author | makefu <github@syntax-fehler.de> | 2017-08-15 14:28:25 +0200 |
---|---|---|
committer | makefu <github@syntax-fehler.de> | 2017-08-15 16:06:55 +0200 |
commit | e6785422ae213dffe19bc2a2bb6b2dd275799be0 (patch) | |
tree | 158a16da457481da3aeb724234f3a14987a9c738 /nixos/modules/services/continuous-integration | |
parent | cfda60042d9ecab8809e3dc0694908c6c39099c2 (diff) | |
module gitlab-runner: introduce configOptions and configFile
Also removes configText; its functionality is now provided more conveniently by configOptions. Keep in mind that this breaks compatibility with previous configurations. configFile provides a means to protect the CI token from being written into the nix store.
Diffstat (limited to 'nixos/modules/services/continuous-integration')
-rw-r--r-- | nixos/modules/services/continuous-integration/gitlab-runner.nix | 56 |
1 files changed, 53 insertions, 3 deletions
diff --git a/nixos/modules/services/continuous-integration/gitlab-runner.nix b/nixos/modules/services/continuous-integration/gitlab-runner.nix
index b11bc031b3ff..ce0583dad54d 100644
--- a/nixos/modules/services/continuous-integration/gitlab-runner.nix
+++ b/nixos/modules/services/continuous-integration/gitlab-runner.nix
@@ -4,15 +4,65 @@ with lib;
 let
 cfg = config.services.gitlab-runner;
- configFile = pkgs.writeText "config.toml" cfg.configText;
+ configFile =
+ if (cfg.configFile == null) then
+ (pkgs.runCommand "config.toml" {
+ buildInputs = [ pkgs.remarshal ];
+ } ''
+ remarshal -if json -of toml \
+ < ${pkgs.writeText "config.json" (builtins.toJSON cfg.configOptions)} \
+ > $out
+ '')
+ else
+ cfg.configFile;
 hasDocker = config.virtualisation.docker.enable;
 in
 {
 options.services.gitlab-runner = {
 enable = mkEnableOption "Gitlab Runner";
- configText = mkOption {
- description = "Verbatim config.toml to use";
+ configFile = mkOption {
+ default = null;
+ description = ''
+ Configuration file for gitlab-runner.
+ Use this option in favor of configOptions to avoid placing CI tokens in the nix store.
+
+ <option>configFile</option> takes precedence over <option>configOptions</option>.
+
+ Warning: Not using <option>configFile</option> will potentially result in secrets
+ leaking into the WORLD-READABLE nix store.
+ '';
+ type = types.nullOr types.path;
+ };
+
+ configOptions = mkOption {
+ description = ''
+ Configuration for gitlab-runner
+ <option>configFile</option> will take precedence over this option.
+
+ Warning: all Configuration, especially CI token, will be stored in a
+ WORLD-READABLE file in the Nix Store.
+
+ If you want to protect your CI token use <option>configFile</option> instead.
+ '';
+ type = types.attrs;
+ example = {
+ concurrent = 2;
+ runners = [{
+ name = "docker-nix-1.11";
+ url = "https://CI/";
+ token = "TOKEN";
+ executor = "docker";
+ builds_dir = "";
+ docker = {
+ host = "";
+ image = "nixos/nix:1.11";
+ privileged = true;
+ disable_cache = true;
+ cache_dir = "";
+ };
+ }];
+ };
 };
 gracefulTermination = mkOption {
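Review bot: The new `configFile` option is typed `types.nullOr types.path`, which also accepts a Nix path literal such as `configFile = ./config.toml;`; a path literal is copied into the world-readable store as soon as it is interpolated into a string (presumably where `configFile` is used by the service definition outside this hunk), which silently defeats the purpose the description states. The description should say that the value must be a plain string naming a file present at runtime, e.g. `configFile = "/path/to/config.toml";` (placeholder), not a path literal, or the type could be narrowed to `types.nullOr types.str` so a path literal is rejected at evaluation time. Separately, `configOptions` has no `default`, so when neither option is set the `builtins.toJSON cfg.configOptions` branch fails with the generic "option is used but not defined" evaluation error; an `assertions` entry requiring that at least one of `configFile` or `configOptions` is set would give a clearer message. The `let` binding and the `options.services.gitlab-runner` attrset both continue outside the hunk.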