd docs if using both.
-    DynamicUser = true;
-  } // (
-    lib.optionalAttrs (cfg.user != null) { User = cfg.user; }
-  ) // cfg.serviceOverrides;
+      DynamicUser = mkDefault true;
+    }
+    (mkIf (cfg.user != null) { User = cfg.user; })
+    cfg.serviceOverrides
+  ];
 }

nixos/modules/services/continuous-integration/github-runners.nix

@@ -53,4 +53,6 @@ in
         }))
     );
   };
+
+  meta.maintainers = with maintainers; [ veehaitch newam ];
 }