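# pub-solar.ci-runner: runs a Drone "exec" runner inside a throwaway Debian
# container as the unprivileged user `build`, with a single-user Nix install.
#
# Trust model to keep in mind: every pipeline step this runner accepts executes
# as `build` inside the container, the host directory mounted as /nix
# (cfg.nixCacheLocation) is writable by that user, and /dev/kvm is passed
# through when enableKvm is set. Pipelines reaching this runner are therefore
# trusted code as far as the shared Nix store is concerned.
{ lib, config, pkgs, self, ... }:
with lib;
let
  # Container entrypoint, run as root inside the container on every start:
  # installs base tooling, sets up single-user Nix for `build`, fetches the
  # drone-runner-exec binary and finally hands over to the runner daemon.
  bootstrap = pkgs.writeScript "bootstrap.sh" ''
    #!/usr/bin/env bash
    # -e: stop at the first failing command. pipefail: a failing curl in the
    # `curl | tar` pipeline below must not be masked by the consumer's status.
    set -eo pipefail

    apt update
    apt install --yes curl git sudo xz-utils

    # Unprivileged build user. /nix has to be owned by it for the single-user
    # Nix installer to succeed.
    adduser --system --uid 999 build
    chown build /nix

    # NOTE(review): both downloads below fetch unpinned, unverified code and
    # binaries from the network on every container start. `-f` at least makes
    # an HTTP error fail loudly instead of feeding an error page to sh/tar;
    # pinning a release and verifying a checksum would be the next step.
    sudo -u build curl -fsSL https://nixos.org/nix/install > install
    sudo -u build sh install
    echo "export PATH=/nix/var/nix/profiles/per-user/build/profile/bin:''$PATH" >> /etc/profile

    mkdir -p /etc/nix
    echo 'experimental-features = nix-command flakes' >> /etc/nix/nix.conf

    # Pre-accept the flake nixConfig entries (extra substituters and their
    # signing keys) for the build user so builds do not stop to ask.
    # The variable must be expanded by bash here. The previous backslash-escaped
    # form was passed through literally (Nix indented strings do not process
    # backslashes), so the settings file never ended up at this path.
    export nix_user_config_file="/home/build/.local/share/nix/trusted-settings.json"
    mkdir -p "$(dirname "''$nix_user_config_file")"
    echo '{"extra-experimental-features":{"nix-command flakes":true},"extra-substituters":{"https://nix-dram.cachix.org https://dram.cachix.org https://nrdxp.cachix.org https://nix-community.cachix.org":true},"extra-trusted-public-keys":{"nix-dram.cachix.org-1:CKjZ0L1ZiqH3kzYAZRt8tg8vewAx5yj8Du/+iR8Efpg= dram.cachix.org-1:baoy1SXpwYdKbqdTbfKGTKauDDeDlHhUpC+QuuILEMY= nrdxp.cachix.org-1:Fc5PSqY2Jm1TrWfm88l6cvGWwz3s93c6IOifQWnhNW4= nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=":true}}' > "''$nix_user_config_file"
    chown -R build /home/build/

    curl -fsSL https://github.com/drone-runners/drone-runner-exec/releases/latest/download/drone_runner_exec_linux_amd64.tar.gz | tar xz
    sudo install -t /usr/local/bin drone-runner-exec

    # /run/vars is bind-mounted from cfg.runnerVarsFile; refuse to start
    # without it rather than launching a runner with no configuration.
    if [ ! -f /run/vars ]; then
      echo "bootstrap: /run/vars (runnerVarsFile) is missing" >&2
      exit 1
    fi
    # Leave the mounted file untouched: work on a copy and append the DRONE
    # variables injected through runnerEnvironment. `|| true` keeps set -e
    # from aborting the bootstrap when grep finds no DRONE variable at all.
    cp -a /run/vars /run/runtime-vars
    env | grep "DRONE" >> /run/runtime-vars || true

    # NOTE(review): arguments after the user name are handed to the login
    # shell verbatim, i.e. bash is started as `bash sh -c "..."`; confirm this
    # actually reaches the daemon (`su - -s /bin/bash build -c '...'` would be
    # the direct form).
    su - -s /bin/bash build sh -c "/usr/local/bin/drone-runner-exec daemon /run/runtime-vars"
  '';

  cfg = config.pub-solar.ci-runner;
in
{
  options.pub-solar.ci-runner = {
    enable = lib.mkEnableOption "Enables a docker container running a drone exec runner as unprivileged user.";

    enableKvm = lib.mkOption {
      description = ''
        Enable kvm support.
        Passes the host's /dev/kvm device into the container, which makes it
        available to every CI job the runner executes.
      '';
      default = true;
      type = types.bool;
    };

    nixCacheLocation = lib.mkOption {
      description = ''
        Location of nix cache that is shared between builds.
        Mounted as /nix inside the container and writable by the build user,
        so CI jobs can modify it.
      '';
      type = types.path;
    };

    runnerEnvironment = lib.mkOption {
      description = ''
        Additional environment vars added to the vars file on container runtime.
        Only variables whose name contains DRONE are copied into the runtime
        vars file.
      '';
      default = {};
      # Passed straight to the container's `environment`, which takes
      # string-valued attributes.
      type = types.attrsOf types.str;
    };

    runnerVarsFile = lib.mkOption {
      description = ''
        Location of vars file passed to drone runner.
        This file usually carries the runner's credentials, so it should live
        outside the world-readable Nix store and be readable only by root.
      '';
      type = types.path;
    };
  };

  config = lib.mkIf cfg.enable {
    virtualisation = {
      docker = {
        enable = true; # sadly podman is not supported right now
      };

      oci-containers = {
        backend = "docker";
        containers."drone-exec-runner" = {
          image = "debian";
          autoStart = true;
          # The bootstrap script (above) is the whole container lifecycle:
          # it provisions the image on start and ends in the runner daemon.
          entrypoint = "bash";
          cmd = [ "/bootstrap.sh" ];
          volumes = [
            "${cfg.runnerVarsFile}:/run/vars"
            "${cfg.nixCacheLocation}:/nix"
            "${bootstrap}:/bootstrap.sh"
          ];
          environment = cfg.runnerEnvironment;
          # Device passthrough only when requested; mkIf on a list option
          # contributes nothing when enableKvm is false.
          extraOptions = lib.mkIf cfg.enableKvm [ "--device=/dev/kvm" ];
        };
      };
    };
  };
}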