Michael Thomas 2024-06-26 18:52:29 -04:00
commit caf74e5636
7 changed files with 221 additions and 84 deletions


@ -9,6 +9,33 @@ with lib; let
inherit (config.my.server) domain proxyIP firewallInterface;
forgejoDomain = "git.${domain}";
forgejoUrl = "https://${forgejoDomain}";
# for nix actions runner
storeDeps = pkgs.runCommand "store-deps" {} ''
mkdir -p $out/bin
for dir in ${
toString [
pkgs.coreutils
pkgs.findutils
pkgs.gnugrep
pkgs.gawk
pkgs.git
pkgs.nix
pkgs.bash
pkgs.jq
pkgs.nodejs
pkgs.devenv
]
}; do
for bin in "$dir"/bin/*; do
ln -s "$bin" "$out/bin/$(basename "$bin")"
done
done
# Add SSL CA certs
mkdir -p $out/etc/ssl/certs
cp -a "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" $out/etc/ssl/certs/ca-bundle.crt
'';
in {
options.my.services.forgejo = {
enable = mkEnableOption "Forgejo";
@ -34,6 +61,11 @@ in {
config = mkMerge [
(mkIf cfg.enable {
age.secrets.forgejoSendgridKey = {
file = ../../../secrets/sendgrid-key.age;
owner = "forgejo";
group = "forgejo";
};
services.forgejo = {
enable = true;
package = pkgs.unstable.forgejo;
@ -56,36 +88,112 @@ in {
settings.oauth2_client = {
ENABLE_AUTO_REGISTRATION = true;
};
settings.mailer = {
ENABLED = true;
FROM = "forgejo@michaelt.xyz";
PROTOCOL = "starttls";
SMTP_ADDR = "smtp.sendgrid.net";
SMTP_PORT = 587;
USER = "apikey";
};
mailerPasswordFile = config.age.secrets.forgejoSendgridKey.path;
};
networking.firewall.interfaces."${firewallInterface}".allowedTCPPorts = [cfg.port];
})
(mkIf cfg.actions.enable {
# build image // taken from https://git.clan.lol/clan/clan-infra/src/branch/main/modules/web01/gitea/actions-runner.nix
# everything here has no dependencies on the store
systemd.services.forgejo-runner-nix-image = {
wantedBy = ["multi-user.target"];
after = ["podman.service"];
requires = ["podman.service"];
path = [
config.virtualisation.podman.package
pkgs.gnutar
pkgs.shadow
pkgs.getent
];
# we also include etc here because the cleanup job also wants the nixuser to be present
script = ''
set -eux -o pipefail
mkdir -p etc/nix
# Create an unpriveleged user that we can use also without the run-as-user.sh script
touch etc/passwd etc/group
groupid=$(cut -d: -f3 < <(getent group nixuser))
userid=$(cut -d: -f3 < <(getent passwd nixuser))
groupadd --prefix $(pwd) --gid "$groupid" nixuser
emptypassword='$6$1ero.LwbisiU.h3D$GGmnmECbPotJoPQ5eoSTD6tTjKnSWZcjHoVTkxFLZP17W9hRi/XkmCiAMOfWruUwy8gMjINrBMNODc7cYEo4K.'
useradd --prefix $(pwd) -p "$emptypassword" -m -d /tmp -u "$userid" -g "$groupid" -G nixuser nixuser
cat <<NIX_CONFIG > etc/nix/nix.conf
accept-flake-config = true
experimental-features = nix-command flakes
NIX_CONFIG
cat <<NSSWITCH > etc/nsswitch.conf
passwd: files mymachines systemd
group: files mymachines systemd
shadow: files
hosts: files mymachines dns myhostname
networks: files
ethers: files
services: files
protocols: files
rpc: files
NSSWITCH
# list the content as it will be imported into the container
tar -cv . | tar -tvf -
tar -cv . | podman import - forgejo-runner-nix
'';
serviceConfig = {
RuntimeDirectory = "forgejo-runner-nix-image";
WorkingDirectory = "/run/forgejo-runner-nix-image";
Type = "oneshot";
RemainAfterExit = true;
};
};
users.users.nixuser = {
group = "nixuser";
description = "Used for running nix ci jobs";
home = "/var/empty";
isSystemUser = true;
};
users.groups.nixuser = {};
# configure the actions runner itself
age.secrets.forgejoActions.file = ../../../secrets/forgejo-actions.age;
services.gitea-actions-runner = mkIf cfg.actions.enable {
package = pkgs.unstable.forgejo-runner;
instances.venus = {
enable = true;
name = "venus";
name = "venus-nix-runner";
url = forgejoUrl;
settings = {
# log = {
# level = "debug";
# };
options = "-v /var/run/podman/podman.sock:/var/run/podman/podman.sock";
# options = "-v /var/run/podman/podman.sock:/var/run/podman/podman.sock";
runner = {
capacity = 5;
capacity = 1;
timeout = "45m";
};
container = {
privileged = true;
valid_volumes = ["*"];
force_pull = false;
options = "-e NIX_BUILD_SHELL=/bin/bash -e PAGER=cat -e PATH=/bin -e SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt --device /dev/kvm -v /nix:/nix -v ${storeDeps}/bin:/bin -v ${storeDeps}/etc/ssl:/etc/ssl --user nixuser --device=/dev/kvm";
# privileged = true;
valid_volumes = [
"/nix"
"${storeDeps}/bin"
"${storeDeps}/etc/ssl"
];
# force_pull = false;
network = "bridge";
};
};
labels = [
"debian-latest:docker://ghcr.io/catthehacker/ubuntu:act-latest"
"ubuntu-latest:docker://ghcr.io/catthehacker/ubuntu:act-latest"
"nix:docker://forgejo-runner-nix"
];
tokenFile = config.age.secrets.forgejoActions.path;
};
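Review bot: In `container.options` the job containers get `-v /nix:/nix` with no `:ro`, so every workflow on the `nix` label shares the host's Nix store and, presumably, the daemon socket under `/nix/var`, while the image's `nix.conf` sets `accept-flake-config = true`. That leaves the host daemon's own policy as the only control on what a repository's flake can request, so I would record it next to the option, e.g. `# jobs talk to the host nix daemon through /nix; keep nixuser out of nix.settings.trusted-users`, and drop `accept-flake-config` from the image unless the workflows need it. The same string also passes the KVM device twice (`--device /dev/kvm` and `--device=/dev/kvm`); one of them can go. The `instances.venus` attribute set continues past the end of this section.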


@ -1,6 +1,6 @@
{
plugins.neo-tree = {
enable = false;
enable = true;
enableDiagnostics = true;
enableGitStatus = true;
enableModifiedMarkers = true;
@ -9,9 +9,7 @@
popupBorderStyle = "rounded"; # Type: null or one of “NC”, “double”, “none”, “rounded”, “shadow”, “single”, “solid” or raw lua code
buffers = {
bindToCwd = false;
followCurrentFile = {
enabled = true;
};
followCurrentFile.enabled = true;
};
window = {
width = 40;
@ -21,44 +19,63 @@
"<space>" = "none";
};
};
filesystem = {
bindToCwd = false;
followCurrentFile.enabled = true;
useLibuvFileWatcher = true;
};
defaultComponentConfigs = {
indent = {
withExpanders = true; # if nil and file nesting is enabled, will enable expanders
expanderCollapsed = "";
expanderExpanded = "";
expanderHighlight = "NeoTreeExpander";
};
gitStatus = {
symbols = {
unstaged = "󰄱";
staged = "󰱒";
};
};
};
};
# keymaps = [
# {
# mode = "n";
# key = "<leader>e";
# action = ":Neotree toggle reveal_force_cwd<cr>";
# options = {
# silent = true;
# desc = "Explorer NeoTree (root dir)";
# };
# }
# {
# mode = "n";
# key = "<leader>E";
# action = "<cmd>Neotree toggle<CR>";
# options = {
# silent = true;
# desc = "Explorer NeoTree (cwd)";
# };
# }
# {
# mode = "n";
# key = "<leader>be";
# action = ":Neotree buffers<CR>";
# options = {
# silent = true;
# desc = "Buffer explorer";
# };
# }
# {
# mode = "n";
# key = "<leader>ge";
# action = ":Neotree git_status<CR>";
# options = {
# silent = true;
# desc = "Git explorer";
# };
# }
# ];
keymaps = [
{
mode = "n";
key = "<leader>e";
action = ":Neotree toggle reveal_force_cwd<cr>";
options = {
silent = true;
desc = "Explorer NeoTree (root dir)";
};
}
{
mode = "n";
key = "<leader>E";
action = "<cmd>Neotree toggle<CR>";
options = {
silent = true;
desc = "Explorer NeoTree (cwd)";
};
}
{
mode = "n";
key = "<leader>be";
action = ":Neotree buffers<CR>";
options = {
silent = true;
desc = "Buffer explorer";
};
}
{
mode = "n";
key = "<leader>ge";
action = ":Neotree git_status<CR>";
options = {
silent = true;
desc = "Git explorer";
};
}
];
}


@ -7,6 +7,7 @@ in {
"wireguard-thinkcentre.age".publicKeys = [venus];
"keycloak-db.age".publicKeys = [venus];
"forgejo-actions.age".publicKeys = [venus];
"sendgrid-key.age".publicKeys = [venus];
# Oracle
"wireguard-oracle.age".publicKeys = [oracle];

BIN
secrets/sendgrid-key.age Normal file

Binary file not shown.


@ -1,43 +1,44 @@
{
"LazyVim": { "branch": "main", "commit": "a5f8af912de4b334cb900a9f383b6e317568f27f" },
"bufferline.nvim": { "branch": "main", "commit": "99337f63f0a3c3ab9519f3d1da7618ca4f91cffe" },
"catppuccin": { "branch": "main", "commit": "5215ea59df6d0a7e27da9a5cd1165e06d1b04cbe" },
"LazyVim": { "branch": "main", "commit": "53f4595b4e7ee980e9446a9248862a40701959c1" },
"bufferline.nvim": { "branch": "main", "commit": "81820cac7c85e51e4cf179f8a66d13dbf7b032d9" },
"catppuccin": { "branch": "main", "commit": "894efb557728e532aa98b98029d16907a214ec05" },
"cmp-buffer": { "branch": "main", "commit": "3022dbc9166796b644a841a02de8dd1cc1d311fa" },
"cmp-nvim-lsp": { "branch": "main", "commit": "39e2eda76828d88b773cc27a3f61d2ad782c922d" },
"cmp-path": { "branch": "main", "commit": "91ff86cd9c29299a64f968ebb45846c485725f23" },
"conform.nvim": { "branch": "master", "commit": "069e971295a34a810484b7b2ef54b3c735214181" },
"dashboard-nvim": { "branch": "master", "commit": "5346d023afc4bfc7ff63d05c70bcdb0784bb657a" },
"dressing.nvim": { "branch": "master", "commit": "e3714c8049b2243e792492c4149e4cc395c68eb9" },
"conform.nvim": { "branch": "master", "commit": "c26dadf8a47a547768d1048a0d698ecec33494ce" },
"dashboard-nvim": { "branch": "master", "commit": "69a4c935cc43d3d725ed0600c6d00593bc23d132" },
"flash.nvim": { "branch": "main", "commit": "43f67935d388fbb540f8b40e8cbfd80de54f978a" },
"friendly-snippets": { "branch": "main", "commit": "e11b09bf10706bb74e16e4c3d11b2274d62e687f" },
"gitsigns.nvim": { "branch": "main", "commit": "4a143f13e122ab91abdc88f89eefbe70a4858a56" },
"friendly-snippets": { "branch": "main", "commit": "682157939e57bd6a2c86277dfd4d6fbfce63dbac" },
"gitsigns.nvim": { "branch": "main", "commit": "fa42613096ebfa5fee1ea87d70f8625ab9685d01" },
"gruvbox.nvim": { "branch": "main", "commit": "d4cde3853a172485961b515c36d51d757728d6e6" },
"indent-blankline.nvim": { "branch": "master", "commit": "d98f537c3492e87b6dc6c2e3f66ac517528f406f" },
"lazy.nvim": { "branch": "main", "commit": "fafe1f7c640aed75e70a10e6649612cd96f39149" },
"indent-blankline.nvim": { "branch": "master", "commit": "4288ce8128a52650e401dda42fd7651a6038f262" },
"kdl.vim": { "branch": "main", "commit": "b84d7d3a15d8d30da016cf9e98e2cfbe35cddee5" },
"lazy.nvim": { "branch": "main", "commit": "20af3fcc4ef2fef0cb4021543c70410567fcf9aa" },
"lualine.nvim": { "branch": "master", "commit": "0a5a66803c7407767b799067986b4dc3036e1983" },
"mason-lspconfig.nvim": { "branch": "main", "commit": "8db12610bcb7ce67013cfdfaba4dd47a23c6e851" },
"mason-lspconfig.nvim": { "branch": "main", "commit": "37a336b653f8594df75c827ed589f1c91d91ff6c" },
"mason.nvim": { "branch": "main", "commit": "0950b15060067f752fde13a779a994f59516ce3d" },
"mini.ai": { "branch": "main", "commit": "7859b6344f5cee567a94f173859d25e20ba1a77e" },
"mini.pairs": { "branch": "main", "commit": "40261dfcec7623cd57be3c3beb50fa73f2650cdf" },
"mini.ai": { "branch": "main", "commit": "ebf806de0292ef89b2756cfb0b55040901d1c441" },
"mini.pairs": { "branch": "main", "commit": "18a2d9d7106d08d3560d07c03dcbf5680c8675cc" },
"neo-tree.nvim": { "branch": "v3.x", "commit": "29f7c215332ba95e470811c380ddbce2cebe2af4" },
"no-neck-pain.nvim": { "branch": "main", "commit": "741ad26c4acc45f2164a3933f7825b0e555b724d" },
"noice.nvim": { "branch": "main", "commit": "e5cb20c6e14305d24025ecb77d7d4dd9d61f1a64" },
"nui.nvim": { "branch": "main", "commit": "322978c734866996274467de084a95e4f9b5e0b1" },
"nvim-cmp": { "branch": "main", "commit": "5260e5e8ecadaf13e6b82cf867a909f54e15fd07" },
"nvim-lint": { "branch": "master", "commit": "941fa1220a61797a51f3af9ec6b7d74c8c7367ce" },
"nvim-lspconfig": { "branch": "master", "commit": "92166b89ab4b3d60f24e58170cac53b7141fd032" },
"noice.nvim": { "branch": "main", "commit": "cade1f972ba226e7753a7a113f3f1a942908e73c" },
"nui.nvim": { "branch": "main", "commit": "61574ce6e60c815b0a0c4b5655b8486ba58089a1" },
"nvim-cmp": { "branch": "main", "commit": "a110e12d0b58eefcf5b771f533fc2cf3050680ac" },
"nvim-lint": { "branch": "master", "commit": "efc6fc83f0772283e064c53a8f9fb5645bde0bc0" },
"nvim-lspconfig": { "branch": "master", "commit": "9c9eb07fecc578e25e28db8dc9002b43fff2ed79" },
"nvim-notify": { "branch": "master", "commit": "d333b6f167900f6d9d42a59005d82919830626bf" },
"nvim-spectre": { "branch": "master", "commit": "4d22fe03554056de4325762add3e546c77e3a275" },
"nvim-treesitter": { "branch": "master", "commit": "c5cbd3ec74f6f5ddbac939e6f24b99fe78262b4c" },
"nvim-spectre": { "branch": "master", "commit": "49fae98ef2bfa8342522b337892992e3495065d5" },
"nvim-treesitter": { "branch": "master", "commit": "53b32a6aa3e1de224e82f88cbdc08584c753adb7" },
"nvim-treesitter-textobjects": { "branch": "master", "commit": "34867c69838078df7d6919b130c0541c0b400c47" },
"nvim-ts-autotag": { "branch": "main", "commit": "6eb4120a1aadef07ac312f1c4bc6456712220007" },
"nvim-web-devicons": { "branch": "master", "commit": "b4b302d6ae229f67df7a87ef69fa79473fe788a9" },
"persistence.nvim": { "branch": "main", "commit": "5fe077056c821aab41f87650bd6e1c48cd7dd047" },
"nvim-ts-autotag": { "branch": "main", "commit": "ddfccbf0df1b9349c2b9e9b17f4afa8f9b6c1ed1" },
"nvim-web-devicons": { "branch": "master", "commit": "c0cfc1738361b5da1cd0a962dd6f774cc444f856" },
"persistence.nvim": { "branch": "main", "commit": "95d03ad5450389ad7dc2a0fab14ebb3d46bc2c96" },
"plenary.nvim": { "branch": "master", "commit": "a3e3bc82a3f95c5ed0d7201546d5d2c19b20d683" },
"telescope-fzf-native.nvim": { "branch": "main", "commit": "9ef21b2e6bb6ebeaf349a0781745549bbb870d27" },
"telescope.nvim": { "branch": "master", "commit": "3a743491e5c6be0ed0aa8c31c6905df8f66179ba" },
"todo-comments.nvim": { "branch": "main", "commit": "70a93ce66083699571adc361166504b03cc39c2b" },
"tokyonight.nvim": { "branch": "main", "commit": "02e9028fe3560f38363c2d38f1c87e45eb04fdb3" },
"rustaceanvim": { "branch": "master", "commit": "d6d7620b66d74b3b16defcf85cbef7b3582795b3" },
"todo-comments.nvim": { "branch": "main", "commit": "51e10f838e84b4756c16311d0b1ef0972c6482d2" },
"tokyonight.nvim": { "branch": "main", "commit": "30d7be361a7fbf187a881f17e574e9213d5108ea" },
"tree-sitter-asm": { "branch": "main", "commit": "b0306e9bb2ebe01c6562f1aef265cc42ccc53070" },
"trouble.nvim": { "branch": "main", "commit": "806c50491078b66daf13c408042f2e74da46d0ff" },
"trouble.nvim": { "branch": "main", "commit": "88c3be40c061ce053ab326ce4fdcb973a1f785ff" },
"vim-freemarker": { "branch": "master", "commit": "993bda23e72e4c074659970c1e777cb19d8cf93e" },
"which-key.nvim": { "branch": "main", "commit": "0099511294f16b81c696004fa6a403b0ae61f7a0" }
}


@ -1,9 +1,10 @@
{
"extras": [
"lazyvim.plugins.extras.dap.core",
"lazyvim.plugins.extras.lang.rust"
],
"news": {
"NEWS.md": "3314"
"NEWS.md": "5950"
},
"version": 3
"version": 6
}


@ -73,6 +73,7 @@ return {
json = { { "prettierd", "prettier" } },
yaml = { { "prettierd", "prettier" } },
css = { { "prettierd", "prettier" } },
markdown = { { "prettierd", "prettier" } },
},
},
},
@ -85,4 +86,12 @@ return {
{
"andreshazard/vim-freemarker",
},
{
"mrcjkb/rustaceanvim",
opts = {
server = {
load_vscode_settings = true,
},
},
},
}
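Review bot: `load_vscode_settings = true` in the new rustaceanvim entry means rust-analyzer settings are also taken from a `.vscode/settings.json` found in the project, so this file is no longer the only place the server's configuration comes from. A short comment on that line would make the trust assumption visible, e.g. `-- rust-analyzer settings are also read from the repo's .vscode/settings.json; open only trusted projects`. The returned table starts before this hunk.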