From 8dfcd01ce5c10da265fc701e62e3e2e31e6a803f Mon Sep 17 00:00:00 2001 From: RGBCube Date: Wed, 7 Feb 2024 12:46:48 +0300 Subject: [PATCH] Add forgejo runner --- hosts/cube/forgejo.nix | 53 +++++++++++++++++++++--- hosts/cube/podman.nix | 15 +++++++ lib/values.nix | 4 ++ secrets/cube/password.runner.forgejo.age | 5 +++ secrets/secrets.nix | 3 +- 5 files changed, 73 insertions(+), 7 deletions(-) create mode 100644 hosts/cube/podman.nix create mode 100644 secrets/cube/password.runner.forgejo.age diff --git a/hosts/cube/forgejo.nix b/hosts/cube/forgejo.nix index b7052d4..37d184e 100644 --- a/hosts/cube/forgejo.nix +++ b/hosts/cube/forgejo.nix @@ -1,11 +1,12 @@ -{ config, ulib, ... }: with ulib; +{ config, ulib, pkgs, ... }: with ulib; let inherit (config.networking) domain; fqdn = "git.${domain}"; in serverSystemConfiguration { - age.secrets."cube/password.mail.forgejo".owner = "forgejo"; + age.secrets."cube/password.mail.forgejo".owner = "forgejo"; + age.secrets."cube/password.runner.forgejo".owner = "forgejo"; services.postgresql = { ensureDatabases = [ "forgejo" ]; @@ -15,6 +16,46 @@ in serverSystemConfiguration { }]; }; + users.groups.gitea-runner = {}; + users.users.gitea-runner = systemUser { + extraGroups = [ "docker" ]; + group = "gitea-runner"; + home = "/var/lib/gitea-runner"; + }; + + services.gitea-actions-runner = { + package = pkgs.forgejo-actions-runner; + + instances.runner-01 = enabled { + name = "runner-01"; + url = fqdn; + + labels = [ + "debian-latest:docker://node:18-bullseye" + "ubuntu-latest:docker://node:18-bullseye" + "act:docker://ghcr.io/catthehacker/ubuntu:act-latest" + ]; + + tokenFile = config.age.secrets."cube/password.runner.forgejo".path; + + settings = { + cache.enabled = true; + capacity = 4; + container.network = "host"; + }; + + hostPackages = with pkgs; [ + bash + coreutils + curl + gitMinimal + sudo + wget + ]; + }; + }; + + services.forgejo = enabled { lfs = enabled {}; 
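Review bot: `age.secrets."cube/password.runner.forgejo".owner = "forgejo";` hands the runner token to the forgejo server account, but the only consumer this commit adds is the gitea-actions-runner instance (tokenFile in the next hunk), which does not run as `forgejo`; the owner line reads like a copy of the mail-secret line directly above it. If the runner module passes tokenFile to systemd as an EnvironmentFile or credential the ownership is harmless, otherwise a mode-restricted file owned by another user is unreadable by the service; either way `owner = "gitea-runner";` (the account this commit creates for the runner) states the intent and keeps the secret scoped to its one reader. It is also worth checking that the decrypted content has the shape the module expects for tokenFile, which as far as I know is an environment-style `TOKEN=…` line rather than a bare token, since the file is named like the bare mail password. The enclosing serverSystemConfiguration attribute set continues past the hunk.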
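Review bot: `url = fqdn;` gives the runner a bare host name (`git.<domain>`) with no scheme, while the forgejo side of this same commit uses `https://${fqdn}` for DEFAULT_ACTIONS_URL; unless fqdn is rewritten somewhere I cannot see, this should be `url = "https://${fqdn}";`. `container.network = "host"` runs every job container in the host network namespace, so any repository with actions enabled can reach services bound to localhost on this machine (the postgresql instance configured a few lines above, among others); drop the line unless a job genuinely needs it, and document the exception if one does. `extraGroups = [ "docker" ]` grants the runner account root-equivalent control of the container runtime, and since podman.nix in this commit exposes the socket via `dockerSocket`, whose NixOS access group is `podman` rather than `docker`, it is worth confirming that this membership does anything here at all and whether the runner module adds the right supplementary group on its own. The image labels use floating tags (`node:18-bullseye`, `ubuntu:act-latest`), so the job environment can change underneath the runner; pinning by digest keeps it reproducible. The enclosing serverSystemConfiguration attribute set starts and ends outside the hunk.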
@@ -30,10 +71,10 @@ in serverSystemConfiguration { in { default.APP_NAME = description; - # actions = { - # ENABLED = true; - # DEFAULT_ACTIONS_URL = "https://${fqdn}"; - # }; + actions = { + ENABLED = true; + DEFAULT_ACTIONS_URL = "https://${fqdn}"; + }; attachment.ALLOWED_TYPES = "*/*"; diff --git a/hosts/cube/podman.nix b/hosts/cube/podman.nix new file mode 100644 index 0000000..99a3ee6 --- /dev/null +++ b/hosts/cube/podman.nix @@ -0,0 +1,15 @@ +{ ulib, ... }: with ulib; + +serverSystemConfiguration { + virtualisation.podman = enabled { + dockerCompat = true; + dockerSocket = enabled {}; + + defaultNetwork.settings.dns_enabled = true; + + autoPrune = enabled { + dates = "daily"; + flags = [ "--all" ]; + }; + }; +} diff --git a/lib/values.nix b/lib/values.nix index f03336b..a2328e4 100644 --- a/lib/values.nix +++ b/lib/values.nix @@ -7,6 +7,10 @@ isNormalUser = true; }; + systemUser = attributes: attributes // { + isSystemUser = true; + }; + graphicalUser = attributes: attributes // { isNormalUser = true; extraGroups = [ "graphical" ] ++ attributes.extraGroups or []; diff --git a/secrets/cube/password.runner.forgejo.age b/secrets/cube/password.runner.forgejo.age new file mode 100644 index 0000000..bdc21c5 --- /dev/null +++ b/secrets/cube/password.runner.forgejo.age @@ -0,0 +1,5 @@ +age-encryption.org/v1 +-> ssh-ed25519 +rZ0Tw rraoMjYwD6IIkmgyiDKlij2+bLqY5PNyMU5IPQ4mvjI +/yttaAf7neHJ69LYh6p33gRBXIZA4oxWS5DDMnfOhhM +--- o+/I/vPxFdL9orC3PsBTazOrwG6Le8uLMUYiHE4XMj8 + ]}W{[a'md AUԬ7z*Y9"|1dvQxcǓ"0pr: \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 03f5c6f..7c065b7 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix 
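Review bot: `DEFAULT_ACTIONS_URL = "https://${fqdn}"` resolves action references such as `uses: actions/checkout@v4` against this instance rather than an external forge, as I read the setting, so the referenced `actions/*` repositories must exist (or be mirrored) on `git.<domain>` before any workflow succeeds, and nothing in the commit adds them. If that is intentional, a one-line comment on the setting would spare the next reader a confusing job failure: `# Actions are fetched from this instance; mirror the actions/* repos here.` Enabling actions here applies to every repository on the instance, which, together with the runner labels, makes the runner configuration a trust boundary worth a short comment as well. The settings block continues outside the hunk on both sides.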
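Review bot: `dockerSocket = enabled {}` publishes the Podman API socket at the Docker socket path, and whoever can connect to it controls the container runtime with root-equivalent effect, so the file should say who is meant to use it: `# Docker-compatible socket for the forgejo actions runner only; socket access is root-equivalent.` `autoPrune` with `flags = [ "--all" ]` on a daily schedule removes every image not in use by a container at that moment, including the runner's job images, so the first jobs of each day re-pull them and the runner's `cache.enabled` does nothing for image pulls; if that churn is unwanted, drop `--all` or lengthen the interval, and note the trade-off in a comment. I cannot see from the diff where hosts/cube picks this new file up, so please confirm it is actually imported.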
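Review bot: `systemUser` only sets `isSystemUser = true`, but as far as I know NixOS rejects a system user without an explicit `group` (the caller in forgejo.nix passes `group = "gitea-runner"` by hand), so the helper silently leaves that obligation to every caller. Either document it, `# Callers must also set \`group\`; NixOS rejects a system user without one.`, or have the helper take the group name as an argument so a forgotten group fails at the call site rather than at evaluation of the whole host. The surrounding attribute set starts and ends outside the hunk.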
@@ -15,7 +15,8 @@ in with keys; {
 "cube/password.acme.age".publicKeys = key cube;
- "cube/password.mail.forgejo.age".publicKeys = key cube;
+ "cube/password.mail.forgejo.age".publicKeys = key cube;
+ "cube/password.runner.forgejo.age".publicKeys = key cube;
 "cube/password.grafana.age".publicKeys = key cube;
 "cube/password.mail.grafana.age".publicKeys = key cube;