nixos/github-runners: add a group option to set the executing group
Similar to the `user` option, the added `group` option sets the group of the executing process. If not `null`, it also sets `DynamicUser=false`. In case `user` is set to `null` (the default), systemd would run the service as root implicitly. As this is dangerous and most certainly not what users want, we force them to set `user = "root"` explicitly if that's really their intention. That's achieved through an assertion.
parent 35df23c07d
commit 6d8391a3ce
@ -209,12 +209,36 @@ with lib;
user = mkOption {
type = types.nullOr types.str;
description = mdDoc ''
User under which to run the service. If null, will use a systemd dynamic user.
User under which to run the service.

If this option and the `group` option is set to `null`,
the service runs as a dynamically allocated user.

Also see the `group` option for an overview on the effects of the `user` and `group` settings.
'';
default = null;
defaultText = literalExpression "username";
};

group = mkOption {
type = types.nullOr types.str;
description = mdDoc ''
Group under which to run the service.

The effect of this option depends on the value of the `user` option:

- `group == null` and `user == null`:
The service runs with a dynamically allocated user and group.
- `group == null` and `user != null`:
The service runs as the given user and its default group.
- `group != null` and `user == null`:
This configuration is invalid. In this case, the service would use the given group
but run as root implicitly. If this is really what you want, set `user = "root"` explicitly.
'';
default = null;
defaultText = literalExpression "groupname";
};

workDir = mkOption {
type = with types; nullOr str;
description = mdDoc ''
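Review bot: the new `group` description lists only three of the four `user`/`group` combinations; the ordinary case `group != null` and `user != null` (the service runs as the given user and the given group, with `DynamicUser=false`) is missing and should be added as a fourth bullet, otherwise the "overview" that the `user` description points to is incomplete. Two smaller points in the same hunk: "If this option and the `group` option is set to `null`" should read "are set to `null`", and `defaultText = literalExpression "groupname"` makes the manual show `groupname` as the default although the real default is `null`; that copies the existing `username` line, but consider dropping `defaultText` on both or making clear it is a placeholder.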
@ -12,6 +12,10 @@ with lib;
assertion = !cfg.noDefaultLabels || (cfg.extraLabels != [ ]);
message = "`services.github-runners.${name}`: The `extraLabels` option is mandatory if `noDefaultLabels` is set";
}
{
assertion = cfg.group == null || cfg.user != null;
message = ''`services.github-runners.${name}`: Setting `group` while leaving `user` unset runs the service as `root`. If this is really what you want, set `user = "root"` explicitly'';
}
])
);

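Review bot: `cfg.group == null || cfg.user != null` is the correct contrapositive of the invalid case documented in the option description, so the logic is fine; the style point is that the message is written as a Nix `''...''` string while the neighbouring `extraLabels` assertion uses a plain `"..."` string, and the two should use the same quoting. Note that the check only rejects the root-by-omission combination: nothing verifies that the named group exists, so a typo in `group` surfaces only when systemd fails to start the unit, and as far as these hunks show the module does not create the group itself. A sentence to that effect in the `group` description would save users a confusing failure.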
@ -284,6 +288,10 @@ with lib;
DynamicUser = false;
User = cfg.user;
})
(mkIf (cfg.group != null) {
DynamicUser = false;
Group = cfg.group;
})
cfg.serviceOverrides
];
}
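Review bot: with the assertion from the previous hunk in place, `cfg.group != null` implies `cfg.user != null`, so the `DynamicUser = false;` in the new `group` block is always already set by the preceding `user` block. Either drop the duplicate line, or keep it deliberately so that the block stays correct on its own should the assertion ever be relaxed; in the latter case a short comment saying so would stop the next reader from flagging it as redundant.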