vuls: init at 0.27.0

[NixPkgs.git] / nixos / modules / services / continuous-integration / github-runner / service.nix

{ config
, lib
, pkgs
, ...
}:

with lib;
{
  config.assertions = flatten (
    flip mapAttrsToList config.services.github-runners (name: cfg: map (mkIf cfg.enable) [
      {
        assertion = !cfg.noDefaultLabels || (cfg.extraLabels != [ ]);
        message = "`services.github-runners.${name}`: The `extraLabels` option is mandatory if `noDefaultLabels` is set";
      }
      {
        assertion = cfg.group == null || cfg.user != null;
        message = ''`services.github-runners.${name}`: Setting `group` while leaving `user` unset runs the service as `root`. If this is really what you want, set `user = "root"` explicitly'';
      }
    ])
  );

  config.systemd.services = flip mapAttrs' config.services.github-runners (name: cfg:
    let
      svcName = "github-runner-${name}";
      systemdDir = "github-runner/${name}";

      # %t: Runtime directory root (usually /run); see systemd.unit(5)
      runtimeDir = "%t/${systemdDir}";
      # %S: State directory root (usually /var/lib); see systemd.unit(5)
      stateDir = "%S/${systemdDir}";
      # %L: Log directory root (usually /var/log); see systemd.unit(5)
      logsDir = "%L/${systemdDir}";
      # Name of file stored in service state directory
      currentConfigTokenFilename = ".current-token";

      workDir = if cfg.workDir == null then runtimeDir else cfg.workDir;
      # Support old github-runner versions which don't have the `nodeRuntimes` arg yet.
      package = cfg.package.override (old: optionalAttrs (hasAttr "nodeRuntimes" old) { inherit (cfg) nodeRuntimes; });
    in
    nameValuePair svcName {
      description = "GitHub Actions runner";

      wantedBy = [ "multi-user.target" ];
      wants = [ "network-online.target" ];
      after = [ "network.target" "network-online.target" ];

      environment = {
        HOME = workDir;
        RUNNER_ROOT = stateDir;
      } // cfg.extraEnvironment;

      path = (with pkgs; [
        bash
        coreutils
        git
        gnutar
        gzip
      ]) ++ [
        config.nix.package
      ] ++ cfg.extraPackages;

      serviceConfig = mkMerge [
        {
          ExecStart = "${package}/bin/Runner.Listener run --startuptype service";

          # Does the following, sequentially:
          # - If the module configuration or the token has changed, purge the state directory,
          #   and create the current and the new token file with the contents of the configured
          #   token. While both files have the same content, only the later is accessible by
          #   the service user.
          # - Configure the runner using the new token file. When finished, delete it.
          # - Set up the directory structure by creating the necessary symlinks.
          ExecStartPre =
            let
              # Wrapper script which expects the full path of the state, working and logs
              # directory as arguments. Overrides the respective systemd variables to provide
              # unambiguous directory names. This becomes relevant, for example, if the
              # caller overrides any of the StateDirectory=, RuntimeDirectory= or LogDirectory=
              # to contain more than one directory. This causes systemd to set the respective
              # environment variables with the path of all of the given directories, separated
              # by a colon.
              writeScript = name: lines: pkgs.writeShellScript "${svcName}-${name}.sh" ''
                set -euo pipefail

                STATE_DIRECTORY="$1"
                WORK_DIRECTORY="$2"
                LOGS_DIRECTORY="$3"

                ${lines}
              '';
              runnerRegistrationConfig = getAttrs [
                "ephemeral"
                "extraLabels"
                "name"
                "noDefaultLabels"
                "runnerGroup"
                "tokenFile"
                "url"
                "workDir"
              ]
                cfg;
              newConfigPath = builtins.toFile "${svcName}-config.json" (builtins.toJSON runnerRegistrationConfig);
              currentConfigPath = "$STATE_DIRECTORY/.nixos-current-config.json";
              newConfigTokenPath = "$STATE_DIRECTORY/.new-token";
              currentConfigTokenPath = "$STATE_DIRECTORY/${currentConfigTokenFilename}";

