Skip to content

Commit

Permalink
gitlab-runner: add authenticationTokenConfigFile
Browse files Browse the repository at this point in the history
  • Loading branch information
dudeofawesome committed Nov 23, 2024
1 parent 61cee20 commit c39d873
Showing 1 changed file with 212 additions and 59 deletions.
271 changes: 212 additions & 59 deletions modules/services/gitlab-runner.nix
Original file line number Diff line number Diff line change
@@ -1,7 +1,42 @@
{ config, lib, pkgs, ... }:
with builtins;
with lib;
let
inherit (builtins)
hashString
map
substring
toJSON
toString
unsafeDiscardStringContext
;

inherit (lib)
any
assertMsg
attrValues
concatStringsSep
escapeShellArg
filterAttrs
hasPrefix
isStorePath
literalExpression
mapAttrs'
mapAttrsToList
mkDefault
mkEnableOption
mkIf
mkOption
mkPackageOption
mkRemovedOptionModule
mkRenamedOptionModule
nameValuePair
optional
optionalAttrs
optionals
teams
toShellVar
types
;

cfg = config.services.gitlab-runner;
hasDocker = config.virtualisation.docker.enable;
hashedServices = mapAttrs'
Expand Down Expand Up @@ -38,15 +73,20 @@ let
${concatStringsSep "\n" (mapAttrsToList (name: service: ''
if echo "$NEW_SERVICES" | grep -xq ${name}; then
bash -c ${escapeShellArg (concatStringsSep " \\\n " ([
"set -a && source ${service.registrationConfigFile} &&"
"set -a && source ${
if service.registrationConfigFile != null
then service.registrationConfigFile
else service.authenticationTokenConfigFile} &&"
"gitlab-runner register"
"--non-interactive"
"--name ${name}"
"--executor ${service.executor}"
"--limit ${toString service.limit}"
"--request-concurrency ${toString service.requestConcurrency}"
]
++ optional (service.authenticationTokenConfigFile == null)
"--maximum-timeout ${toString service.maximumTimeout}"
] ++ service.registrationFlags
++ service.registrationFlags
++ optional (service.buildsDir != null)
"--builds-dir ${service.buildsDir}"
++ optional (service.cloneUrl != null)
Expand All @@ -57,11 +97,11 @@ let
"--pre-build-script ${service.preBuildScript}"
++ optional (service.postBuildScript != null)
"--post-build-script ${service.postBuildScript}"
++ optional (service.tagList != [ ])
++ optional (service.authenticationTokenConfigFile == null && service.tagList != [ ])
"--tag-list ${concatStringsSep "," service.tagList}"
++ optional service.runUntagged
++ optional (service.authenticationTokenConfigFile == null && service.runUntagged)
"--run-untagged"
++ optional service.protected
++ optional (service.authenticationTokenConfigFile == null && service.protected)
"--access-level ref_protected"
++ optional service.debugTraceDisabled
"--debug-trace-disabled"
Expand Down Expand Up @@ -254,9 +294,14 @@ in
# nix store will be readable in runner, might be insecure
nix = {
# File should contain at least these two variables:
# `CI_SERVER_URL`
# `REGISTRATION_TOKEN`
# - `CI_SERVER_URL`
# - `REGISTRATION_TOKEN`
#
# NOTE: Support for runner registration tokens will be removed in GitLab 18.0.
# Please migrate to runner authentication tokens soon. For reference, the example
# runners below this one are configured with authentication tokens instead.
registrationConfigFile = "/run/secrets/gitlab-runner-registration";
dockerImage = "alpine";
dockerVolumes = [
"/nix/store:/nix/store:ro"
Expand Down Expand Up @@ -295,8 +340,9 @@ in
docker-images = {
# File should contain at least these two variables:
# `CI_SERVER_URL`
# `REGISTRATION_TOKEN`
registrationConfigFile = "/run/secrets/gitlab-runner-registration";
# `CI_SERVER_TOKEN`
authenticationTokenConfigFile = "/run/secrets/gitlab-runner-docker-images-token-env";
dockerImage = "docker:stable";
dockerVolumes = [
"/var/run/docker.sock:/var/run/docker.sock"
Expand All @@ -309,36 +355,68 @@ in
shell = {
# File should contain at least these two variables:
# `CI_SERVER_URL`
# `REGISTRATION_TOKEN`
registrationConfigFile = "/run/secrets/gitlab-runner-registration";
# `CI_SERVER_TOKEN`
authenticationTokenConfigFile = "/run/secrets/gitlab-runner-shell-token-env";
executor = "shell";
tagList = [ "shell" ];
};
