
Commit 4c4eb93

committed
nixos/forgejo.runner: remove systemd escaping, assert on username length
1 parent 2b41024 commit 4c4eb93

2 files changed

Lines changed: 39 additions & 24 deletions


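--- a/nixos/modules/services/continuous-integration/forgejo-runner.nix
+++ b/nixos/modules/services/continuous-integration/forgejo-runner.nix
@@ -2,7 +2,6 @@
 config,
 lib,
 pkgs,
-utils,
 ...
 }:
 
@@ -26,10 +25,6 @@ let
 types
 ;
 
-inherit (utils)
-escapeSystemdPath
-;
-
 cfg = config.services.forgejo.runner;
 
 settingsFormat = pkgs.formats.yaml { };
@@ -92,7 +87,7 @@ in
 '';
 type = attrsOf (
 submodule (
-{ name, ... }:
+{ config, name, ... }:
 {
 options = {
 labels = labelsOption;
@@ -109,6 +104,13 @@ in
 
 url = urlOption;
 
+user = mkOption {
+type = types.str;
+description = "The dynamic username of the runner service.";
+default = "forgejo-runner-${config.name}";
+defaultText = literalExpression "forgejo-runner-\${name}";
+};
+
 registrationTokenFile = mkOption {
 type = types.nullOr (types.either types.str types.path);
 default = null;
@@ -233,6 +235,9 @@ in
 config = mkIf (cfg.instances != { }) {
 assertions = lib.foldlAttrs (
 acc_inst: _: instance:
+let
+userNameLength = builtins.stringLength instance.user;
+in
 (lib.foldlAttrs (
 acc_conn: name: connection:
 acc_conn
@@ -270,6 +275,10 @@ in
 assertion = hasDockerScheme (instanceLabels instance) -> hasDocker || hasPodman;
 message = "forgejo.runner.instances.${instance.name} label configuration requires either docker or podman.";
 }
+{
+assertion = userNameLength <= 31;
+message = ''forgejo.runner.instances.${instance.name}.user = "${instance.user}" has a length of ${toString userNameLength} which exceeds 31 character limit from systemd+glibc. Shorten instance name or explicitly define `instances.<name>.user`.'';
+}
 ]
 ) [ ] cfg.instances;
 
@@ -279,14 +288,13 @@ in
 _: instance:
 let
 allLabels = instanceLabels instance;
-escapedName = escapeSystemdPath instance.name;
 wantsContainer = hasDockerScheme allLabels;
 wantsHost = hasHostScheme allLabels;
 wantsDocker = wantsContainer && hasDocker;
 wantsPodman = wantsContainer && hasPodman;
-configFile = settingsFormat.generate "forgejo-runner-${escapedName}.yaml" instance.settings;
+configFile = settingsFormat.generate "forgejo-runner-${instance.name}.yaml" instance.settings;
 in
-nameValuePair "forgejo-runner@${escapedName}" {
+nameValuePair "forgejo-runner@${instance.name}" {
 overrideStrategy = "asDropin";
 inherit (instance) enable;
 wants = [
@@ -308,6 +316,7 @@ in
 path = [ pkgs.coreutils ] ++ lib.optionals wantsHost instance.hostPackages;
 
 serviceConfig = {
+User = instance.user;
 MemoryDenyWriteExecute = !wantsHost;
 
 LoadCredential =
@@ -317,12 +326,12 @@ in
 ++ lib.mapAttrsToList (name: value: "${name}:${value}") instance.credentials;
 
 SupplementaryGroups = optionals wantsDocker [ "docker" ] ++ optionals wantsPodman [ "podman" ];
-ExecPaths = lib.optionals wantsHost [ "/var/lib/forgejo-runner/${escapedName}" ];
+ExecPaths = lib.optionals wantsHost [ "/var/lib/forgejo-runner/${instance.name}" ];
 
 ExecStartPre = lib.optionals (instance.registrationTokenFile != null) [
 (lib.getExe (
 pkgs.writeShellApplication {
-name = "forgejo-register-runner-${escapedName}";
+name = "forgejo-register-runner-${instance.name}";
 text = ''
 INSTANCE_DIR="$STATE_DIRECTORY"
 mkdir -vp "$INSTANCE_DIR"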
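Review bot: With `escapeSystemdPath` dropped, `instance.name` now reaches the unit instance string (`forgejo-runner@${instance.name}`), the `ExecPaths` entry `/var/lib/forgejo-runner/${instance.name}` and the generated derivation names unescaped, while the new assertion in the `@@ -270` hunk only bounds the length of `instance.user`; an instance name or user containing `/`, `@`, whitespace or other characters that a systemd instance string or a glibc account name rejects still passes evaluation and only fails, or resolves to an unexpected path, when the unit is started. Adding a character-set check next to the length check, `{ assertion = builtins.match "[a-z_][a-z0-9_-]*" instance.user != null; message = "forgejo.runner.instances.${instance.name}.user must match [a-z_][a-z0-9_-]*"; }`, and the same for `instance.name`, would surface this at build time. Separately, the `defaultText` of the new `user` option reads `forgejo-runner-\${name}` while the actual default uses `config.name`; if the instance's `name` option can be set independently of the attribute key (its definition is outside this diff), the documented default will not match the real one. The assertions list and the `serviceConfig` attribute set both start and end outside the visible hunks.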

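--- a/nixos/tests/forgejo.nix
+++ b/nixos/tests/forgejo.nix
@@ -63,16 +63,22 @@ let
 specialisation = {
 runner = {
 inheritParentConfig = true;
-configuration.services.forgejo.runner = {
-package = pkgs.forgejo-runner;
-instances."test" = {
-enable = true;
-url = "http://localhost:3000";
-labels = [
-# type ":host" does not depend on docker/podman/lxc
-"native:host"
-];
-registrationTokenFile = "/var/lib/forgejo/runner_token";
+configuration = {
+services.forgejo.runner = {
+package = pkgs.forgejo-runner;
+
+instances = {
+legacy-registration = {
+enable = true;
+url = "http://localhost:3000";
+user = "runner-legacy";
+labels = [
+# type ":host" does not depend on docker/podman/lxc
+"native:host"
+];
+registrationTokenFile = "/var/lib/forgejo/runner_token";
+};
+};
 };
 };
 };
@@ -81,7 +87,7 @@ let
 inheritParentConfig = true;
 configuration.services.gitea-actions-runner = {
 package = pkgs.forgejo-runner;
-instances."test" = {
+instances.test = {
 enable = true;
 name = "ci";
 url = "http://localhost:3000";
@@ -269,8 +275,8 @@ let
 )
 
 server.succeed("${serverSystem}/specialisation/runner/bin/switch-to-configuration test")
-server.wait_for_unit("forgejo-runner@test.service")
-server.succeed("journalctl -o cat -u forgejo-runner@test.service | grep -q 'Runner registered successfully'")
+server.wait_for_unit("forgejo-runner@legacy-registration.service", timeout=10)
+server.succeed("journalctl -o cat -u forgejo-runner@legacy-registration.service | grep -q 'Runner registered successfully'")
 
 # enable actions feature for this repository, defaults to disabled
 server.succeed(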
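Review bot: The only forgejo.runner instance in the test, `legacy-registration`, sets `user = "runner-legacy"` explicitly, so the new default `forgejo-runner-${config.name}` and the 31-character assertion introduced in the module are never evaluated by this test, and a regression in either would go unnoticed. A second, short-named instance that leaves `user` at its default, or at least a check that the unit actually runs as the configured account, `server.succeed("systemctl show -p User --value forgejo-runner@legacy-registration.service | grep -qx runner-legacy")`, would cover the new code path. The `timeout=10` added to `wait_for_unit` is presumably chosen because the unit is expected to be fast to start; if registration against the local server can take longer under load, it is a flakiness risk worth a comment stating why 10 seconds is enough. The test script continues outside the last hunk.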
