From df01f9cd93b4659f611eaa3293b512fc73c5b7d7 Mon Sep 17 00:00:00 2001
From: Charlotte Van Petegem
Date: Mon, 11 Nov 2024 01:05:47 +0100
Subject: [PATCH] git: Setup runner on marabethia

---
 .forgejo/workflows/cachix.yml | 36 ++++++++++
 .forgejo/workflows/update.yaml | 69 +++++++++++++++++++
 machines/elendel/default.nix | 1 +
 machines/elendel/hardware.nix | 8 +++
 modules/nixos/services/git/default.nix | 2 +
 modules/nixos/services/git/runner.nix | 36 ++++++++++
 secrets.nix | 1 +
 secrets/passwords/services/git/token-file.age | 9 +++
 8 files changed, 162 insertions(+)
 create mode 100644 .forgejo/workflows/cachix.yml
 create mode 100644 .forgejo/workflows/update.yaml
 create mode 100644 modules/nixos/services/git/runner.nix
 create mode 100644 secrets/passwords/services/git/token-file.age

diff --git a/.forgejo/workflows/cachix.yml b/.forgejo/workflows/cachix.yml
new file mode 100644
index 00000000..af118d64
--- /dev/null
+++ b/.forgejo/workflows/cachix.yml
@@ -0,0 +1,36 @@
+name: Cachix
+
+on:
+ push:
+ branches: [ main ]
+
+env:
+ USER: root
+
+jobs:
+ build:
+ runs-on: docker
+ strategy:
+ matrix:
+ host:
+ - elendel
+ - kholinar
+ - lasting-integrity
+ - marabethia
+ - urithiru
+ steps:
+ - uses: actions/checkout@v4
+ - run: apt update && apt install -y sudo
+ - uses: https://github.com/cachix/install-nix-action@v30
+ with:
+ enable_kvm: false
+ github_access_token: '${{ secrets.ACCESS_TOKEN_GITHUB }}'
+ - name: Cachix
+ uses: https://github.com/cachix/cachix-action@v15
+ with:
+ name: chvp
+ extraPullNames: "nix-community,accentor"
+ authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
+ skipPush: true
+ - run: nix build -L --no-link .#nixosConfigurations.${{ matrix.host }}.config.system.build.toplevel
+ - run: nix eval --json ".#nixosConfigurations.${{ matrix.host }}.config.system.build.toplevel.outPath" | sed 's/"\(.*\)"/\1/' | cachix push chvp
diff --git a/.forgejo/workflows/update.yaml b/.forgejo/workflows/update.yaml
new file mode 100644
index 00000000..c90b7e3c
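Review bot: Every action in `steps` is pinned to a mutable tag (`actions/checkout@v4`, `https://github.com/cachix/install-nix-action@v30`, `https://github.com/cachix/cachix-action@v15`) while the job is handed `secrets.ACCESS_TOKEN_GITHUB` and `secrets.CACHIX_AUTH_TOKEN`, so a retargeted tag upstream would execute unreviewed code with both credentials on every push to `main`. Pinning each `uses:` to a full commit hash with the tag kept as a trailing comment, e.g. `uses: https://github.com/cachix/cachix-action@<commit-sha> # v15`, keeps that trust decision inside this repository. `env: USER: root` is presumably there because the Nix installer expects `USER` to be set inside the job container; a one-line comment saying so would stop a later reader from treating it as a privilege choice. The rendering here has collapsed the YAML indentation, so the nesting of `with:` blocks cannot be checked from this page.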
--- /dev/null
+++ b/.forgejo/workflows/update.yaml
@@ -0,0 +1,69 @@
+name: Update
+
+on:
+ schedule:
+ - cron: '45 */2 * * *'
+ workflow_dispatch:
+
+env:
+ USER: root
+
+jobs:
+ flake-update:
+ runs-on: docker
+ steps:
+ - uses: actions/checkout@v3
+ - run: apt update && apt install -y sudo
+ - uses: cachix/install-nix-action@v30
+ with:
+ enable_kvm: false
+ github_access_token: '${{ secrets.ACCESS_TOKEN_GITHUB }}'
+ - run: nix flake update
+ - name: Upload changed flake.lock
+ uses: actions/upload-artifact@v3
+ with:
+ name: flake.lock
+ path: flake.lock
+ build:
+ runs-on: docker
+ needs: flake-update
+ strategy:
+ matrix:
+ host:
+ - elendel
+ - kholinar
+ - lasting-integrity
+ - marabethia
+ - urithiru
+ steps:
+ - uses: actions/checkout@v4
+ - name: Download changed flake.lock
+ uses: actions/download-artifact@v3
+ with:
+ name: flake.lock
+ - run: apt update && apt install -y sudo
+ - uses: https://github.com/cachix/install-nix-action@v30
+ with:
+ enable_kvm: false
+ github_access_token: '${{ secrets.ACCESS_TOKEN_GITHUB }}'
+ - name: Cachix
+ uses: https://github.com/cachix/cachix-action@v15
+ with:
+ name: chvp
+ extraPullNames: "nix-community,accentor"
+ authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
+ skipPush: true
+ - run: nix build -L --no-link .#nixosConfigurations.${{ matrix.host }}.config.system.build.toplevel
+ - run: nix eval --json ".#nixosConfigurations.${{ matrix.host }}.config.system.build.toplevel.outPath" | sed 's/"\(.*\)"/\1/' | cachix push chvp
+ commit:
+ runs-on: docker
+ needs: build
+ steps:
+ - uses: actions/checkout@v4
+ - name: Download changed flake.lock
+ uses: actions/download-artifact@v3
+ with:
+ name: flake.lock
+ - uses: https://github.com/stefanzweifel/git-auto-commit-action@v5.0.1
+ with:
+ commit_message: "Update dependencies"
diff --git a/machines/elendel/default.nix b/machines/elendel/default.nix
index cc19c703..7251e426 100644
--- a/machines/elendel/default.nix
+++ b/machines/elendel/default.nix
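Review bot: The `flake-update` job uses `actions/checkout@v3` and the unprefixed `cachix/install-nix-action@v30`, while `build` and `commit` use `actions/checkout@v4` and `https://github.com/cachix/install-nix-action@v30`; on Forgejo an unprefixed `uses:` is resolved against the instance's `DEFAULT_ACTIONS_URL` rather than GitHub, so the same action may be fetched from two different origins within one workflow. Changing the first job to `- uses: actions/checkout@v4` and `- uses: https://github.com/cachix/install-nix-action@v30` removes the ambiguity. The mutable-tag pinning point raised on cachix.yml applies to every `uses:` here as well, most importantly `git-auto-commit-action@v5.0.1`, which pushes the updated `flake.lock` to the checked-out branch with the job's token. Gating `commit` on `needs: build` is the right control for an unattended `nix flake update`; a comment on `commit:`, `# Only lands once every host in the build matrix builds with the new lock`, would make that intent explicit.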
@@ -45,5 +45,6 @@
 rootPool = "zroot";
 };
 };
+ services.git.runner.enable = true;
 };
 }
diff --git a/machines/elendel/hardware.nix b/machines/elendel/hardware.nix
index 02adf4bc..6ccacd22 100644
--- a/machines/elendel/hardware.nix
+++ b/machines/elendel/hardware.nix
@@ -59,6 +59,14 @@
 fsType = "vfat";
 options = [ "fmask=0022" "dmask=0022" ];
 };
+ "/var/lib/docker" = {
+ device = "zroot/local/services/docker";
+ fsType = "zfs";
+ };
+ "/var/lib/private/gitea-runner" = {
+ device = "zroot/local/services/gitea-runner";
+ fsType = "zfs";
+ };
 };

 swapDevices = [
diff --git a/modules/nixos/services/git/default.nix b/modules/nixos/services/git/default.nix
index ff20e98a..120a2de3 100644
--- a/modules/nixos/services/git/default.nix
+++ b/modules/nixos/services/git/default.nix
@@ -6,6 +6,8 @@
 example = true;
 };

+ imports = [ ./runner.nix ];
+
 config = lib.mkIf config.chvp.services.git.enable {
 chvp.services.nginx.hosts = [
 {
diff --git a/modules/nixos/services/git/runner.nix b/modules/nixos/services/git/runner.nix
new file mode 100644
index 00000000..8a98a1e6
--- /dev/null
+++ b/modules/nixos/services/git/runner.nix
@@ -0,0 +1,36 @@
+{ config, lib, pkgs, ... }:
+
+{
+ options.chvp.services.git.runner.enable = lib.mkOption {
+ default = false;
+ example = true;
+ };
+
+ config = lib.mkIf config.chvp.services.git.runner.enable {
+ networking.firewall.trustedInterfaces = [ "br-+" ];
+ services.gitea-actions-runner = {
+ package = pkgs.forgejo-actions-runner;
+ instances.default = {
+ enable = true;
+ url = "https://git.chvp.be";
+ labels = [];
+ name = config.networking.hostName;
+ tokenFile = config.age.secrets."passwords/services/git/token-file".path;
+ settings = {
+ container.enable_ipv6 = true;
+ };
+ };
+ };
+ virtualisation.docker = {
+ enable = true;
+ daemon.settings = {
+ fixed-cidr-v6 = "fd00::/80";
+ ipv6 = true;
+ };
+ };
+
+ age.secrets."passwords/services/git/token-file" = {
+ file = ../../../../secrets/passwords/services/git/token-file.age;
+ };
+ };
+}
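Review bot: This line enables the runner on elendel, and `secrets.nix` in the same commit encrypts the token to `elendel`, yet the commit subject says the runner is set up on marabethia; one of the two looks stale and the subject is the likelier candidate. The attribute set this line sits in opens above the hunk, so it cannot be confirmed here that `services.git.runner.enable` resolves to the `chvp.services.git.runner.enable` option declared in runner.nix; if the enclosing set is not `chvp = { ... }`, evaluation would fail on an undeclared option. A short comment, `# Forgejo Actions runner for git.chvp.be (needs Docker and the token secret)`, would document why this host takes that role.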
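Review bot: `/var/lib/private/gitea-runner` is the path systemd uses as the real backing directory of a `DynamicUser` unit's `StateDirectory`, with `/var/lib/gitea-runner` as a symlink to it; that the runner unit runs with `DynamicUser` is inferred from the path, not shown here, so confirm it before relying on this mount. Mounting a dataset there means ZFS, not systemd, now creates the directory, and its top-level ownership is whatever systemd re-owns at unit start; that deserves a comment on the entry, e.g. `# Backing store for the DynamicUser state dir of gitea-runner (TODO confirm the unit uses DynamicUser)`. The new `/var/lib/docker` dataset has no matching `storage-driver` in `virtualisation.docker.daemon.settings` in runner.nix, so the daemon auto-selects a driver for a ZFS-backed root and the result depends on the Docker and ZFS versions; pinning it explicitly, e.g. `"storage-driver" = "zfs";`, makes the layer storage an explicit, reviewable choice.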
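Review bot: `imports = [ ./runner.nix ];` pulls the runner module in unconditionally, and runner.nix gates itself on `chvp.services.git.runner.enable` rather than on `chvp.services.git.enable`, so a host can run the runner without hosting the forge (elendel vs. marabethia in this commit). That decoupling is deliberate but unstated; a comment above the line, `# The Actions runner is a separate host role: enabled by chvp.services.git.runner.enable, independent of git.enable.`, would save the next reader a look into runner.nix.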
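Review bot: `networking.firewall.trustedInterfaces = [ "br-+" ];` exempts every interface whose name begins with `br-` from the NixOS firewall, so every listener on the host becomes reachable from inside any job container (Docker's user-defined networks get `br-<id>` bridges, presumably why the pattern was chosen) and from any other bridge the host grows later. If the containers only need DNS or one specific host service, open just that on the same interface pattern, e.g. `networking.firewall.interfaces."br-+".allowedUDPPorts = [ 53 ];`, and add a comment naming the service; the NixOS module likely already grants the runner the `docker` group via `SupplementaryGroups`, so the containers' reach into the host is the remaining boundary worth keeping narrow. Two smaller points: `lib.mkOption { default = false; example = true; }` has no `type = lib.types.bool;`, so non-boolean or conflicting definitions are not rejected at evaluation, and `labels = [];` leaves the image behind `runs-on: docker` to the runner binary's built-in defaults where `labels = [ "docker:docker://<image>:<tag>" ];` would record it in the repository. The NixOS module, as far as I recall, passes `tokenFile` to the unit as an environment file, so the decrypted secret must be a `TOKEN=<registration token>` line rather than the bare token; stating that beside the `age.secrets` entry saves a confusing registration failure.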
diff --git a/secrets.nix b/secrets.nix index 78a2d9f8..58b5ef78 100644 --- a/secrets.nix +++ b/secrets.nix @@ -72,6 +72,7 @@ in "secrets/passwords/services/acme.age".publicKeys = servers ++ users; "secrets/passwords/services/git/mail-password.age".publicKeys = [ marabethia ] ++ users; + "secrets/passwords/services/git/token-file.age".publicKeys = [ elendel ] ++ users; "secrets/passwords/services/grafana/smtp.age".publicKeys = [ lasting-integrity ] ++ users; "secrets/passwords/services/grafana/admin-password.age".publicKeys = [ lasting-integrity ] ++ users; diff --git a/secrets/passwords/services/git/token-file.age b/secrets/passwords/services/git/token-file.age new file mode 100644 index 00000000..9d952111 --- /dev/null +++ b/secrets/passwords/services/git/token-file.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> ssh-ed25519 Lbmdyg t0Y6Phv/d31t0xlrpOI3fGzI5SySzayxMiGnn9rC+BY +8OPwz5qNdQmpaLjmKkNs6npr8yfN9QEApEnmNrb1K/c +-> ssh-ed25519 s9rb8g lMOySsdwx1dxku5Jfb4H9Qrxn1tvyNiSnCQLc1ZKFHQ +bSVCQGU0pYyJJsD0tzEO+JxvmD841TqHBBswlMTDaqs +-> ssh-ed25519 +xxExQ h2+o4Esbe6nDGJeDoulxZEaTaathd/cRk5PthmRhU3E +Ift9BChOKmeCUyOHLFLekZvElNm0FoepzLY00JHzx70 +--- wj9B7rScFFQJDytVHBqy/0v4HtkoArEu9/pnDH4K5eU +yҍNH5?C;~]ȱi94\nzg{=7r+Ě,a6/]blU%W:Zd \ No newline at end of file