# runner for everything else
default = {
# File should contain at least these two variables:
# `CI_SERVER_URL`
# `REGISTRATION_TOKEN`
registrationConfigFile = "/run/secrets/gitlab-runner-registration";
# `CI_SERVER_TOKEN`
authenticationTokenConfigFile = "/run/secrets/gitlab-runner-default-token-env";
dockerImage = "debian:stable";
};
}
'';
type = types.attrsOf (types.submodule {
options = {
authenticationTokenConfigFile = mkOption {
type = with types; nullOr path;
default = null;
description = ''
Absolute path to a file containing environment variables used for
gitlab-runner registrations with *runner authentication tokens*.
They replace the deprecated *runner registration tokens*, as
outlined in the [GitLab documentation].
A list of all supported environment variables can be found with
`gitlab-runner register --help`.
The ones you probably want to set are:
- `CI_SERVER_URL=<CI server URL>`
- `CI_SERVER_TOKEN=<runner authentication token secret>`
::: {.warning}
Make sure to use a quoted absolute path,
or it is going to be copied to Nix Store.
:::
[GitLab documentation]: https://docs.gitlab.com/17.0/ee/ci/runners/new_creation_workflow.html#estimated-time-frame-for-planned-changes
'';
};
registrationConfigFile = mkOption {
type = types.path;
type = with types; nullOr path;
default = null;
description = ''
Absolute path to a file with environment variables
used for gitlab-runner registration.
used for gitlab-runner registration with *runner registration
tokens*.
A list of all supported environment variables can be found in
`gitlab-runner register --help`.
Ones that you probably want to set is
The ones you probably want to set are:
- `CI_SERVER_URL=<CI server URL>`
- `REGISTRATION_TOKEN=<registration secret>`
`CI_SERVER_URL=<CI server URL>`
Support for *runner registration tokens* is deprecated since
GitLab 16.0, has been disabled by default in GitLab 17.0 and
will be removed in GitLab 18.0, as outlined in the
[GitLab documentation]. Please consider migrating to
[runner authentication tokens] and check the documentation on
{option}`services.gitlab-runner.services.<name>.authenticationTokenConfigFile`.
`REGISTRATION_TOKEN=<registration secret>`
[GitLab documentation]: https://docs.gitlab.com/17.0/ee/ci/runners/new_creation_workflow.html#estimated-time-frame-for-planned-changes
[runner authentication tokens]: https://docs.gitlab.com/17.0/ee/ci/runners/new_creation_workflow.html#the-new-runner-registration-workflow
'';
};
registrationFlags = mkOption {
Expand Down Expand Up @@ -469,6 +547,9 @@ in
default = [ ];
description = ''
Tag list.
This option has no effect for runners registered with an runner
authentication tokens and will be ignored.
'';
};
runUntagged = mkOption {
Expand All @@ -477,6 +558,9 @@ in
description = ''
Register to run untagged builds; defaults to
`true` when {option}`tagList` is empty.
This option has no effect for runners registered with an runner
authentication tokens and will be ignored.
'';
};
limit = mkOption {
Expand All @@ -500,6 +584,9 @@ in
description = ''
What is the maximum timeout (in seconds) that will be set for
job when using this Runner. 0 (default) simply means don't limit.
This option has no effect for runners registered with an runner
authentication tokens and will be ignored.
'';
};
protected = mkOption {
Expand All @@ -508,6 +595,9 @@ in
description = ''
When set to true Runner will only run on pipelines
triggered on protected branches.
This option has no effect for runners registered with an runner
authentication tokens and will be ignored.
'';
};
debugTraceDisabled = mkOption {
Expand Down Expand Up @@ -544,53 +634,116 @@ in
# chown ${toString user.uid}:${toString user.gid} '${user.home}'
#'';

assertions =
mapAttrsToList (name: serviceConfig: {
assertion = serviceConfig.registrationConfigFile == null || serviceConfig.authenticationTokenConfigFile == null;
message = "`services.gitlab-runner.${name}.registrationConfigFile` and `services.gitlab-runner.services.${name}.authenticationTokenConfigFile` are mutually exclusive.";
}) cfg.services;

