authorVincent Haupert <vincent@yaxi.tech>2024-02-09 15:50:06 +0100
committerVincent Haupert <vincent@yaxi.tech>2024-02-09 16:58:09 +0100
commit6d8391a3ce154bdf1870d998f187b26de8147065 (patch)
treec2206b2cd510cee616ed1849031526ff53faceb9 /nixos
parent35df23c07d60baad028f3270d20204c09c9a44e5 (diff)
nixos/github-runners: add a `group` option to set the executing group
Similar to the `user` option, the added `group` option sets the group of
the executing process. If not `null`, it also sets `DynamicUser=false`.
If `user` is left at `null` (the default) while `group` is set, the resulting
`DynamicUser=false` makes systemd run the service as root implicitly. As this is dangerous and most certainly not
what users want, we force them to set `user = "root"` explicitly if
that's really their intention. That's achieved through an assertion.
Diffstat (limited to 'nixos')
-rw-r--r--nixos/modules/services/continuous-integration/github-runner/options.nix26
-rw-r--r--nixos/modules/services/continuous-integration/github-runner/service.nix8
2 files changed, 33 insertions, 1 deletions
diff --git a/nixos/modules/services/continuous-integration/github-runner/options.nix b/nixos/modules/services/continuous-integration/github-runner/options.nix
index 6864aa2170d1..193261fc2a9f 100644
--- a/nixos/modules/services/continuous-integration/github-runner/options.nix
+++ b/nixos/modules/services/continuous-integration/github-runner/options.nix
@@ -209,12 +209,36 @@ with lib;
         user = mkOption {
           type = types.nullOr types.str;
           description = mdDoc ''
-            User under which to run the service. If null, will use a systemd dynamic user.
+            User under which to run the service.
+
+            If this option and the `group` option is set to `null`,
+            the service runs as a dynamically allocated user.
+
+            Also see the `group` option for an overview on the effects of the `user` and `group` settings.
           '';
           default = null;
           defaultText = literalExpression "username";
         };
 
+        group = mkOption {
+          type = types.nullOr types.str;
+          description = mdDoc ''
+            Group under which to run the service.
+
+            The effect of this option depends on the value of the `user` option:
+
+            - `group == null` and `user == null`:
+              The service runs with a dynamically allocated user and group.
+            - `group == null` and `user != null`:
+              The service runs as the given user and its default group.
+            - `group != null` and `user == null`:
+              This configuration is invalid. In this case, the service would use the given group
+              but run as root implicitly. If this is really what you want, set `user = "root"` explicitly.
+          '';
+          default = null;
+          defaultText = literalExpression "groupname";
+        };
+
         workDir = mkOption {
           type = with types; nullOr str;
           description = mdDoc ''
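Review bot: The case list in the new `group` description covers only three of the four `user`/`group` combinations; the one most users of this option will actually configure, `group != null` and `user != null`, is missing and should get its own bullet, e.g. `- \`group != null\` and \`user != null\`: The service runs as the given user and group; \`DynamicUser\` is disabled.` The "invalid" bullet would also be clearer if it said that evaluation fails with an assertion rather than leaving the reader to wonder whether the module silently accepts it. In the `user` description, "If this option and the `group` option is set to `null`" should read "are set to `null`". The claim that both-null yields a dynamic user depends on `DynamicUser` only being forced off in service.nix, which is outside this hunk.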
diff --git a/nixos/modules/services/continuous-integration/github-runner/service.nix b/nixos/modules/services/continuous-integration/github-runner/service.nix
index cbbf51d30b0b..fccdcc116a21 100644
--- a/nixos/modules/services/continuous-integration/github-runner/service.nix
+++ b/nixos/modules/services/continuous-integration/github-runner/service.nix
@@ -12,6 +12,10 @@ with lib;
         assertion = !cfg.noDefaultLabels || (cfg.extraLabels != [ ]);
         message = "`services.github-runners.${name}`: The `extraLabels` option is mandatory if `noDefaultLabels` is set";
       }
+      {
+        assertion = cfg.group == null || cfg.user != null;
+        message = ''`services.github-runners.${name}`: Setting `group` while leaving `user` unset runs the service as `root`. If this is really what you want, set `user = "root"` explicitly'';
+      }
     ])
   );
 
@@ -284,6 +288,10 @@ with lib;
           DynamicUser = false;
           User = cfg.user;
         })
+        (mkIf (cfg.group != null) {
+          DynamicUser = false;
+          Group = cfg.group;
+        })
         cfg.serviceOverrides
       ];
     }
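Review bot: The new `mkIf (cfg.group != null)` block repeats `DynamicUser = false` already defined by the `cfg.user != null` block just above it, so when both options are set the same key is defined twice inside the enclosing `mkMerge`; this presumably relies on systemd unit options merging equal values, which is worth stating so a later edit does not turn the two values apart and break evaluation. A short comment on the new block would do, e.g. `# Also defined by the user branch above; both may be active, equal values merge.` and `# group != null with user == null is rejected by the assertion at the top of this file, so this never runs the service as root silently.` The `serviceConfig = mkMerge [ … ]` expression that contains both blocks starts before this hunk.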