Diffstat (limited to 'nixos')
4 files changed, 23 insertions, 11 deletions
diff --git a/nixos/modules/services/continuous-integration/github-runner/options.nix b/nixos/modules/services/continuous-integration/github-runner/options.nix index ae89d3a3bfb6c..796b5a7f1175f 100644 --- a/nixos/modules/services/continuous-integration/github-runner/options.nix +++ b/nixos/modules/services/continuous-integration/github-runner/options.nix @@ -42,13 +42,14 @@ with lib; type = types.path; description = lib.mdDoc '' The full path to a file which contains either a runner registration token or a - personal access token (PAT). + (fine-grained) personal access token (PAT). The file should contain exactly one line with the token without any newline. If a registration token is given, it can be used to re-register a runner of the same name but is time-limited. If the file contains a PAT, the service creates a new registration token on startup as needed. Make sure the PAT has a scope of `admin:org` for organization-wide registrations or a scope of - `repo` for a single repository. + `repo` for a single repository. Fine-grained PATs need read and write permission + to the "Adminstration" resources. Changing this option or the file's content triggers a new runner registration. ''; diff --git a/nixos/modules/services/continuous-integration/github-runner/service.nix b/nixos/modules/services/continuous-integration/github-runner/service.nix index 4dc8445495a60..49195410bb423 100644 --- a/nixos/modules/services/continuous-integration/github-runner/service.nix +++ b/nixos/modules/services/continuous-integration/github-runner/service.nix 
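Review bot: The sentence added to the option description in options.nix misspells the permission name as "Adminstration"; it should read `to the "Administration" resources.` so it matches what a reader searches for in the token settings. The new sentence also does not say whether it covers repository or organization-wide registrations, although the preceding sentence about classic PAT scopes distinguishes the two. If the required fine-grained permission differs for organizations, spelling that out would keep users from granting more than the runner needs. The description string starts and ends outside the hunk.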
@@ -134,10 +134,10 @@ with lib; ${optionalString (cfg.runnerGroup != null) "--runnergroup ${escapeShellArg cfg.runnerGroup}"} ${optionalString cfg.ephemeral "--ephemeral"} ) - # If the token file contains a PAT (i.e., it starts with "ghp_"), we have to use the --pat option, + # If the token file contains a PAT (i.e., it starts with "ghp_" or "github_pat_"), we have to use the --pat option, # if it is not a PAT, we assume it contains a registration token and use the --token option token=$(<"${newConfigTokenPath}") - if [[ "$token" =~ ^ghp_* ]]; then + if [[ "$token" =~ ^ghp_* ]] || [[ "$token" =~ ^github_pat_* ]]; then args+=(--pat "$token") else args+=(--token "$token") diff --git a/nixos/modules/services/monitoring/prometheus/exporters/kea.nix b/nixos/modules/services/monitoring/prometheus/exporters/kea.nix index 0682f9da4003a..ed33c72f644f3 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters/kea.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters/kea.nix @@ -35,7 +35,7 @@ in { ${pkgs.prometheus-kea-exporter}/bin/kea-exporter \ --address ${cfg.listenAddress} \ --port ${toString cfg.port} \ - ${concatStringsSep " \\n" cfg.controlSocketPaths} + ${concatStringsSep " " cfg.controlSocketPaths} ''; SupplementaryGroups = [ "kea" ]; RestrictAddressFamilies = [ diff --git a/nixos/tests/prometheus-exporters.nix b/nixos/tests/prometheus-exporters.nix index 596a4eafcd642..a8737eb504d98 100644 --- a/nixos/tests/prometheus-exporters.nix +++ b/nixos/tests/prometheus-exporters.nix 
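Review bot: The new condition `[[ "$token" =~ ^github_pat_* ]]` in service.nix writes a glob pattern inside a regex match, so `_*` means "zero or more underscores" and the test is true for any token that merely starts with `github_pat` (and likewise `ghp` in the existing half). The choice between `--pat` and `--token` is therefore looser than the comment above it states. An anchored alternation expresses the intent exactly: `if [[ "$token" =~ ^(ghp|github_pat)_ ]]; then`. The surrounding script starts and ends outside the hunk.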
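Review bot: The changed line in kea.nix joins `cfg.controlSocketPaths` into what appears to be the exporter's command line without any quoting, so a path containing whitespace or quote characters would be split or misparsed into separate arguments. Since `concatStringsSep` is already used unqualified here, `${escapeShellArgs cfg.controlSocketPaths}` looks like a drop-in replacement; if this string is consumed by systemd rather than a shell, confirm that the quoting style suits its parser. The same applies to `cfg.listenAddress` on the context line above. The enclosing attribute starts outside the hunk.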
@@ -374,25 +374,34 @@ let }; kea = let - controlSocketPath = "/run/kea/dhcp6.sock"; + controlSocketPathV4 = "/run/kea/dhcp4.sock"; + controlSocketPathV6 = "/run/kea/dhcp6.sock"; in { exporterConfig = { enable = true; controlSocketPaths = [ - controlSocketPath + controlSocketPathV4 + controlSocketPathV6 ]; }; metricProvider = { - systemd.services.prometheus-kea-exporter.after = [ "kea-dhcp6-server.service" ]; - services.kea = { + dhcp4 = { + enable = true; + settings = { + control-socket = { + socket-type = "unix"; + socket-name = controlSocketPathV4; + }; + }; + }; dhcp6 = { enable = true; settings = { control-socket = { socket-type = "unix"; - socket-name = controlSocketPath; + socket-name = controlSocketPathV6; }; }; }; @@ -400,8 +409,10 @@ let }; exporterTest = '' + wait_for_unit("kea-dhcp4-server.service") wait_for_unit("kea-dhcp6-server.service") - wait_for_file("${controlSocketPath}") + wait_for_file("${controlSocketPathV4}") + wait_for_file("${controlSocketPathV6}") wait_for_unit("prometheus-kea-exporter.service") wait_for_open_port(9547) succeed( |
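Review bot: The `systemd.services.prometheus-kea-exporter.after` ordering is removed from `metricProvider` in the first test hunk, and nothing visible in this diff replaces it, either in the test or in the kea.nix module hunk. The `wait_for_file` calls in `exporterTest` only make the test driver wait and do not delay the exporter unit, so it may start before either control socket exists unless the module already orders it after the Kea services (not visible here). If that ordering is not defined elsewhere, keeping it for both daemons would make the test deterministic: `systemd.services.prometheus-kea-exporter.after = [ "kea-dhcp4-server.service" "kea-dhcp6-server.service" ];`. The `kea` attribute set continues beyond this hunk.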