From 0b229a771e846893e759cd4102172e60a541d439 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Benjamin=20B=C3=A4dorf?=
Date: Sat, 13 Aug 2022 20:38:41 +0200
Subject: [PATCH 1/4] Barebones ci-runner module This adds a barebones CI-runner module with the following option: `pub-solar.ci-runner.enable` If enabled, this will start a systemd service on boot that runs `drone-runner-exec`. The configuration expects you to have a file called `secrets/drone-runner-exec-config` handled by agenix that gets put into `/run/agenix/drone-runner-exec-config` and is owned by root. This file should contain a configuration similar to the following: ``` CLIENT_DRONE_RPC_PROTO=https CLIENT_DRONE_RPC_HOST=drone.company.com CLIENT_DRONE_RPC_SECRET=super-duper-secret ```
---
modules/ci-runner/default.nix | 35 +++++++++++++++++++++++++++++++++++
1 file changed, 35 insertions(+)
create mode 100644 modules/ci-runner/default.nix
diff --git a/modules/ci-runner/default.nix b/modules/ci-runner/default.nix
new file mode 100644
index 0000000..28325b1
--- /dev/null
+++ b/modules/ci-runner/default.nix
@@ -0,0 +1,35 @@
+{ lib, config, pkgs, self, ... }:
+with lib;
+let
+ psCfg = config.pub-solar;
+ cfg = config.pub-solar.ci-runner;
+in
+{
+ options.pub-solar.ci-runner = {
+ enable = mkEnableOption "Enables a systemd service that runs drone-ci-runner";
+ };
+
+ config = mkIf cfg.enable {
+ systemd.services.ci-runner = {
+ enable = true;
+
+ description = "CI runner for the PubSolarOS repository that can run test VM instances with KVM.";
+
+ serviceConfig = {
+ Type = "simple";
+ Restart = "always";
+ };
+
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network.target" "libvirtd.service" ];
+
+ script = ''${pkgs.drone-runner-exec}/bin/drone-runner-exec daemon /run/agenix/drone-runner-exec-config'';
+ };
+
+ age.secrets."drone-runner-exec-config" = {
+ file = "${self}/secrets/drone-runner-exec-config";
+ mode = "700";
+ owner = "root";
+ };
+ };
+}
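Review bot: The `age.secrets."drone-runner-exec-config"` block at the end of the new file installs the RPC secret with `mode = "700";`, which sets execute bits on a file that is only passed to `drone-runner-exec daemon` as a config file. Owner-read is enough, so `mode = "0400";` is the tighter choice. The same mode still appears as context in the later patches of this series, so it applies there too. Separately, `mkEnableOption` already prefixes its argument with "Whether to enable", so the option text reads better as `mkEnableOption "a systemd service that runs drone-runner-exec";`.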
From dc1e707925c25e96d4e1d83da9f4b86aa902f547 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Benjamin=20B=C3=A4dorf?= Date: Sat, 13 Aug 2022 22:31:30 +0200 Subject: [PATCH 2/4] Move ci-runner to user and add git, virsh and nix to path --- modules/ci-runner/default.nix | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/modules/ci-runner/default.nix b/modules/ci-runner/default.nix index 28325b1..4db4228 100644 --- a/modules/ci-runner/default.nix +++ b/modules/ci-runner/default.nix @@ -10,7 +10,7 @@ in }; config = mkIf cfg.enable { - systemd.services.ci-runner = { + systemd.user.services.ci-runner = { enable = true; description = "CI runner for the PubSolarOS repository that can run test VM instances with KVM."; @@ -20,6 +20,8 @@ in Restart = "always"; }; + path = "${pkgs.git}/bin:${pkgs.nix}/bin:${pkgs.libvirt}/bin"; + wantedBy = [ "multi-user.target" ]; after = [ "network.target" "libvirtd.service" ]; @@ -29,7 +31,7 @@ in age.secrets."drone-runner-exec-config" = { file = "${self}/secrets/drone-runner-exec-config"; mode = "700"; - owner = "root"; + owner = psCfg.user.name; }; }; } From 2ca921b4a3ada5c4eda5908da88ce3776cfe3292 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Benjamin=20B=C3=A4dorf?= Date: Sun, 14 Aug 2022 20:24:50 +0200 Subject: [PATCH 3/4] Fix path in drone runner exec --- modules/ci-runner/default.nix | 6 +++++- pkgs/drone-docker-runner.nix | 2 +- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/modules/ci-runner/default.nix b/modules/ci-runner/default.nix index 4db4228..1460ab1 100644 --- a/modules/ci-runner/default.nix +++ b/modules/ci-runner/default.nix @@ -20,7 +20,11 @@ in Restart = "always"; }; - path = "${pkgs.git}/bin:${pkgs.nix}/bin:${pkgs.libvirt}/bin"; + path = [ + pkgs.git + pkgs.nix + pkgs.libvirt + ]; wantedBy = [ "multi-user.target" ]; after = [ "network.target" "libvirtd.service" ]; diff --git a/pkgs/drone-docker-runner.nix b/pkgs/drone-docker-runner.nix index cf6dc80..25de349 100644 
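Review bot: Switching to `systemd.user.services.ci-runner` in the `@@ -10,7` hunk, together with `owner = psCfg.user.name;` in the `@@ -29,7` hunk, makes the runner execute pipeline steps as what appears to be the interactive login account. The last patch configures home-manager and sway for the same user. The exec runner runs steps directly on the host without container isolation, so every job the Drone server dispatches can read that user's home directory and keys and reach libvirt. A dedicated unprivileged account on a system unit would limit that exposure. For example, with a constructed account name: `serviceConfig.User = "ci-runner";`, `serviceConfig.NoNewPrivileges = true;`, and the secret's `owner` set to match. It would also help to document in the module that only trusted repositories should be routed to this runner.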
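Review bot: The context lines `wantedBy = [ "multi-user.target" ];` and `after = [ "network.target" "libvirtd.service" ];` in the `@@ -20,6` hunk are carried over from the system unit and no longer fit a user unit. A systemd user manager has its own unit set and does not see system units such as `multi-user.target` or `libvirtd.service`. The service is therefore unlikely to start on its own, and the libvirtd ordering has no effect. For a user unit the usual form is `wantedBy = [ "default.target" ];`. If the runner must start at boot without a login session, lingering or a system unit with an explicit `User` is needed.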
--- a/pkgs/drone-docker-runner.nix +++ b/pkgs/drone-docker-runner.nix @@ -6,7 +6,7 @@ self: with self; '' --env=DRONE_RPC_PROTO=$DRONE_RPC_PROTO \ --env=DRONE_RPC_HOST=$DRONE_RPC_HOST \ --env=DRONE_RPC_SECRET=$(${self.libsecret}/bin/secret-tool lookup drone rpc-secret) \ - --env=DRONE_RUNNER_CAPACITY=4 \ + --env=DRONE_RUNNER_CAPACITY=8 \ --env=DRONE_RUNNER_NAME=$(${self.inetutils}/bin/hostname) \ --publish=30010:30010 \ --restart=always \ From 9f886ce51fa7237d3a774ae31594ff44bfc83874 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Benjamin=20B=C3=A4dorf?= Date: Sun, 14 Aug 2022 20:25:12 +0200 Subject: [PATCH 4/4] Working drone-exec-runner --- hosts/chocolatebar/chocolatebar.nix | 1 + secrets/drone-runner-exec-config | Bin 0 -> 2535 bytes secrets/secrets.nix | 2 ++ users/ben/home.nix | 2 +- 4 files changed, 4 insertions(+), 1 deletion(-) create mode 100644 secrets/drone-runner-exec-config diff --git a/hosts/chocolatebar/chocolatebar.nix b/hosts/chocolatebar/chocolatebar.nix index eb6efd7..a61e4c9 100644 --- a/hosts/chocolatebar/chocolatebar.nix +++ b/hosts/chocolatebar/chocolatebar.nix @@ -37,6 +37,7 @@ in owner = psCfg.user.name; }; pub-solar.sway.vnc.enable = true; + pub-solar.ci-runner.enable = true; home-manager.users."${psCfg.user.name}".xdg.configFile = mkIf psCfg.sway.enable { "sway/config.d/10-autostart.conf".source = ./.config/sway/config.d/autostart.conf; 
diff --git a/secrets/drone-runner-exec-config b/secrets/drone-runner-exec-config new file mode 100644 index 0000000000000000000000000000000000000000..0b7e2e90f9870e3a7e0d2c45b6afe91bfe3c335e GIT binary patch literal 2535 zcmXw)NeCnd6^4ZvBb5->@sNX#9>h?NU29jBprO{TrMvc}t0HQ3cWvFZuicef2#6xV z1wD9B5fMBHA!uACn2=!1ArOtrB@kmYIT$dWjHnT34s&~#_x{8CKK?L?u0`d(z0`eH zm7l2EWHG|PwNGE|y7XGxg;!4kXF)U|>V_0J#;nnj92#qMSQUa&d0vTT@}~9rbs1My z5z_l3eUiZJm^)=kxGKE{k>x^FQs4+{aEM#M*|eLKhx`j!$0v0Xy5Q8Tt4SYQXV}T- zxTsqh-4h&mtfR!A)Nm0DQ@h>+3?Z-2J6@PIWCN01jA$ytod$bd5xd&o#M^U~pfkME zRdg(Bn!e!6Ehgb7C(7bJ;d`JFr~wvv@t96kgid&R#E&Fohf9{WRyj@+5W^f77F+O~ zm}jfNmjw10TJb2OWlHf&fPnXmj(F8L6oS4`g;Rt>rya&Q+Te42kFi7`PACMGXNbvF z`-G=mJ+J4*L5uPQg^9qzgik5Bw3SnqUSP=&Q70D$#4!^#q|mKK?N@F{=n8sL*^MaR z0xcc4Z8HY$4%+YK7GT_NJbB6Lh$zf}fDT55f=Br!IT59tq2kCiZOtnlVQw#iJu9W< z?{l&t?IK|DN=O0C)`W;u9D*qQ{j$8Vzc0I)y+9Z%(WRj9pm2g=t<*e zLUHn~sRFD!K^LgbH3Rc6Mmw-6*v~q%WM*jXm(h7=6dS8fHoZyl87OQirDr=zPyDmH z*JYmr;B+AtCr+oz^AMaD1BQoagH`A{cCsT+q(K&x-dt}h0lUR-z1%T1_E?KBsN>j3an!IpeKXwLRezQ z{BesYDUO3ZH!C=$`-G?hn7m|oP}N9?IT@IgYh&JE){vg$G|Vu))Xljt=)j6tLoSaj zLY)t`oa3izwXcJXJpnP-Y@omcK z>{N=jO1?qc3>az&p+)>s7!=<^zMVUEIbbbB*jR)4^8%Y?aLKOO!R zcQ^s8)C!oP(Aff|H(Is}s(NrVQf*B(CW17URS`X|(YcP3TO8lA24O=|Nv?|JC=_RO z7I`-|ms=LCje;*l2IUU1CArv0Vu#w(S10tQHIs(qi(#_(l@}mfvkIWp@Dx}j*O23F zBQ(*Y&9};Ta&g;vk6(9Jw*?35Ho%J9b$O<#}4oBTDu$Nc&bmN;roeEX62% z%HgKI&k&d9#yyGydDrh)cvqU4^<*q7vK+@$mA4(0mqQ40)u@7paTJk2 zF459h1w$d8b3lYpI}}z2Sp~r@oKMXf#B-`cyvqudgypgBm(gPOwxpfVdk5U8#72Yk zJzUB2Xp;^BL_t_}zAvxw5WaNY+AR2~(kV+w{Gg9w&C1XmI#I@O&N78}g|eociDjjE zHd<1Z96(B)2;RmL)^Wmepv56R>?f=}+i`j1T~o`7bcjN6kDr^@Yo~JE5CpH{eOB`WgmFvwkIF_{L4?heEY9nedE~=z5D%N zd-b8G?t7{G^4-L1SNgl!>(BiBmA`H8yYd0sJ$?TN)bOSy-|-dfXNQk|`w9HR?|kx= zJKuZd`5*nVedvYTZcoPU`R1P6o|vC^U24J*B<=X zz51;mzUQC+z4y7-{}BE9Ge7y% literal 0 HcmV?d00001 diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 65b6ed9..dbd43e3 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix 
@@ -42,5 +42,7 @@ in "vnc-cert-chocolatebar.pem".publicKeys = chocolatebarKeys; "vnc-key-chocolatebar.pem".publicKeys = chocolatebarKeys; + "drone-runner-exec-config".publicKeys = allKeys; + "mopidy.conf".publicKeys = allKeys; } diff --git a/users/ben/home.nix b/users/ben/home.nix index 0aff38a..2298431 100644 --- a/users/ben/home.nix +++ b/users/ben/home.nix @@ -97,7 +97,7 @@ in mode = "700"; owner = "mopidy"; }; - services.mopidy.extraConfigFiles = [ "/run/secrets/mopidy.conf" ]; + services.mopidy.extraConfigFiles = [ "/run/agenix/mopidy.conf" ]; programs.ssh.extraConfig = " PubkeyAcceptedKeyTypes +ssh-rsa
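Review bot: `"drone-runner-exec-config".publicKeys = allKeys;` in the secrets/secrets.nix hunk lets every key in `allKeys` decrypt the Drone RPC secret. This series enables the runner only on chocolatebar, and the neighbouring VNC entries are scoped to `chocolatebarKeys`. If no other host is meant to run the runner, `"drone-runner-exec-config".publicKeys = chocolatebarKeys;` keeps the shared secret off machines that do not need it; the committed secret file would then have to be re-encrypted for the narrower recipient list. The definition of `allKeys` is outside the hunk, so confirm which hosts and users it covers.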