From 5c8fb551822a137848a666472a17aeb651ee033d Mon Sep 17 00:00:00 2001
From: Michael Hoang
Date: Sat, 27 Jul 2024 10:26:37 +1000
Subject: [PATCH 1/3] Revert "github-runnners: fix workDir missing on reboot"
This reverts commit fe99aa9699e7dd4ce6a81a8a623d010cedbe7eef.
---
modules/services/github-runner/service.nix | 18 ++++++------------
1 file changed, 6 insertions(+), 12 deletions(-)
diff --git a/modules/services/github-runner/service.nix b/modules/services/github-runner/service.nix
index 2fc133f3..53f2cddb 100644
--- a/modules/services/github-runner/service.nix
+++ b/modules/services/github-runner/service.nix
@@ -41,7 +41,7 @@ in
in { launchd = mkIf cfg.enable {
- text = mkBefore ''
+ text = mkBefore (''
echo >&2 "setting up GitHub Runner '${cfg.name}'..."
${pkgs.coreutils}/bin/mkdir -p -m 0750 ${escapeShellArg (mkStateDir cfg)}
@@ -49,7 +49,10 @@ in
${pkgs.coreutils}/bin/mkdir -p -m 0750 ${escapeShellArg (mkLogDir cfg)}
${pkgs.coreutils}/bin/chown ${user}:${group} ${escapeShellArg (mkLogDir cfg)}
- '';
+ '' + optionalString (cfg.workDir == null) ''
+ ${pkgs.coreutils}/bin/mkdir -p -m 0750 ${escapeShellArg (mkWorkDir cfg)}
+ ${pkgs.coreutils}/bin/chown ${user}:${group} ${escapeShellArg (mkWorkDir cfg)}
+ '');
}; }));
@@ -59,9 +62,6 @@ in
stateDir = mkStateDir cfg;
logDir = mkLogDir cfg;
workDir = mkWorkDir cfg;
- user = if (cfg.user != null) then cfg.user else "_github-runner";
- # If both user and group are null then we manage the group, otherwise if only group is null then there's no group
- group = if (cfg.group != null) then group else if (cfg.user == null) then "_github-runner" else "";
in nameValuePair (mkSvcName name)
@@ -116,12 +116,6 @@ in
'' echo "Configuring GitHub Actions Runner"
- ${optionalString (cfg.workDir == null) ''
- # /var/run gets cleared every reboot so we need to create it before starting the service
- ${pkgs.coreutils}/bin/mkdir -p -m 0750 ${escapeShellArg workDir}
- ${pkgs.coreutils}/bin/chown ${user}:${group} ${escapeShellArg workDir}
- ''} - # Always clean the working directory
${pkgs.findutils}/bin/find ${escapeShellArg workDir} -mindepth 1 -delete
@@ -153,7 +147,7 @@ in
StandardErrorPath = "${logDir}/launchd-stderr.log";
StandardOutPath = "${logDir}/launchd-stdout.log";
ThrottleInterval = 30;
- UserName = user;
+ UserName = if (cfg.user != null) then cfg.user else "_github-runner";
WatchPaths = [
"/etc/resolv.conf"
"/Library/Preferences/SystemConfiguration/NetworkInterfaces.plist"
From a6903cf7e3a451347160c92edb44ba288ebce747 Mon Sep 17 00:00:00 2001
From: Michael Hoang
Date: Sat, 27 Jul 2024 10:39:57 +1000
Subject: [PATCH 2/3] activation-scripts: add extra comment
---
modules/system/activation-scripts.nix | 2 ++
1 file changed, 2 insertions(+)
diff --git a/modules/system/activation-scripts.nix b/modules/system/activation-scripts.nix
index 1495a7b2..83251998 100644
--- a/modules/system/activation-scripts.nix
+++ b/modules/system/activation-scripts.nix
@@ -101,6 +101,8 @@ in
${cfg.activationScripts.preUserActivation.text}
+ # This should be running at the system level, but as user activation runs first
+ # we run it here with sudo
${cfg.activationScripts.createRun.text}
${cfg.activationScripts.checks.text}
${cfg.activationScripts.etcChecks.text}
From dc8e1f4839b735ffed17cb5368d9bd7f19577eb6 Mon Sep 17 00:00:00 2001
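Review bot: The added comment above `${cfg.activationScripts.createRun.text}` explains the ordering but leaves a reader guessing what is elevated: the sudo it mentions is not on this line but, presumably, inside the createRun script itself, which the hunk does not show. Suggest spelling that out, e.g. `# createRun needs root (its script invokes sudo) and conceptually belongs to system activation, but user activation runs first, so it is executed from here.`, adjusted if the elevation actually lives elsewhere. The activation script string this sits in continues on both sides of the hunk.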
From: Michael Hoang
Date: Sat, 27 Jul 2024 10:41:18 +1000
Subject: [PATCH 3/3] github-runners: move `workDir` outside of `/run`
As `/run` gets recreated every reboot and we can't specify dependencies for launchd, creating the `workDir` every reboot will require extra complexity with a separate daemon that runs as `root` otherwise it won't have sufficient privileges. As we clean the `workDir` when the service first starts anyway, it ends up being the same.
---
modules/services/github-runner/options.nix | 6 +++---
modules/services/github-runner/service.nix | 6 +++++-
2 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/modules/services/github-runner/options.nix b/modules/services/github-runner/options.nix
index 772eb783..8f98aa07 100644
--- a/modules/services/github-runner/options.nix
+++ b/modules/services/github-runner/options.nix
@@ -22,12 +22,12 @@ with lib;
* `/var/lib/github-runners/`:
State directory to store the runner registration credentials
+ * `/var/lib/github-runners/_work/`:
+ Working directory for workflow files. The runner only uses this
+ directory if `workDir` is `null` (see the `workDir` option for details).
* `/var/log/github-runners/`:
The launchd service writes the stdout and stderr streams to this directory.
- * `/var/run/github-runners/`:
- Working directory for workflow files. The runner only uses this
- directory if `workDir` is `null` (see the `workDir` option for details).
'';
example = {
runner1 = {
diff --git a/modules/services/github-runner/service.nix b/modules/services/github-runner/service.nix
index 53f2cddb..75d6442a 100644
--- a/modules/services/github-runner/service.nix
+++ b/modules/services/github-runner/service.nix
@@ -4,7 +4,7 @@ let
mkSvcName = name: "github-runner-${name}";
mkStateDir = cfg: "/var/lib/github-runners/${cfg.name}";
mkLogDir = cfg: "/var/log/github-runners/${cfg.name}";
- mkWorkDir = cfg: if (cfg.workDir != null) then cfg.workDir else "/var/run/github-runners/${cfg.name}";
+ mkWorkDir = cfg: if (cfg.workDir != null) then cfg.workDir else "/var/lib/github-runners/_work/${cfg.name}";
in { config.assertions = flatten (
@@ -17,6 +17,10 @@ in
assertion = !cfg.noDefaultLabels || (cfg.extraLabels != [ ]);
message = "`services.github-runners.${name}`: The `extraLabels` option is mandatory if `noDefaultLabels` is set";
}
+ {
+ assertion = cfg.workDir == null || !(hasPrefix "/run/" cfg.workDir || hasPrefix "/var/run/" cfg.workDir || hasPrefix "/private/var/run/");
+ message = "`services.github-runners.${name}`: `workDir` being inside /run is not supported";
+ }
]) );
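Review bot: The new default `/var/lib/github-runners/_work/${cfg.name}` collides with the state directory of a runner named `_work`, for which `mkStateDir` yields exactly `/var/lib/github-runners/_work`; the setup script chowns that state directory to the runner's user, which would make one runner's user the owner of the parent of every other runner's default work directory. Nothing on the page rejects that name, so it is worth guarding next to the other assertions, e.g. `{ assertion = cfg.name != "_work"; message = "`services.github-runners.${name}`: the runner name `_work` is reserved for the default work directory tree"; }`. Separately, the work directory is created with `mkdir -p -m 0750`, and `-m` applies only to the last path component, so the shared `_work` parent gets the umask-derived default mode; presumably acceptable for a root-owned directory, but a comment beside `mkWorkDir` saying so would save the next reader the same check. The `let` block holding `mkWorkDir` opens before the hunk.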
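Review bot: The added assertion is missing the argument to its last disjunct: `hasPrefix "/private/var/run/"` is a partially applied function, so whenever `workDir` is set and is under neither `/run/` nor `/var/run/` the `||` chain reaches it and evaluation aborts with "value is a function while a Boolean was expected" — every user who sets a legitimate `workDir` gets an evaluation error instead of a passing check. The line should read `assertion = cfg.workDir == null || !(hasPrefix "/run/" cfg.workDir || hasPrefix "/var/run/" cfg.workDir || hasPrefix "/private/var/run/" cfg.workDir);`. A bare `/run`, `/var/run` or `/private/var/run` without a trailing slash still passes the prefix checks; if that case matters, compare against the slash-less forms as well. The `config.assertions` list this entry belongs to opens before the hunk.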