2024-02-28 09:40:25 +01:00
{ config, lib, pkgs, ... }:
2024-12-07 12:53:16 +11:00
2024-02-28 09:40:25 +01:00
2024-12-07 12:53:16 +11:00
inherit (lib) any attrValues boolToString concatStringsSep escapeShellArg
2024-12-07 13:00:54 +11:00
flatten flip getExe getExe' hasAttr hasPrefix mapAttrsToList mapAttrs' mkBefore
2024-12-07 12:53:16 +11:00
mkDefault mkIf mkMerge nameValuePair optionalAttrs optionalString replaceStrings;
2024-02-28 09:40:25 +01:00
mkSvcName = name: "github-runner-${name}";
mkStateDir = cfg: "/var/lib/github-runners/${cfg.name}";
mkLogDir = cfg: "/var/log/github-runners/${cfg.name}";
2024-07-27 10:41:18 +10:00
mkWorkDir = cfg: if (cfg.workDir != null) then cfg.workDir else "/var/lib/github-runners/_work/${cfg.name}";
2024-02-28 09:40:25 +01:00
config.assertions = flatten (
flip mapAttrsToList config.services.github-runners (name: cfg: map (mkIf cfg.enable) [
2025-02-10 19:51:42 +00:00
# TODO: Upstream this to NixOS.
assertion = config.nix.enable;
message = ''`services.github-runners.${name}.enable` requires `nix.enable`'';
2024-02-28 09:40:25 +01:00
assertion = (cfg.user == null && cfg.group == null) || (cfg.user != null);
message = "`services.github-runners.${name}`: Either set `user` and `group` to `null` to have nix-darwin manage them or set at least `user` explicitly";
assertion = !cfg.noDefaultLabels || (cfg.extraLabels != [ ]);
message = "`services.github-runners.${name}`: The `extraLabels` option is mandatory if `noDefaultLabels` is set";
2024-07-27 10:41:18 +10:00
assertion = cfg.workDir == null || !(hasPrefix "/run/" cfg.workDir || hasPrefix "/var/run/" cfg.workDir || hasPrefix "/private/var/run/");
message = "`services.github-runners.${name}`: `workDir` being inside /run is not supported";
2024-02-28 09:40:25 +01:00
config.warnings = flatten (
flip mapAttrsToList config.services.github-runners (name: cfg: map (mkIf cfg.enable) [
mkIf (hasPrefix builtins.storeDir cfg.tokenFile)
"`services.github-runners.${name}`: `tokenFile` contains a secret but points to the world-readable Nix store."
# Create the necessary directories and make the service user/group their owner
# This has to happen *after* nix-darwin user creation and *before* any launchd service gets started.
config.system.activationScripts = mkMerge (flip mapAttrsToList config.services.github-runners (name: cfg:
user = config.launchd.daemons.${mkSvcName name}.serviceConfig.UserName;
group =
if config.launchd.daemons.${mkSvcName name}.serviceConfig.GroupName != null
then config.launchd.daemons.${mkSvcName name}.serviceConfig.GroupName
else "";
launchd = mkIf cfg.enable {
2024-07-27 10:26:37 +10:00
text = mkBefore (''
2024-02-28 09:40:25 +01:00
echo >&2 "setting up GitHub Runner '${cfg.name}'..."
2024-11-03 20:30:48 +11:00
2024-11-22 11:18:17 +11:00
umask -S u=rwx,g=rx,o= > /dev/null
2024-02-28 09:40:25 +01:00
2024-12-07 13:00:54 +11:00
${getExe' pkgs.coreutils "mkdir"} -p ${escapeShellArg (mkStateDir cfg)}
${getExe' pkgs.coreutils "chown"} ${user}:${group} ${escapeShellArg (mkStateDir cfg)}
2024-11-03 20:30:48 +11:00
2024-12-07 13:00:54 +11:00
${getExe' pkgs.coreutils "mkdir"} -p ${escapeShellArg (mkLogDir cfg)}
2024-12-07 13:06:10 +11:00
# launchd will fail to start the service if the outer direction doesn't have sufficient permissions
${getExe' pkgs.coreutils "chmod"} o+rx ${escapeShellArg (mkLogDir { name = ""; })}
2024-12-07 13:00:54 +11:00
${getExe' pkgs.coreutils "chown"} ${user}:${group} ${escapeShellArg (mkLogDir cfg)}
2024-11-03 20:30:48 +11:00
${optionalString (cfg.workDir == null) ''
2024-12-07 13:00:54 +11:00
${getExe' pkgs.coreutils "mkdir"} -p ${escapeShellArg (mkWorkDir cfg)}
${getExe' pkgs.coreutils "chown"} ${user}:${group} ${escapeShellArg (mkWorkDir cfg)}
2024-11-03 20:30:48 +11:00
2024-07-27 10:26:37 +10:00
2024-02-28 09:40:25 +01:00
