clearly separate configuration from runtime state
Description
On NixOS, we create the gitlab-runner config (and the whole system) via Nix. In the end, the whole system is immutable. Usually, state accumulates in /var/lib/$application-name, and the configuration file points to a read-only, immutable location. This maps 1:1 to systemd's understanding of Runtime Directories: https://www.freedesktop.org/software/systemd/man/systemd.exec.html#RuntimeDirectory=
We have a NixOS module which generates gitlab-runner's configuration .toml according to the user's system configuration.
However, Gitlab also likes to edit this configuration file by itself (to add the authentication token), which makes managing this file via configuration management harder, requiring manual hackery. This is even applicable outside NixOS, if the configuration files are managed via some configuration management system like Puppet, Chef etc.
On NixOS, config files are created in the immutable Nix store, so the stricter file locking weakened in #5412 broke it entirely on NixOS.
Proposal
Clearly separate configuration from state and files only needed during runtime.
One way could be to consider /var/lib/gitlab-runner/… as writeable state, and persist all state generated during runtime there.
I'd consider authentication tokens to be part of that state (as they are written by the runner during registration). On the other hand, registration tokens are config.
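To make the proposed split concrete, here is a systemd unit sketch added as an example (not from this issue, the NixOS module, or the gitlab-runner project) showing how the Description's systemd mapping would look if the runner only ever read its config and wrote all runtime state under /var/lib/gitlab-runner. The store path, the unit name and the use of the runner's `--config` flag are assumptions for illustration; the directives themselves (StateDirectory, RuntimeDirectory, ProtectSystem, ReadWritePaths) are standard systemd.exec options.

```ini
# Added example: a service split so that configuration is immutable and state is writable.
# Assumptions: the rendered config lives at a placeholder Nix store path and the
# runner is started via `gitlab-runner run --config`; adjust to the real deployment.
[Unit]
Description=GitLab Runner (immutable config, state under /var/lib)
After=network-online.target

[Service]
# Configuration: rendered by configuration management, read-only, never edited at runtime.
ExecStart=/run/current-system/sw/bin/gitlab-runner run --config /nix/store/PLACEHOLDER-gitlab-runner-config/config.toml

# State that the runner produces itself (e.g. the authentication token obtained at
# registration) belongs here; systemd creates /var/lib/gitlab-runner with correct ownership.
StateDirectory=gitlab-runner

# Files needed only while the service runs (sockets, pid files) go to /run/gitlab-runner
# and are discarded on stop.
RuntimeDirectory=gitlab-runner

# Everything else is mounted read-only for the service, so an attempt to rewrite the
# config file fails loudly instead of silently diverging from the managed copy.
ProtectSystem=strict
ReadWritePaths=/var/lib/gitlab-runner

[Install]
WantedBy=multi-user.target
```

With this layout a config-management run can replace the store path freely, and `systemctl status` (or a failed write in the journal) immediately shows if the runner still tries to modify its configuration file rather than its state directory.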