diff --git a/modules/ci-runner/default.nix b/modules/ci-runner/default.nix
index 1460ab16..b9fbb105 100644
--- a/modules/ci-runner/default.nix
+++ b/modules/ci-runner/default.nix
@@ -1,41 +1,105 @@ { lib, config, pkgs, self, ... }: + with lib; let + bootstrap = pkgs.writeScript "bootstrap.sh" '' + #!/usr/bin/env bash + + set -e + + apt update + apt install --yes curl git sudo xz-utils + + adduser --system --uid 999 build + chown build /nix + + sudo -u build curl -L https://nixos.org/nix/install > install + sudo -u build sh install + + echo "export PATH=/nix/var/nix/profiles/per-user/build/profile/bin:''$PATH" >> /etc/profile + + mkdir /etc/nix + echo 'experimental-features = nix-command flakes' >> /etc/nix/nix.conf + + export nix_user_config_file="/home/build/.local/share/nix/trusted-settings.json" + mkdir -p $(dirname \\$nix_user_config_file) + echo '{"extra-experimental-features":{"nix-command flakes":true},"extra-substituters":{"https://nix-dram.cachix.org https://dram.cachix.org https://nrdxp.cachix.org https://nix-community.cachix.org":true},"extra-trusted-public-keys":{"nix-dram.cachix.org-1:CKjZ0L1ZiqH3kzYAZRt8tg8vewAx5yj8Du/+iR8Efpg= dram.cachix.org-1:baoy1SXpwYdKbqdTbfKGTKauDDeDlHhUpC+QuuILEMY= nrdxp.cachix.org-1:Fc5PSqY2Jm1TrWfm88l6cvGWwz3s93c6IOifQWnhNW4= nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=":true}}' > \\$nix_user_config_file + chown -R build /home/build/ + + curl -L https://github.com/drone-runners/drone-runner-exec/releases/latest/download/drone_runner_exec_linux_amd64.tar.gz | tar xz + sudo install -t /usr/local/bin drone-runner-exec + + if [ ! 
-f /run/vars ]; then + exit 1 + fi + + cp -a /run/vars /run/runtime-vars + env | grep "DRONE" >> /run/runtime-vars + + su - -s /bin/bash build sh -c "/usr/local/bin/drone-runner-exec daemon /run/runtime-vars" + ''; psCfg = config.pub-solar; cfg = config.pub-solar.ci-runner; in { options.pub-solar.ci-runner = { - enable = mkEnableOption "Enables a systemd service that runs drone-ci-runner"; - }; + enable = lib.mkEnableOption "Enables a docker container running a drone exec runner as unprivileged user."; - config = mkIf cfg.enable { - systemd.user.services.ci-runner = { - enable = true; - - description = "CI runner for the PubSolarOS repository that can run test VM instances with KVM."; - - serviceConfig = { - Type = "simple"; - Restart = "always"; - }; - - path = [ - pkgs.git - pkgs.nix - pkgs.libvirt - ]; - - wantedBy = [ "multi-user.target" ]; - after = [ "network.target" "libvirtd.service" ]; - - script = ''${pkgs.drone-runner-exec}/bin/drone-runner-exec daemon /run/agenix/drone-runner-exec-config''; + enableKvm = lib.mkOption { + description = '' + Enable kvm support. 
+ ''; + default = true; + type = types.bool; }; - age.secrets."drone-runner-exec-config" = { - file = "${self}/secrets/drone-runner-exec-config"; - mode = "700"; - owner = psCfg.user.name; + nixCacheLocation = lib.mkOption { + description = '' + Location of nix cache that is shared between builds + ''; + type = types.path; + }; + + runnerEnvironment = lib.mkOption { + description = '' + Additional environment vars added to the vars file on container runtime + ''; + default = {}; + }; + + runnerVarsFile = lib.mkOption { + description = '' + Location of vars file passed to drone runner + ''; + type = types.path; + }; + }; + + config = lib.mkIf cfg.enable { + virtualisation = { + docker = { + enable = true; # sadly podman is not supported rightnow + }; + + oci-containers = { + backend = "docker"; + containers."drone-exec-runner" = { + image = "debian"; + autoStart = true; + entrypoint = "bash"; + cmd = [ "/bootstrap.sh" ]; + + volumes = [ + "${cfg.runnerVarsFile}:/run/vars" + "${cfg.nixCacheLocation}:/nix" + "${bootstrap}:/bootstrap.sh" + ]; + + environment = cfg.runnerEnvironment; + + extraOptions = lib.mkIf cfg.enableKvm [ "--device=/dev/kvm" ]; + }; + }; }; }; } diff --git a/modules/docker-ci-runner/default.nix b/modules/docker-ci-runner/default.nix deleted file mode 100644 index be7ecc47..00000000 --- a/modules/docker-ci-runner/default.nix +++ /dev/null 
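Review bot: The `bootstrap` script now shipped in this module fetches and executes unverified, unpinned artifacts as root on every container start: `sh install` runs whatever `https://nixos.org/nix/install` returned, `releases/latest/download/...tar.gz | tar xz` installs a floating drone-runner-exec build into /usr/local/bin, and the container itself uses the floating `image = "debian"` tag. Pinning the installer and runner to a fixed release and checking a digest before `sh install` / `tar xz` (e.g. `echo "<expected-sha256>  drone_runner_exec_linux_amd64.tar.gz" | sha256sum -c`) would make the runner reproducible and reject a tampered download. Separately, `runnerEnvironment` is declared with `default = {}` but no `type`, so a wrong value is only rejected deep inside the oci-containers module; `type = types.attrsOf types.str;` matches what `environment` presumably expects there. The `\\$nix_user_config_file` escapes also look suspect: a Nix `''` string passes `\\` through literally, so bash sees `\\$nix_user_config_file` and, if I read it right, yields a path beginning with a backslash, which is worth checking so that trusted-settings.json really lands under /home/build.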
@@ -1,105 +0,0 @@ -{ lib, config, pkgs, self, ... }: - -with lib; -let - bootstrap = pkgs.writeScript "bootstrap.sh" '' - #!/usr/bin/env bash - - set -e - - apt update - apt install --yes curl git sudo xz-utils - - adduser --system --uid 999 build - chown build /nix - - sudo -u build curl -L https://nixos.org/nix/install > install - sudo -u build sh install - - echo "export PATH=/nix/var/nix/profiles/per-user/build/profile/bin:''$PATH" >> /etc/profile - - mkdir /etc/nix - echo 'experimental-features = nix-command flakes' >> /etc/nix/nix.conf - - export nix_user_config_file="/home/build/.local/share/nix/trusted-settings.json" - mkdir -p $(dirname \\$nix_user_config_file) - echo '{"extra-experimental-features":{"nix-command flakes":true},"extra-substituters":{"https://nix-dram.cachix.org https://dram.cachix.org https://nrdxp.cachix.org https://nix-community.cachix.org":true},"extra-trusted-public-keys":{"nix-dram.cachix.org-1:CKjZ0L1ZiqH3kzYAZRt8tg8vewAx5yj8Du/+iR8Efpg= dram.cachix.org-1:baoy1SXpwYdKbqdTbfKGTKauDDeDlHhUpC+QuuILEMY= nrdxp.cachix.org-1:Fc5PSqY2Jm1TrWfm88l6cvGWwz3s93c6IOifQWnhNW4= nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=":true}}' > \\$nix_user_config_file - chown -R build /home/build/ - - curl -L https://github.com/drone-runners/drone-runner-exec/releases/latest/download/drone_runner_exec_linux_amd64.tar.gz | tar xz - sudo install -t /usr/local/bin drone-runner-exec - - if [ ! -f /run/vars ]; then - exit 1 - fi - - cp -a /run/vars /run/runtime-vars - env | grep "DRONE" >> /run/runtime-vars - - su - -s /bin/bash build sh -c "/usr/local/bin/drone-runner-exec daemon /run/runtime-vars" - ''; - psCfg = config.pub-solar; - cfg = config.pub-solar.docker-ci-runner; -in -{ - options.pub-solar.docker-ci-runner = { - enable = lib.mkEnableOption "Enables a docker container running a drone exec runner as unprivileged user."; - - enableKvm = lib.mkOption { - description = '' - Enable kvm support. 
- ''; - default = true; - type = types.bool; - }; - - nixCacheLocation = lib.mkOption { - description = '' - Location of nix cache that is shared between builds - ''; - type = types.path; - }; - - runnerEnvironment = lib.mkOption { - description = '' - Additional environment vars added to the vars file on container runtime - ''; - default = {}; - }; - - runnerVarsFile = lib.mkOption { - description = '' - Location of vars file passed to drone runner - ''; - type = types.path; - }; - }; - - config = lib.mkIf cfg.enable { - virtualisation = { - docker = { - enable = true; # sadly podman is not supported rightnow - }; - - oci-containers = { - backend = "docker"; - containers."drone-exec-runner" = { - image = "debian"; - autoStart = true; - entrypoint = "bash"; - cmd = [ "/bootstrap.sh" ]; - - volumes = [ - "${cfg.runnerVarsFile}:/run/vars" - "${cfg.nixCacheLocation}:/nix" - "${bootstrap}:/bootstrap.sh" - ]; - - environment = cfg.runnerEnvironment; - - extraOptions = lib.mkIf cfg.enableKvm [ "--device=/dev/kvm" ]; - }; - }; - }; - }; -}