config.launchd.daemons = flip mapAttrs' config.services.github-runners (name: cfg:
package = cfg.package.override (old: optionalAttrs (hasAttr "nodeRuntimes" old) { inherit (cfg) nodeRuntimes; });
stateDir = mkStateDir cfg;
logDir = mkLogDir cfg;
workDir = mkWorkDir cfg;
(mkSvcName name)
(mkIf cfg.enable {
environment = {
HOME = stateDir;
RUNNER_ROOT = stateDir;
} // cfg.extraEnvironment;
# Minimal package set for `actions/checkout`
path = (with pkgs; [
]) ++ [
] ++ cfg.extraPackages;
script =
2024-11-04 18:31:38 +01:00
# https://github.com/NixOS/nixpkgs/pull/333744 introduced an inconsistency with different
# versions of nixpkgs. Use the old version of escapeShellArg to make sure that labels
# are always escaped to avoid https://www.shellcheck.net/wiki/SC2054
escapeShellArgAlways = string: "'${replaceStrings ["'"] ["'\\''"] (toString string)}'";
2024-02-28 09:40:25 +01:00
configure = pkgs.writeShellApplication {
name = "configure-github-runner-${name}";
2024-09-03 11:25:58 +02:00
text = /*bash*/''
2024-02-28 09:40:25 +01:00
--work ${escapeShellArg workDir}
--url ${escapeShellArg cfg.url}
2024-11-04 18:31:38 +01:00
--labels ${escapeShellArgAlways (concatStringsSep "," cfg.extraLabels)}
2024-02-28 09:40:25 +01:00
${optionalString (cfg.name != null ) "--name ${escapeShellArg cfg.name}"}
${optionalString cfg.replace "--replace"}
${optionalString (cfg.runnerGroup != null) "--runnergroup ${escapeShellArg cfg.runnerGroup}"}
${optionalString cfg.ephemeral "--ephemeral"}
${optionalString cfg.noDefaultLabels "--no-default-labels"}
# If the token file contains a PAT (i.e., it starts with "ghp_" or "github_pat_"), we have to use the --pat option,
# if it is not a PAT, we assume it contains a registration token and use the --token option
if [[ "$token" =~ ^ghp_* ]] || [[ "$token" =~ ^github_pat_* ]]; then
args+=(--pat "$token")
args+=(--token "$token")
2024-12-07 13:00:54 +11:00
${getExe' package "config.sh"} "''${args[@]}"
2024-02-28 09:40:25 +01:00
echo "Configuring GitHub Actions Runner"
# Always clean the working directory
2024-12-07 13:00:54 +11:00
${getExe pkgs.findutils} ${escapeShellArg workDir} -mindepth 1 -delete
2024-02-28 09:40:25 +01:00
# Clean the $RUNNER_ROOT if we are in ephemeral mode
if ${boolToString cfg.ephemeral}; then
echo "Cleaning $RUNNER_ROOT"
2024-12-07 13:00:54 +11:00
${getExe pkgs.findutils} "$RUNNER_ROOT" -mindepth 1 -delete
2024-02-28 09:40:25 +01:00
# If the `.runner` file does not exist, we assume the runner is not configured
if [[ ! -f "$RUNNER_ROOT/.runner" ]]; then
${getExe configure}
# Start the service
2024-12-07 13:00:54 +11:00
${getExe' package "Runner.Listener"} run --startuptype service
2024-02-28 09:40:25 +01:00
serviceConfig = mkMerge [
GroupName = cfg.group;
KeepAlive = {
Crashed = false;
} // mkIf cfg.ephemeral {
SuccessfulExit = true;
ProcessType = "Interactive";
RunAtLoad = true;
StandardErrorPath = "${logDir}/launchd-stderr.log";
StandardOutPath = "${logDir}/launchd-stdout.log";
ThrottleInterval = 30;
2024-07-27 10:26:37 +10:00
UserName = if (cfg.user != null) then cfg.user else "_github-runner";
2024-02-28 09:40:25 +01:00
WatchPaths = [
WorkingDirectory = stateDir;
# If any GitHub runner configuration has set both `user` and `group` set to `null`,
# manage the user and group `_github-runner` through nix-darwin.
config.users = mkIf (any (cfg: cfg.enable && cfg.user == null && cfg.group == null) (attrValues config.services.github-runners)) {
users."_github-runner" = {
createHome = false;
description = "GitHub Runner service user";
gid = config.users.groups."_github-runner".gid;
home = "/var/lib/github-runners";
shell = "/bin/bash";
uid = mkDefault 533;
knownUsers = [ "_github-runner" ];
groups."_github-runner" = {
gid = mkDefault 533;
description = "GitHub Runner service user group";
knownGroups = [ "_github-runner" ];