chvp/nixos-config
1
0
Fork 0
Code Issues Pull requests 1 Projects Releases Packages Wiki Activity Actions

git: Setup runner on marabethia
All checks were successful
Cachix / build (elendel) (push) Successful in 1m2s
Details
Cachix / build (kholinar) (push) Successful in 1m55s
Details
Cachix / build (lasting-integrity) (push) Successful in 1m41s
Details
Cachix / build (marabethia) (push) Successful in 1m8s
Details
Cachix / build (urithiru) (push) Successful in 1m20s
Details

Browse source
This commit is contained in:
Charlotte Van Petegem 2024-11-11 01:05:47 +01:00
parent 49bf851188
commit df01f9cd93
No known key found for this signature in database
GPG key ID: 019E764B7184435A
8 changed files with 162 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

36
.forgejo/workflows/cachix.yml Normal file
View file

@ -0,0 +1,36 @@
name: Cachix
on:
push:
branches: [ main ]
env:
USER: root
jobs:
build:
runs-on: docker
strategy:
matrix:
host:
- elendel
- kholinar
- lasting-integrity
- marabethia
- urithiru
steps:
- uses: actions/checkout@v4
- run: apt update && apt install -y sudo
- uses: https://github.com/cachix/install-nix-action@v30
with:
enable_kvm: false
github_access_token: '${{ secrets.ACCESS_TOKEN_GITHUB }}'
- name: Cachix
uses: https://github.com/cachix/cachix-action@v15
with:
name: chvp
extraPullNames: "nix-community,accentor"
authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
skipPush: true
- run: nix build -L --no-link .#nixosConfigurations.${{ matrix.host }}.config.system.build.toplevel
- run: nix eval --json ".#nixosConfigurations.${{ matrix.host }}.config.system.build.toplevel.outPath" | sed 's/"\(.*\)"/\1/' | cachix push chvp

69
.forgejo/workflows/update.yaml Normal file
View file

@ -0,0 +1,69 @@
name: Update
on:
schedule:
- cron: '45 */2 * * *'
workflow_dispatch:
env:
USER: root
jobs:
flake-update:
runs-on: docker
steps:
- uses: actions/checkout@v3
- run: apt update && apt install -y sudo
- uses: cachix/install-nix-action@v30
with:
enable_kvm: false
github_access_token: '${{ secrets.ACCESS_TOKEN_GITHUB }}'
- run: nix flake update
- name: Upload changed flake.lock
uses: actions/upload-artifact@v3
with:
name: flake.lock
path: flake.lock
build:
runs-on: docker
needs: flake-update
strategy:
matrix:
host:
- elendel
- kholinar
- lasting-integrity
- marabethia
- urithiru
steps:
- uses: actions/checkout@v4
- name: Download changed flake.lock
uses: actions/download-artifact@v3
with:
name: flake.lock
- run: apt update && apt install -y sudo
- uses: https://github.com/cachix/install-nix-action@v30
with:
enable_kvm: false
github_access_token: '${{ secrets.ACCESS_TOKEN_GITHUB }}'
- name: Cachix
uses: https://github.com/cachix/cachix-action@v15
with:
name: chvp
extraPullNames: "nix-community,accentor"
authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
skipPush: true
- run: nix build -L --no-link .#nixosConfigurations.${{ matrix.host }}.config.system.build.toplevel
- run: nix eval --json ".#nixosConfigurations.${{ matrix.host }}.config.system.build.toplevel.outPath" | sed 's/"\(.*\)"/\1/' | cachix push chvp
commit:
runs-on: docker
needs: build
steps:
- uses: actions/checkout@v4
- name: Download changed flake.lock
uses: actions/download-artifact@v3
with:
name: flake.lock
- uses: https://github.com/stefanzweifel/git-auto-commit-action@v5.0.1
with:
commit_message: "Update dependencies"

1
machines/elendel/default.nix
View file

@ -45,5 +45,6 @@
rootPool = "zroot";
};
};
services.git.runner.enable = true;
};
}

8
machines/elendel/hardware.nix
View file

@ -59,6 +59,14 @@
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
"/var/lib/docker" = {
device = "zroot/local/services/docker";
fsType = "zfs";
};
"/var/lib/private/gitea-runner" = {
device = "zroot/local/services/gitea-runner";
fsType = "zfs";
};
};
swapDevices = [

2
modules/nixos/services/git/default.nix
View file

@ -6,6 +6,8 @@
example = true;
};
imports = [ ./runner.nix ];
config = lib.mkIf config.chvp.services.git.enable {
chvp.services.nginx.hosts = [
{

36
modules/nixos/services/git/runner.nix Normal file
View file

@ -0,0 +1,36 @@
{ config, lib, pkgs, ... }:
{
options.chvp.services.git.runner.enable = lib.mkOption {
default = false;
example = true;
};
config = lib.mkIf config.chvp.services.git.runner.enable {
networking.firewall.trustedInterfaces = [ "br-+" ];
services.gitea-actions-runner = {
package = pkgs.forgejo-actions-runner;
instances.default = {
enable = true;
url = "https://git.chvp.be";
labels = [];
name = config.networking.hostName;
tokenFile = config.age.secrets."passwords/services/git/token-file".path;
settings = {
container.enable_ipv6 = true;
};
};
};
virtualisation.docker = {
enable = true;
daemon.settings = {
fixed-cidr-v6 = "fd00::/80";
ipv6 = true;
};
};
age.secrets."passwords/services/git/token-file" = {
file = ../../../../secrets/passwords/services/git/token-file.age;
};
};
}

1
secrets.nix
View file

@ -72,6 +72,7 @@ in
"secrets/passwords/services/acme.age".publicKeys = servers ++ users;
"secrets/passwords/services/git/mail-password.age".publicKeys = [ marabethia ] ++ users;
"secrets/passwords/services/git/token-file.age".publicKeys = [ elendel ] ++ users;
"secrets/passwords/services/grafana/smtp.age".publicKeys = [ lasting-integrity ] ++ users;
"secrets/passwords/services/grafana/admin-password.age".publicKeys = [ lasting-integrity ] ++ users;

9
secrets/passwords/services/git/token-file.age Normal file
View file

@ -0,0 +1,9 @@
age-encryption.org/v1
-> ssh-ed25519 Lbmdyg t0Y6Phv/d31t0xlrpOI3fGzI5SySzayxMiGnn9rC+BY
8OPwz5qNdQmpaLjmKkNs6npr8yfN9QEApEnmNrb1K/c
-> ssh-ed25519 s9rb8g lMOySsdwx1dxku5Jfb4H9Qrxn1tvyNiSnCQLc1ZKFHQ
bSVCQGU0pYyJJsD0tzEO+JxvmD841TqHBBswlMTDaqs
-> ssh-ed25519 +xxExQ h2+o4Esbe6nDGJeDoulxZEaTaathd/cRk5PthmRhU3E
Ift9BChOKmeCUyOHLFLekZvElNm0FoepzLY00JHzx70
--- wj9B7rScFFQJDytVHBqy/0v4HtkoArEu9/pnDH4K5eU
<EFBFBD>NH»Š5Ã?C;~<7E>]Óÿ³µÈ±i9¦4\nÝzgÂ{=Óã7¶³ƒr+Äš,aî‚ø6æý/ö]bl…U%<25>´W:Zäd