warnings =
mapAttrsToList
(name: serviceConfig: "services.gitlab-runner.services.${name}.`registrationConfigFile` points to a file in Nix Store. You should use quoted absolute path to prevent this.")
(filterAttrs (name: serviceConfig: isStorePath serviceConfig.registrationConfigFile) cfg.services)
++ mapAttrsToList
(name: serviceConfig: "services.gitlab-runner.services.${name}.`authenticationTokenConfigFile` points to a file in Nix Store. You should use quoted absolute path to prevent this.")
(filterAttrs (name: serviceConfig: isStorePath serviceConfig.authenticationTokenConfigFile) cfg.services)
++ mapAttrsToList
(name: serviceConfig: ''
Runner registration tokens have been deprecated and disabled by default in GitLab >= 17.0.
Consider migrating to runner authentication tokens by setting `services.gitlab-runner.services.${name}.authenticationTokenConfigFile`.
https://docs.gitlab.com/17.0/ee/ci/runners/new_creation_workflow.html''
)
(
filterAttrs (name: serviceConfig:
serviceConfig.authenticationTokenConfigFile == null
) cfg.services
)
++ mapAttrsToList
(name: serviceConfig: ''
`services.gitlab-runner.services.${name}.protected` with runner authentication tokens has no effect and will be ignored. Please remove it from your configuration.''
)
(
filterAttrs (name: serviceConfig:
serviceConfig.authenticationTokenConfigFile != null && serviceConfig.protected == true
) cfg.services
)
++ mapAttrsToList
(name: serviceConfig: ''
`services.gitlab-runner.services.${name}.runUntagged` with runner authentication tokens has no effect and will be ignored. Please remove it from your configuration.''
)
(
filterAttrs (name: serviceConfig:
serviceConfig.authenticationTokenConfigFile != null && serviceConfig.runUntagged == true
) cfg.services
)
++ mapAttrsToList
(name: v: ''
`services.gitlab-runner.services.${name}.maximumTimeout` with runner authentication tokens has no effect and will be ignored. Please remove it from your configuration.''
)
(
filterAttrs (name: serviceConfig:
serviceConfig.authenticationTokenConfigFile != null && serviceConfig.maximumTimeout != 0
) cfg.services
)
++ mapAttrsToList
(name: v: ''
`services.gitlab-runner.services.${name}.tagList` with runner authentication tokens has no effect and will be ignored. Please remove it from your configuration.''
)
(
filterAttrs (serviceName: serviceConfig:
serviceConfig.authenticationTokenConfigFile != null && serviceConfig.tagList != [ ]
) cfg.services
)
;

warnings = optional (cfg.configFile != null) "services.gitlab-runner.`configFile` is deprecated, please use services.gitlab-runner.`services`.";
environment.systemPackages = [ cfg.package ];

launchd.daemons.gitlab-runner = {
environment = { #config.networking.proxy.envVars // {
HOME = "${config.users.users.gitlab-runner.home}";
NIX_SSL_CERT_FILE = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
} // (if config.nix.useDaemon then { NIX_REMOTE = "daemon"; } else {});
path = with pkgs; [
bash
gawk
jq
moreutils
remarshal
# util-linux
cfg.package
coreutils
gnugrep
gnused
] ++ cfg.extraPackages;

script = ''
${configureScript}/bin/gitlab-runner-configure && ${startScript}/bin/gitlab-runner-start
'';

serviceConfig = {
ProcessType = "Interactive";
ThrottleInterval = 30;

# StandardOutPath = "/var/lib/gitlab-runner/out.log";
# StandardErrorPath = "/var/lib/gitlab-runner/err.log";
# The combination of KeepAlive.NetworkState and WatchPaths
# will ensure that buildkite-agent is started on boot, but
# after networking is available (so the hostname is
# correct).
RunAtLoad = true;
} // (if config.nix.useDaemon then { NIX_REMOTE = "daemon"; } else { });

path =
(with pkgs; [
bash
gawk
jq
moreutils
remarshal
# util-linux
coreutils
gnugrep
gnused
])
++ [ cfg.package ]
++ cfg.extraPackages;

script = ''
${configureScript}/bin/gitlab-runner-configure && ${startScript}/bin/gitlab-runner-start
'';

serviceConfig = {
ProcessType = "Interactive";
ThrottleInterval = 30;

# StandardOutPath = "/var/lib/gitlab-runner/out.log";
# StandardErrorPath = "/var/lib/gitlab-runner/err.log";
# The combination of KeepAlive.NetworkState and WatchPaths
# will ensure that buildkite-agent is started on boot, but
# after networking is available (so the hostname is
# correct).
RunAtLoad = true;
# KeepAlive.NetworkState = true;
WatchPaths = [
"/etc/resolv.conf"
"/Library/Preferences/SystemConfiguration/NetworkInterfaces.plist"
];

GroupName = "gitlab-runner";
UserName = "gitlab-runner";
WorkingDirectory = config.users.users.gitlab-runner.home;
};
WatchPaths = [
"/etc/resolv.conf"
"/Library/Preferences/SystemConfiguration/NetworkInterfaces.plist"
];

GroupName = "gitlab-runner";
UserName = "gitlab-runner";
WorkingDirectory = config.users.users.gitlab-runner.home;
};

};
# systemd.services.gitlab-runner = {
Expand Down

0 comments on commit c39d873

Please sign in to comment.