              runnerCredFiles = [
                ".credentials"
                ".credentials_rsaparams"
                ".runner"
              ];
              unconfigureRunner = writeScript "unconfigure" ''
                copy_tokens() {
                  # Copy the configured token file to the state dir and allow the service user to read the file
                  install --mode=666 ${escapeShellArg cfg.tokenFile} "${newConfigTokenPath}"
                  # Also copy current file to allow for a diff on the next start
                  install --mode=600 ${escapeShellArg cfg.tokenFile} "${currentConfigTokenPath}"
                }
                clean_state() {
                  find "$STATE_DIRECTORY/" -mindepth 1 -delete
                  copy_tokens
                }
                diff_config() {
                  changed=0
                  # Check for module config changes
                  [[ -f "${currentConfigPath}" ]] \
                    && ${pkgs.diffutils}/bin/diff -q '${newConfigPath}' "${currentConfigPath}" >/dev/null 2>&1 \
                    || changed=1
                  # Also check the content of the token file
                  [[ -f "${currentConfigTokenPath}" ]] \
                    && ${pkgs.diffutils}/bin/diff -q "${currentConfigTokenPath}" ${escapeShellArg cfg.tokenFile} >/dev/null 2>&1 \
                    || changed=1
                  # If the config has changed, remove old state and copy tokens
                  if [[ "$changed" -eq 1 ]]; then
                    echo "Config has changed, removing old runner state."
                    echo "The old runner will still appear in the GitHub Actions UI." \
                         "You have to remove it manually."
                    clean_state
                  fi
                }
                if [[ "${optionalString cfg.ephemeral "1"}" ]]; then
                  # In ephemeral mode, we always want to start with a clean state
                  clean_state
                elif [[ "$(ls -A "$STATE_DIRECTORY")" ]]; then
                  # There are state files from a previous run; diff them to decide if we need a new registration
                  diff_config
                else
                  # The state directory is entirely empty which indicates a first start
                  copy_tokens
                fi
                # Always clean workDir
                find -H "$WORK_DIRECTORY" -mindepth 1 -delete
              '';
              configureRunner = writeScript "configure" /*bash*/''
                if [[ -e "${newConfigTokenPath}" ]]; then
                  echo "Configuring GitHub Actions Runner"
                  # shellcheck disable=SC2054  # don't complain about commas in --labels
                  args=(
                    --unattended
                    --disableupdate
                    --work "$WORK_DIRECTORY"
                    --url ${escapeShellArg cfg.url}
                    --labels ${escapeShellArg (concatStringsSep "," cfg.extraLabels)}
                    ${optionalString (cfg.name != null ) "--name ${escapeShellArg cfg.name}"}
                    ${optionalString cfg.replace "--replace"}
                    ${optionalString (cfg.runnerGroup != null) "--runnergroup ${escapeShellArg cfg.runnerGroup}"}
                    ${optionalString cfg.ephemeral "--ephemeral"}
                    ${optionalString cfg.noDefaultLabels "--no-default-labels"}
                  )
                  # If the token file contains a PAT (i.e., it starts with "ghp_" or "github_pat_"), we have to use the --pat option,
                  # if it is not a PAT, we assume it contains a registration token and use the --token option
                  token=$(<"${newConfigTokenPath}")
                  if [[ "$token" =~ ^ghp_* ]] || [[ "$token" =~ ^github_pat_* ]]; then
                    args+=(--pat "$token")
                  else
                    args+=(--token "$token")
                  fi
                  ${package}/bin/Runner.Listener configure "''${args[@]}"
                  # Move the automatically created _diag dir to the logs dir
                  mkdir -p  "$STATE_DIRECTORY/_diag"
                  cp    -r  "$STATE_DIRECTORY/_diag/." "$LOGS_DIRECTORY/"
                  rm    -rf "$STATE_DIRECTORY/_diag/"
                  # Cleanup token from config
                  rm "${newConfigTokenPath}"
                  # Symlink to new config
                  ln -s '${newConfigPath}' "${currentConfigPath}"
                fi
              '';
              setupWorkDir = writeScript "setup-work-dirs" ''
                # Link _diag dir
                ln -s "$LOGS_DIRECTORY" "$WORK_DIRECTORY/_diag"

