feat(services/forgejo): add nix label for forgejo actions
This commit is contained in:
parent
b746ec813f
commit
976942c353
@ -9,6 +9,33 @@ with lib; let
|
||||
inherit (config.my.server) domain proxyIP firewallInterface;
|
||||
forgejoDomain = "git.${domain}";
|
||||
forgejoUrl = "https://${forgejoDomain}";
|
||||
|
||||
# for nix actions runner
|
||||
storeDeps = pkgs.runCommand "store-deps" {} ''
|
||||
mkdir -p $out/bin
|
||||
for dir in ${
|
||||
toString [
|
||||
pkgs.coreutils
|
||||
pkgs.findutils
|
||||
pkgs.gnugrep
|
||||
pkgs.gawk
|
||||
pkgs.git
|
||||
pkgs.nix
|
||||
pkgs.bash
|
||||
pkgs.jq
|
||||
pkgs.nodejs
|
||||
pkgs.devenv
|
||||
]
|
||||
}; do
|
||||
for bin in "$dir"/bin/*; do
|
||||
ln -s "$bin" "$out/bin/$(basename "$bin")"
|
||||
done
|
||||
done
|
||||
|
||||
# Add SSL CA certs
|
||||
mkdir -p $out/etc/ssl/certs
|
||||
cp -a "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" $out/etc/ssl/certs/ca-bundle.crt
|
||||
'';
|
||||
in {
|
||||
options.my.services.forgejo = {
|
||||
enable = mkEnableOption "Forgejo";
|
||||
@ -59,33 +86,100 @@ in {
|
||||
};
|
||||
|
||||
networking.firewall.interfaces."${firewallInterface}".allowedTCPPorts = [cfg.port];
|
||||
})
|
||||
(mkIf cfg.actions.enable {
|
||||
# build image // taken from https://git.clan.lol/clan/clan-infra/src/branch/main/modules/web01/gitea/actions-runner.nix
|
||||
# everything here has no dependencies on the store
|
||||
systemd.services.forgejo-runner-nix-image = {
|
||||
wantedBy = ["multi-user.target"];
|
||||
after = ["podman.service"];
|
||||
requires = ["podman.service"];
|
||||
path = [
|
||||
config.virtualisation.podman.package
|
||||
pkgs.gnutar
|
||||
pkgs.shadow
|
||||
pkgs.getent
|
||||
];
|
||||
# we also include etc here because the cleanup job also wants the nixuser to be present
|
||||
script = ''
|
||||
set -eux -o pipefail
|
||||
mkdir -p etc/nix
|
||||
|
||||
# Create an unpriveleged user that we can use also without the run-as-user.sh script
|
||||
touch etc/passwd etc/group
|
||||
groupid=$(cut -d: -f3 < <(getent group nixuser))
|
||||
userid=$(cut -d: -f3 < <(getent passwd nixuser))
|
||||
groupadd --prefix $(pwd) --gid "$groupid" nixuser
|
||||
emptypassword='$6$1ero.LwbisiU.h3D$GGmnmECbPotJoPQ5eoSTD6tTjKnSWZcjHoVTkxFLZP17W9hRi/XkmCiAMOfWruUwy8gMjINrBMNODc7cYEo4K.'
|
||||
useradd --prefix $(pwd) -p "$emptypassword" -m -d /tmp -u "$userid" -g "$groupid" -G nixuser nixuser
|
||||
|
||||
cat <<NIX_CONFIG > etc/nix/nix.conf
|
||||
accept-flake-config = true
|
||||
experimental-features = nix-command flakes
|
||||
NIX_CONFIG
|
||||
|
||||
cat <<NSSWITCH > etc/nsswitch.conf
|
||||
passwd: files mymachines systemd
|
||||
group: files mymachines systemd
|
||||
shadow: files
|
||||
|
||||
hosts: files mymachines dns myhostname
|
||||
networks: files
|
||||
|
||||
ethers: files
|
||||
services: files
|
||||
protocols: files
|
||||
rpc: files
|
||||
NSSWITCH
|
||||
|
||||
# list the content as it will be imported into the container
|
||||
tar -cv . | tar -tvf -
|
||||
tar -cv . | podman import - forgejo-runner-nix
|
||||
'';
|
||||
serviceConfig = {
|
||||
RuntimeDirectory = "forgejo-runner-nix-image";
|
||||
WorkingDirectory = "/run/forgejo-runner-nix-image";
|
||||
Type = "oneshot";
|
||||
RemainAfterExit = true;
|
||||
};
|
||||
};
|
||||
|
||||
users.users.nixuser = {
|
||||
group = "nixuser";
|
||||
description = "Used for running nix ci jobs";
|
||||
home = "/var/empty";
|
||||
isSystemUser = true;
|
||||
};
|
||||
users.groups.nixuser = {};
|
||||
|
||||
# configure the actions runner itself
|
||||
age.secrets.forgejoActions.file = ../../../secrets/forgejo-actions.age;
|
||||
services.gitea-actions-runner = mkIf cfg.actions.enable {
|
||||
package = pkgs.unstable.forgejo-runner;
|
||||
instances.venus = {
|
||||
enable = true;
|
||||
name = "venus";
|
||||
name = "venus-nix-runner";
|
||||
url = forgejoUrl;
|
||||
settings = {
|
||||
# log = {
|
||||
# level = "debug";
|
||||
# };
|
||||
options = "-v /var/run/podman/podman.sock:/var/run/podman/podman.sock";
|
||||
# options = "-v /var/run/podman/podman.sock:/var/run/podman/podman.sock";
|
||||
runner = {
|
||||
capacity = 5;
|
||||
timeout = "45m";
|
||||
};
|
||||
container = {
|
||||
privileged = true;
|
||||
valid_volumes = ["*"];
|
||||
force_pull = false;
|
||||
options = "-e NIX_BUILD_SHELL=/bin/bash -e PAGER=cat -e PATH=/bin -e SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt --device /dev/kvm -v /nix:/nix -v ${storeDeps}/bin:/bin -v ${storeDeps}/etc/ssl:/etc/ssl --user nixuser --device=/dev/kvm";
|
||||
# privileged = true;
|
||||
valid_volumes = [
|
||||
"/nix"
|
||||
"${storeDeps}/bin"
|
||||
"${storeDeps}/etc/ssl"
|
||||
];
|
||||
# force_pull = false;
|
||||
network = "bridge";
|
||||
};
|
||||
};
|
||||
labels = [
|
||||
"debian-latest:docker://ghcr.io/catthehacker/ubuntu:act-latest"
|
||||
"ubuntu-latest:docker://ghcr.io/catthehacker/ubuntu:act-latest"
|
||||
"nix:docker://forgejo-runner-nix"
|
||||
];
|
||||
tokenFile = config.age.secrets.forgejoActions.path;
|
||||
};
|
||||
|
Loading…
x
Reference in New Issue
Block a user