feat(services/forgejo): add nix label for forgejo actions

2024-06-18 16:33:37 -04:00 · 2024-06-18 16:33:37 -04:00 · 976942c353
commit 976942c353
parent b746ec813f
1 changed files with 104 additions and 10 deletions
--- a/modules/services/forgejo/default.nix
+++ b/modules/services/forgejo/default.nix
@ -9,6 +9,33 @@ with lib; let
  inherit (config.my.server) domain proxyIP firewallInterface;
  forgejoDomain = "git.${domain}";
  forgejoUrl = "https://${forgejoDomain}";
+
+  # for nix actions runner
+  storeDeps = pkgs.runCommand "store-deps" {} ''
+    mkdir -p $out/bin
+    for dir in ${
+      toString [
+        pkgs.coreutils
+        pkgs.findutils
+        pkgs.gnugrep
+        pkgs.gawk
+        pkgs.git
+        pkgs.nix
+        pkgs.bash
+        pkgs.jq
+        pkgs.nodejs
+        pkgs.devenv
+      ]
+    }; do
+      for bin in "$dir"/bin/*; do
+        ln -s "$bin" "$out/bin/$(basename "$bin")"
+      done
+    done
+
+    # Add SSL CA certs
+    mkdir -p $out/etc/ssl/certs
+    cp -a "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" $out/etc/ssl/certs/ca-bundle.crt
+  '';
 in {
  options.my.services.forgejo = {
    enable = mkEnableOption "Forgejo";
@ -59,33 +86,100 @@ in {
      };

      networking.firewall.interfaces."${firewallInterface}".allowedTCPPorts = [cfg.port];
+    })
+    (mkIf cfg.actions.enable {
+      # build image // taken from https://git.clan.lol/clan/clan-infra/src/branch/main/modules/web01/gitea/actions-runner.nix
+      # everything here has no dependencies on the store
+      systemd.services.forgejo-runner-nix-image = {
+        wantedBy = ["multi-user.target"];
+        after = ["podman.service"];
+        requires = ["podman.service"];
+        path = [
+          config.virtualisation.podman.package
+          pkgs.gnutar
+          pkgs.shadow
+          pkgs.getent
+        ];
+        # we also include etc here because the cleanup job also wants the nixuser to be present
+        script = ''
+          set -eux -o pipefail
+          mkdir -p etc/nix

+          # Create an unpriveleged user that we can use also without the run-as-user.sh script
+          touch etc/passwd etc/group
+          groupid=$(cut -d: -f3 < <(getent group nixuser))
+          userid=$(cut -d: -f3 < <(getent passwd nixuser))
+          groupadd --prefix $(pwd) --gid "$groupid" nixuser
+          emptypassword='$6$1ero.LwbisiU.h3D$GGmnmECbPotJoPQ5eoSTD6tTjKnSWZcjHoVTkxFLZP17W9hRi/XkmCiAMOfWruUwy8gMjINrBMNODc7cYEo4K.'
+          useradd --prefix $(pwd) -p "$emptypassword" -m -d /tmp -u "$userid" -g "$groupid" -G nixuser nixuser
+
+          cat <<NIX_CONFIG > etc/nix/nix.conf
+          accept-flake-config = true
+          experimental-features = nix-command flakes
+          NIX_CONFIG
+
+          cat <<NSSWITCH > etc/nsswitch.conf
+          passwd:    files mymachines systemd
+          group:     files mymachines systemd
+          shadow:    files
+
+          hosts:     files mymachines dns myhostname
+          networks:  files
+
+          ethers:    files
+          services:  files
+          protocols: files
+          rpc:       files
+          NSSWITCH
+
+          # list the content as it will be imported into the container
+          tar -cv . | tar -tvf -
+          tar -cv . | podman import - forgejo-runner-nix
+        '';
+        serviceConfig = {
+          RuntimeDirectory = "forgejo-runner-nix-image";
+          WorkingDirectory = "/run/forgejo-runner-nix-image";
+          Type = "oneshot";
+          RemainAfterExit = true;
+        };
+      };
+
+      users.users.nixuser = {
+        group = "nixuser";
+        description = "Used for running nix ci jobs";
+        home = "/var/empty";
+        isSystemUser = true;
+      };
+      users.groups.nixuser = {};
+
+      # configure the actions runner itself
      age.secrets.forgejoActions.file = ../../../secrets/forgejo-actions.age;
      services.gitea-actions-runner = mkIf cfg.actions.enable {
        package = pkgs.unstable.forgejo-runner;
        instances.venus = {
          enable = true;
-          name = "venus";
+          name = "venus-nix-runner";
          url = forgejoUrl;
          settings = {
-            # log = {
-            #   level = "debug";
-            # };
-            options = "-v /var/run/podman/podman.sock:/var/run/podman/podman.sock";
+            # options = "-v /var/run/podman/podman.sock:/var/run/podman/podman.sock";
            runner = {
              capacity = 5;
              timeout = "45m";
            };
            container = {
-              privileged = true;
-              valid_volumes = ["*"];
-              force_pull = false;
+              options = "-e NIX_BUILD_SHELL=/bin/bash -e PAGER=cat -e PATH=/bin -e SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt --device /dev/kvm -v /nix:/nix -v ${storeDeps}/bin:/bin -v ${storeDeps}/etc/ssl:/etc/ssl --user nixuser --device=/dev/kvm";
+              # privileged = true;
+              valid_volumes = [
+                "/nix"
+                "${storeDeps}/bin"
+                "${storeDeps}/etc/ssl"
+              ];
+              # force_pull = false;
              network = "bridge";
            };
          };
          labels = [
-            "debian-latest:docker://ghcr.io/catthehacker/ubuntu:act-latest"
-            "ubuntu-latest:docker://ghcr.io/catthehacker/ubuntu:act-latest"
+            "nix:docker://forgejo-runner-nix"
          ];
          tokenFile = config.age.secrets.forgejoActions.path;
        };