                # Link the runner credentials to the work dir
                ln -s "$STATE_DIRECTORY"/{${lib.concatStringsSep "," runnerCredFiles}} "$WORK_DIRECTORY/"
              '';
            in
            map (x: "${x} ${escapeShellArgs [ stateDir workDir logsDir ]}") [
              "+${unconfigureRunner}" # runs as root
              configureRunner
              setupWorkDir
            ];

          # If running in ephemeral mode, restart the service on-exit (i.e., successful de-registration of the runner)
          # to trigger a fresh registration.
          Restart = if cfg.ephemeral then "on-success" else "no";
          # If the runner exits with `ReturnCode.RetryableError = 2`, always restart the service:
          # https://github.com/actions/runner/blob/40ed7f8/src/Runner.Common/Constants.cs#L146
          RestartForceExitStatus = [ 2 ];

          # Contains _diag
          LogsDirectory = [ systemdDir ];
          # Default RUNNER_ROOT which contains ephemeral Runner data
          RuntimeDirectory = [ systemdDir ];
          # Home of persistent runner data, e.g., credentials
          StateDirectory = [ systemdDir ];
          StateDirectoryMode = "0700";
          WorkingDirectory = workDir;

          InaccessiblePaths = [
            # Token file path given in the configuration, if visible to the service
            "-${cfg.tokenFile}"
            # Token file in the state directory
            "${stateDir}/${currentConfigTokenFilename}"
          ];

          KillSignal = "SIGINT";

          # Hardening (may overlap with DynamicUser=)
          # The following options are only for optimizing:
          # systemd-analyze security github-runner
          AmbientCapabilities = mkBefore [ "" ];
          CapabilityBoundingSet = mkBefore [ "" ];
          # ProtectClock= adds DeviceAllow=char-rtc r
          DeviceAllow = mkBefore [ "" ];
          NoNewPrivileges = mkDefault true;
          PrivateDevices = mkDefault true;
          PrivateMounts = mkDefault true;
          PrivateTmp = mkDefault true;
          PrivateUsers = mkDefault true;
          ProtectClock = mkDefault true;
          ProtectControlGroups = mkDefault true;
          ProtectHome = mkDefault true;
          ProtectHostname = mkDefault true;
          ProtectKernelLogs = mkDefault true;
          ProtectKernelModules = mkDefault true;
          ProtectKernelTunables = mkDefault true;
          ProtectSystem = mkDefault "strict";
          RemoveIPC = mkDefault true;
          RestrictNamespaces = mkDefault true;
          RestrictRealtime = mkDefault true;
          RestrictSUIDSGID = mkDefault true;
          UMask = mkDefault "0066";
          ProtectProc = mkDefault "invisible";
          SystemCallFilter = mkBefore [
            "~@clock"
            "~@cpu-emulation"
            "~@module"
            "~@mount"
            "~@obsolete"
            "~@raw-io"
            "~@reboot"
            "~capset"
            "~setdomainname"
            "~sethostname"
          ];
          RestrictAddressFamilies = mkBefore [ "AF_INET" "AF_INET6" "AF_UNIX" "AF_NETLINK" ];

          BindPaths = lib.optionals (cfg.workDir != null) [ cfg.workDir ];

          # Needs network access
          PrivateNetwork = mkDefault false;
          # Cannot be true due to Node
          MemoryDenyWriteExecute = mkDefault false;

          # The more restrictive "pid" option makes `nix` commands in CI emit
          # "GC Warning: Couldn't read /proc/stat"
          # You may want to set this to "pid" if not using `nix` commands
          ProcSubset = mkDefault "all";
          # Coverage programs for compiled code such as `cargo-tarpaulin` disable
          # ASLR (address space layout randomization) which requires the
          # `personality` syscall
          # You may want to set this to `true` if not using coverage tooling on
          # compiled code
          LockPersonality = mkDefault false;

          DynamicUser = mkDefault true;
        }
        (mkIf (cfg.user != null) {
          DynamicUser = false;
          User = cfg.user;
        })
        (mkIf (cfg.group != null) {
          DynamicUser = false;
          Group = cfg.group;
        })
        cfg.serviceOverrides
      ];
    }
  );
}