nixos-config/machines/fuuko/services/drone/runner-exec.nix

# adapted from https://github.com/Mic92/dotfiles/blob/master/nixos/eve/modules/drone/exec-runner.nix
{ config, lib, pkgs, ... }:
let
  user = "drone-runner-exec";
  group = "drone-runner-exec";

  availablePkgs = with pkgs; [
    bash
    git
    git-lfs
    gnutar
    gzip
    nix
  ];
in
{
  systemd.services.drone-runner-exec = {
    wantedBy = [ "multi-user.target" ];
    # might break deployment
    restartIfChanged = false;
    confinement = {
      enable = true;
      packages = availablePkgs;
    };
    path = availablePkgs;
    environment = {
      DRONE_RPC_HOST = "ci.sbruder.de";
      DRONE_RPC_PROTO = "https";
      DRONE_RUNNER_CAPACITY = "2";
      NIX_REMOTE = "daemon";
      PAGER = "cat";
    };
    serviceConfig = {
      EnvironmentFile = lib.singleton config.krops.secrets.drone-rpc-environment.path;
      BindPaths = [
        "/nix/var/nix/daemon-socket/socket"
        "/run/nscd/socket"
      ];
      BindReadOnlyPaths = [
        "/etc/group:/etc/group"
        "/etc/machine-id"
        "/etc/nix:/etc/nix"
        "/etc/passwd:/etc/passwd"
        "/etc/ssh/ssh_known_hosts:/etc/ssh/ssh_known_hosts"
        "/etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt"
        "/nix"
      ];
      ExecStart = "${pkgs.unstable.drone-runner-exec}/bin/drone-runner-exec";
      User = user;
      Group = group;
    };
  };

  users.users."${user}" = {
    isSystemUser = true;
    inherit group;
  };
  users.groups."${group}" = { };
}
fuuko/drone: Init 2021-04-03 18:47:01 +02:00			`# adapted from https://github.com/Mic92/dotfiles/blob/master/nixos/eve/modules/drone/exec-runner.nix`
			`{ config, lib, pkgs, ... }:`
			`let`
			`user = "drone-runner-exec";`
			`group = "drone-runner-exec";`

			`availablePkgs = with pkgs; [`
			`bash`
			`git`
			`git-lfs`
			`gnutar`
			`gzip`
			`nix`
			`];`
			`in`
			`{`
			`systemd.services.drone-runner-exec = {`
			`wantedBy = [ "multi-user.target" ];`
			`# might break deployment`
			`restartIfChanged = false;`
			`confinement = {`
			`enable = true;`
			`packages = availablePkgs;`
			`};`
			`path = availablePkgs;`
			`environment = {`
			`DRONE_RPC_HOST = "ci.sbruder.de";`
			`DRONE_RPC_PROTO = "https";`
			`DRONE_RUNNER_CAPACITY = "2";`
			`NIX_REMOTE = "daemon";`
			`PAGER = "cat";`
			`};`
			`serviceConfig = {`
			`EnvironmentFile = lib.singleton config.krops.secrets.drone-rpc-environment.path;`
			`BindPaths = [`
			`"/nix/var/nix/daemon-socket/socket"`
			`"/run/nscd/socket"`
			`];`
			`BindReadOnlyPaths = [`
			`"/etc/group:/etc/group"`
			`"/etc/machine-id"`
			`"/etc/nix:/etc/nix"`
			`"/etc/passwd:/etc/passwd"`
			`"/etc/ssh/ssh_known_hosts:/etc/ssh/ssh_known_hosts"`
			`"/etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt"`
			`"/nix"`
			`];`
			`ExecStart = "${pkgs.unstable.drone-runner-exec}/bin/drone-runner-exec";`
			`User = user;`
			`Group = group;`
			`};`
			`};`

			`users.users."${user}" = {`
			`isSystemUser = true;`
			`inherit group;`
			`};`
			`users.groups."${group}" = { };`
			`}`