This commit updates the nix.conf validation logic to accommodate
different versions of Nix. It introduces a conditional assignment
of the `showCommand` variable, which determines the appropriate
command to use based on the Nix version. For versions at least
"2.20pre", it uses "config show"; otherwise, it falls back to
"show-config". This change ensures compatibility across various
Nix releases.
While #859 added basic support for configuring GitHub runners through
nix-darwin, it did not yet support all of the options the NixOS module
offers.
I am aware that this is a rather big overhaul. I think, however, that
it's worth it:
- Copies the `options.nix` from the [NixOS module] with only minor
adaptations. This should help to keep track of any changes to it.
- Respect the `workDir` config option. So far, the implementation didn't
even read the value of the option.
- Allow configuring a custom user and group.
If both are `null`, nix-darwin manages the `_github-runner` user
shared among all instances. Take care of creating your own users if
that's not what you want.
- Also creates the necessary directories for state, logs and the working
directory (unless `workDir != null`). It uses the following locations:
* state: `/var/lib/github-runners/${name}`
* logs: `/var/log/github-runners/${name}`
* work: The value of `workDir` or `/var/run/github-runners/${name}`
if (`workDir == null`).
We have to create the logs directory before starting the service since
launchd expects that the `Standard{Error,Out}Path` exist. We do this
by prepending to [`system.activationScripts.launchd.text`].
All directories belong to the configured `user` and `group`.
- Warn if a `tokenFile` points to the Nix store.
[NixOS module]: https://github.com/NixOS/nixpkgs/blob/3c30c56/nixos/modules/services/continuous-integration/github-runner/options.nix
[`system.activationScripts.launchd.text`]: https://github.com/LnL7/nix-darwin/blob/bbde06b/modules/system/launchd.nix#L99-L123
This commit adds a protocol option for the `linux-builder` and defaults
it to `ssh-ng`. I have observed it needing this with the following:
``` sh
$ nix store ping --store ssh://linux-builder
Store URL: ssh://linux-builder
$ nix store ping --store ssh-ng://linux-builder
Store URL: ssh-ng://linux-builder
Version: 2.18.1
Trusted: 0
```
This seems to make the difference on whether or not Nix picks up
`linux-builder` as an available builder.
enableScriptingAddition no longer triggers IFD
by using runCommand to generate sudoers.d/yabai,
instead of builtins.hashFile and interpolating the string in nix.
Adds a new module which allows to configure multiple GitHub self-hosted
runners on Darwin. The module is heavily inspired by the nixpkgs NixOS
module. Its implementation differs in some ways:
- There's currently no way to configure the user/group which runs the
runner. All configured runners share the same user and group.
- No automatic cleanup.
- No advanced sandboxing apart from user/group isolation
Properly detect the binary name (not just /nix/store/...-bash, but include the
.../bin/bash), and use the symlinked name which also appears in /etc/shells.
