git: Setup runner on marabethia

.forgejo/workflows/cachix.yml

@@ -0,0 +1,36 @@
+name: Cachix
+
+on:
+  push:
+    branches: [ main ]
+
+env:
+  USER: root
+
+jobs:
+  build:
+    runs-on: docker
+    strategy:
+      matrix:
+        host:
+          - elendel
+          - kholinar
+          - lasting-integrity
+          - marabethia
+          - urithiru
+    steps:
+      - uses: actions/checkout@v4
+      - run: apt update && apt install -y sudo
+      - uses: https://github.com/cachix/install-nix-action@v30
+        with:
+          enable_kvm: false
+          github_access_token: '${{ secrets.ACCESS_TOKEN_GITHUB }}'
+      - name: Cachix
+        uses: https://github.com/cachix/cachix-action@v15
+        with:
+          name: chvp
+          extraPullNames: "nix-community,accentor"
+          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
+          skipPush: true
+      - run: nix build -L --no-link .#nixosConfigurations.${{ matrix.host }}.config.system.build.toplevel
+      - run: nix eval --json ".#nixosConfigurations.${{ matrix.host }}.config.system.build.toplevel.outPath" | sed 's/"\(.*\)"/\1/' | cachix push chvp

.forgejo/workflows/update.yaml

@@ -0,0 +1,69 @@
+name: Update
+
+on:
+  schedule:
+    - cron: '45 */2 * * *'
+  workflow_dispatch:
+
+env:
+  USER: root
+
+jobs:
+  flake-update:
+    runs-on: docker
+    steps:
+      - uses: actions/checkout@v3
+      - run: apt update && apt install -y sudo
+      - uses: cachix/install-nix-action@v30
+        with:
+          enable_kvm: false
+          github_access_token: '${{ secrets.ACCESS_TOKEN_GITHUB }}'
+      - run: nix flake update
+      - name: Upload changed flake.lock
+        uses: actions/upload-artifact@v3
+        with:
+          name: flake.lock
+          path: flake.lock
+  build:
+    runs-on: docker
+    needs: flake-update
+    strategy:
+      matrix:
+        host:
+          - elendel
+          - kholinar
+          - lasting-integrity
+          - marabethia
+          - urithiru
+    steps:
+      - uses: actions/checkout@v4
+      - name: Download changed flake.lock
+        uses: actions/download-artifact@v3
+        with:
+          name: flake.lock
+      - run: apt update && apt install -y sudo
+      - uses: https://github.com/cachix/install-nix-action@v30
+        with:
+          enable_kvm: false
+          github_access_token: '${{ secrets.ACCESS_TOKEN_GITHUB }}'
+      - name: Cachix
+        uses: https://github.com/cachix/cachix-action@v15
+        with:
+          name: chvp
+          extraPullNames: "nix-community,accentor"
+          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
+          skipPush: true
+      - run: nix build -L --no-link .#nixosConfigurations.${{ matrix.host }}.config.system.build.toplevel
+      - run: nix eval --json ".#nixosConfigurations.${{ matrix.host }}.config.system.build.toplevel.outPath" | sed 's/"\(.*\)"/\1/' | cachix push chvp
+  commit:
+    runs-on: docker
+    needs: build
+    steps:
+      - uses: actions/checkout@v4
+      - name: Download changed flake.lock
+        uses: actions/download-artifact@v3
+        with:
+          name: flake.lock
+      - uses: https://github.com/stefanzweifel/git-auto-commit-action@v5.0.1
+        with:
+          commit_message: "Update dependencies"

machines/elendel/default.nix

@@ -45,5 +45,6 @@
         rootPool = "zroot";
       };
     };
+    services.git.runner.enable = true;
   };
 }

machines/elendel/hardware.nix

@@ -59,6 +59,14 @@
       fsType = "vfat";
       options = [ "fmask=0022" "dmask=0022" ];
     };
+    "/var/lib/docker" = {
+      device = "zroot/local/services/docker";
+      fsType = "zfs";
+    };
+    "/var/lib/private/gitea-runner" = {
+      device = "zroot/local/services/gitea-runner";
+      fsType = "zfs";
+    };
   };
 
   swapDevices = [

modules/nixos/services/git/default.nix

@@ -6,6 +6,8 @@
     example = true;
   };
 
+  imports = [ ./runner.nix ];
+
   config = lib.mkIf config.chvp.services.git.enable {
     chvp.services.nginx.hosts = [
       {

modules/nixos/services/git/runner.nix

@@ -0,0 +1,36 @@
+{ config, lib, pkgs, ... }:
+
+{
+  options.chvp.services.git.runner.enable = lib.mkOption {
+    default = false;
+    example = true;
+  };
+
+  config = lib.mkIf config.chvp.services.git.runner.enable {
+    networking.firewall.trustedInterfaces = [ "br-+" ];
+    services.gitea-actions-runner = {
+      package = pkgs.forgejo-actions-runner;
+      instances.default = {
+        enable = true;
+        url = "https://git.chvp.be";
+        labels = [];
+        name = config.networking.hostName;
+        tokenFile = config.age.secrets."passwords/services/git/token-file".path;
+        settings = {
+          container.enable_ipv6 = true;
+        };
+      };
+    };
+    virtualisation.docker = {
+      enable = true;
+      daemon.settings = {
+        fixed-cidr-v6 = "fd00::/80";
+        ipv6 = true;
+      };
+    };
+
+    age.secrets."passwords/services/git/token-file" = {
+      file = ../../../../secrets/passwords/services/git/token-file.age;
+    };
+  };
+}

secrets.nix

@@ -72,6 +72,7 @@ in
   "secrets/passwords/services/acme.age".publicKeys = servers ++ users;
 
   "secrets/passwords/services/git/mail-password.age".publicKeys = [ marabethia ] ++ users;
+  "secrets/passwords/services/git/token-file.age".publicKeys = [ elendel ] ++ users;
 
   "secrets/passwords/services/grafana/smtp.age".publicKeys = [ lasting-integrity ] ++ users;
   "secrets/passwords/services/grafana/admin-password.age".publicKeys = [ lasting-integrity ] ++ users;

secrets/passwords/services/git/token-file.age

@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 Lbmdyg t0Y6Phv/d31t0xlrpOI3fGzI5SySzayxMiGnn9rC+BY
+8OPwz5qNdQmpaLjmKkNs6npr8yfN9QEApEnmNrb1K/c
+-> ssh-ed25519 s9rb8g lMOySsdwx1dxku5Jfb4H9Qrxn1tvyNiSnCQLc1ZKFHQ
+bSVCQGU0pYyJJsD0tzEO+JxvmD841TqHBBswlMTDaqs
+-> ssh-ed25519 +xxExQ h2+o4Esbe6nDGJeDoulxZEaTaathd/cRk5PthmRhU3E
+Ift9BChOKmeCUyOHLFLekZvElNm0FoepzLY00JHzx70
+--- wj9B7rScFFQJDytVHBqy/0v4HtkoArEu9/pnDH4K5eU
+yÒ<EFBFBD>NH»Š5Ã?C;~<7E>]Óÿ³µÈ±i9¦4\nÝzgÂ{=Óã7¶³ƒr+Äš,aî‘‚ø›6æý/ö]bl…U%<25>´W:Zäd