nixos/github-runners: add a group option to set the executing group

Similar to the `user` option, the added `group` option sets the group of the executing process. If not `null`, it also sets `DynamicUser=false`. In case `user` is set to `null` (the default), systemd would run the service as root implicitly. As this is dangerous and most certainly not what users want, we force them to set `user = "root"` explicitly if that's really their intention. That's achieved through an assertion.
2024-02-09 15:50:06 +01:00 · 2024-02-09 15:50:06 +01:00 · 6d8391a3ce
commit 6d8391a3ce
parent 35df23c07d
2 changed files with 33 additions and 1 deletions
--- a/nixos/modules/services/continuous-integration/github-runner/options.nix
+++ b/nixos/modules/services/continuous-integration/github-runner/options.nix
@ -209,12 +209,36 @@ with lib;
        user = mkOption {
          type = types.nullOr types.str;
          description = mdDoc ''
-            User under which to run the service. If null, will use a systemd dynamic user.
+            User under which to run the service.
+
+            If this option and the `group` option is set to `null`,
+            the service runs as a dynamically allocated user.
+
+            Also see the `group` option for an overview on the effects of the `user` and `group` settings.
          '';
          default = null;
          defaultText = literalExpression "username";
        };

+        group = mkOption {
+          type = types.nullOr types.str;
+          description = mdDoc ''
+            Group under which to run the service.
+
+            The effect of this option depends on the value of the `user` option:
+
+            - `group == null` and `user == null`:
+              The service runs with a dynamically allocated user and group.
+            - `group == null` and `user != null`:
+              The service runs as the given user and its default group.
+            - `group != null` and `user == null`:
+              This configuration is invalid. In this case, the service would use the given group
+              but run as root implicitly. If this is really what you want, set `user = "root"` explicitly.
+          '';
+          default = null;
+          defaultText = literalExpression "groupname";
+        };
+
        workDir = mkOption {
          type = with types; nullOr str;
          description = mdDoc ''
--- a/nixos/modules/services/continuous-integration/github-runner/service.nix
+++ b/nixos/modules/services/continuous-integration/github-runner/service.nix
@ -12,6 +12,10 @@ with lib;
        assertion = !cfg.noDefaultLabels || (cfg.extraLabels != [ ]);
        message = "`services.github-runners.${name}`: The `extraLabels` option is mandatory if `noDefaultLabels` is set";
      }
+      {
+        assertion = cfg.group == null || cfg.user != null;
+        message = ''`services.github-runners.${name}`: Setting `group` while leaving `user` unset runs the service as `root`. If this is really what you want, set `user = "root"` explicitly'';
+      }
    ])
  );

@ -284,6 +288,10 @@ with lib;
          DynamicUser = false;
          User = cfg.user;
        })
+        (mkIf (cfg.group != null) {
+          DynamicUser = false;
+          Group = cfg.group;
+        })
        cfg.serviceOverrides
      ];
    }