dotfiles/nixos-config
1
0
Fork 0
mirror of https://github.com/srid/nixos-config.git synced 2026-01-06 15:44:58 +08:00
Code Issues Projects Releases Packages Wiki Activity Actions

gh-runner: simplify: one user is okay

Browse source
This commit is contained in:
Sridhar Ratnakumar 2024-02-01 03:24:54 -05:00
parent aa0843b5cf
commit a0306b9431
1 changed files with 16 additions and 27 deletions
Download patch file Download diff file Expand all files Collapse all files

43
nixos/github-runner.nix
View file

@ -40,15 +40,6 @@ in
default =
(builtins.head (builtins.head (lib.attrValues config.networking.interfaces)).ipv4.addresses).address;
};
runnerUid = lib.mkOption {
type = types.int;
default = 1234;
description = ''
Shared UID between host and containers.
This allows the guest nix processes to access /nix/store of the host.
'';
};
owner = lib.mkOption {
type = types.str;
default = "srid";
@ -93,8 +84,18 @@ in
config =
let
cfg = config.services.personal-github-runners;
user = "github-runner";
userModule = {
users.users.${user} = {
uid = 1099;
isSystemUser = true;
group = user;
};
users.groups.${user} = {};
};
in
{
userModule // {
sops.secrets = lib.mapAttrs'
(name: _: lib.nameValuePair "${cfg.sopsPrefix}/${name}" {
mode = "0440";
@ -115,36 +116,24 @@ in
};
config = { config, pkgs, ... }: {
system.stateVersion = "23.11";
users.users."github-runner-${name}" = {
uid = cfg.runnerUid;
isSystemUser = true;
group = "github-runner-${name}";
};
users.groups."github-runner-${name}" = { };
imports = [ userModule ];
nix.settings = {
trusted-users = [ "github-runner-${name}" ]; # for cachix
trusted-users = [ user ]; # for cachix
experimental-features = "nix-command flakes repl-flake";
max-jobs = "auto";
};
services.github-runners."${name}" = cfg.runnerConfig // {
enable = true;
inherit tokenFile;
inherit user tokenFile;
url = "https://github.com/${cfg.owner}/${name}";
};
};
})
cfg.repositories;
users.users."github-runner" = {
uid = cfg.runnerUid;
isSystemUser = true;
group = "github-runner";
};
users.groups.github-runner = { };
nix.settings = {
trusted-users = [ "github-runner" ];
allowed-users = [ "github-runner" ];
trusted-users = [ user ];
allowed-users = [ user ];
};
};
}