nixos-config/machines/fuuko/services/drone/runner-exec.nix

62 lines
1.5 KiB
Nix

# adapted from https://github.com/Mic92/dotfiles/blob/master/nixos/eve/modules/drone/exec-runner.nix
{ config, lib, pkgs, ... }:
let
user = "drone-runner-exec";
group = "drone-runner-exec";
availablePkgs = with pkgs; [
bash
git
git-lfs
gnutar
gzip
nixUnstable
];
in
{
systemd.services.drone-runner-exec = {
wantedBy = [ "multi-user.target" ];
# might break deployment
restartIfChanged = false;
confinement = {
enable = true;
packages = availablePkgs;
};
path = availablePkgs;
environment = {
DRONE_HTTP_BIND = ":3002";
DRONE_RPC_HOST = "ci.sbruder.de";
DRONE_RPC_PROTO = "https";
DRONE_RUNNER_CAPACITY = "2";
NIX_REMOTE = "daemon";
PAGER = "cat";
};
serviceConfig = {
EnvironmentFile = lib.singleton config.sops.secrets.drone-rpc-environment.path;
BindPaths = [
"/nix/var/nix/daemon-socket/socket"
"/run/nscd/socket"
];
BindReadOnlyPaths = [
"/etc/group:/etc/group"
"/etc/machine-id"
"/etc/nix:/etc/nix"
"/etc/passwd:/etc/passwd"
"/etc/ssh/ssh_known_hosts:/etc/ssh/ssh_known_hosts"
"/etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt"
"/etc/static"
"/nix"
];
ExecStart = "${pkgs.drone-runner-exec}/bin/drone-runner-exec";
User = user;
Group = group;
};
};
users.users."${user}" = {
isSystemUser = true;
inherit group;
};
users.groups."${group}" = { };
}