feat(services/forgejo): add nix label for forgejo actions

This commit is contained in:
Michael Thomas 2024-06-18 16:33:37 -04:00
parent b746ec813f
commit 976942c353

View File

@ -9,6 +9,33 @@ with lib; let
inherit (config.my.server) domain proxyIP firewallInterface;
forgejoDomain = "git.${domain}";
forgejoUrl = "https://${forgejoDomain}";
# for nix actions runner
storeDeps = pkgs.runCommand "store-deps" {} ''
mkdir -p $out/bin
for dir in ${
toString [
pkgs.coreutils
pkgs.findutils
pkgs.gnugrep
pkgs.gawk
pkgs.git
pkgs.nix
pkgs.bash
pkgs.jq
pkgs.nodejs
pkgs.devenv
]
}; do
for bin in "$dir"/bin/*; do
ln -s "$bin" "$out/bin/$(basename "$bin")"
done
done
# Add SSL CA certs
mkdir -p $out/etc/ssl/certs
cp -a "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" $out/etc/ssl/certs/ca-bundle.crt
'';
in {
options.my.services.forgejo = {
enable = mkEnableOption "Forgejo";
@ -59,33 +86,100 @@ in {
};
networking.firewall.interfaces."${firewallInterface}".allowedTCPPorts = [cfg.port];
})
(mkIf cfg.actions.enable {
# build image // taken from https://git.clan.lol/clan/clan-infra/src/branch/main/modules/web01/gitea/actions-runner.nix
# everything here has no dependencies on the store
systemd.services.forgejo-runner-nix-image = {
wantedBy = ["multi-user.target"];
after = ["podman.service"];
requires = ["podman.service"];
path = [
config.virtualisation.podman.package
pkgs.gnutar
pkgs.shadow
pkgs.getent
];
# we also include etc here because the cleanup job also wants the nixuser to be present
script = ''
set -eux -o pipefail
mkdir -p etc/nix
# Create an unpriveleged user that we can use also without the run-as-user.sh script
touch etc/passwd etc/group
groupid=$(cut -d: -f3 < <(getent group nixuser))
userid=$(cut -d: -f3 < <(getent passwd nixuser))
groupadd --prefix $(pwd) --gid "$groupid" nixuser
emptypassword='$6$1ero.LwbisiU.h3D$GGmnmECbPotJoPQ5eoSTD6tTjKnSWZcjHoVTkxFLZP17W9hRi/XkmCiAMOfWruUwy8gMjINrBMNODc7cYEo4K.'
useradd --prefix $(pwd) -p "$emptypassword" -m -d /tmp -u "$userid" -g "$groupid" -G nixuser nixuser
cat <<NIX_CONFIG > etc/nix/nix.conf
accept-flake-config = true
experimental-features = nix-command flakes
NIX_CONFIG
cat <<NSSWITCH > etc/nsswitch.conf
passwd: files mymachines systemd
group: files mymachines systemd
shadow: files
hosts: files mymachines dns myhostname
networks: files
ethers: files
services: files
protocols: files
rpc: files
NSSWITCH
# list the content as it will be imported into the container
tar -cv . | tar -tvf -
tar -cv . | podman import - forgejo-runner-nix
'';
serviceConfig = {
RuntimeDirectory = "forgejo-runner-nix-image";
WorkingDirectory = "/run/forgejo-runner-nix-image";
Type = "oneshot";
RemainAfterExit = true;
};
};
users.users.nixuser = {
group = "nixuser";
description = "Used for running nix ci jobs";
home = "/var/empty";
isSystemUser = true;
};
users.groups.nixuser = {};
# configure the actions runner itself
age.secrets.forgejoActions.file = ../../../secrets/forgejo-actions.age;
services.gitea-actions-runner = mkIf cfg.actions.enable {
package = pkgs.unstable.forgejo-runner;
instances.venus = {
enable = true;
name = "venus";
name = "venus-nix-runner";
url = forgejoUrl;
settings = {
# log = {
# level = "debug";
# };
options = "-v /var/run/podman/podman.sock:/var/run/podman/podman.sock";
# options = "-v /var/run/podman/podman.sock:/var/run/podman/podman.sock";
runner = {
capacity = 5;
timeout = "45m";
};
container = {
privileged = true;
valid_volumes = ["*"];
force_pull = false;
options = "-e NIX_BUILD_SHELL=/bin/bash -e PAGER=cat -e PATH=/bin -e SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt --device /dev/kvm -v /nix:/nix -v ${storeDeps}/bin:/bin -v ${storeDeps}/etc/ssl:/etc/ssl --user nixuser --device=/dev/kvm";
# privileged = true;
valid_volumes = [
"/nix"
"${storeDeps}/bin"
"${storeDeps}/etc/ssl"
];
# force_pull = false;
network = "bridge";
};
};
labels = [
"debian-latest:docker://ghcr.io/catthehacker/ubuntu:act-latest"
"ubuntu-latest:docker://ghcr.io/catthehacker/ubuntu:act-latest"
"nix:docker://forgejo-runner-nix"
];
tokenFile = config.age.secrets.forgejoActions.path;
};