Merge pull request 'NixOS module for a drone ci runner in docker' (#147) from feature/add-module-to-run-kvm-capable-drone-runner-in-docker into main

Reviewed-on: pub-solar/os#147 Reviewed-by: b12f <hello@benjaminbaedorf.eu>
2023-01-30 01:09:23 +01:00 · 2023-01-30 01:09:23 +01:00 · a18a883500
parent 8422868ede 25ad234f2a
commit a18a883500
1 changed files with 106 additions and 0 deletions
--- a/modules/docker-ci-runner/default.nix
+++ b/modules/docker-ci-runner/default.nix
@ -0,0 +1,106 @@
+{ lib, config, pkgs, self, ... }:
+
+with lib;
+let
+  bootstrap = pkgs.writeScript "bootstrap.sh" ''
+    #!/usr/bin/env bash
+
+    set -e
+
+    apt update
+    apt install --yes curl git sudo xz-utils
+
+    adduser --system --uid 999 build
+    chown build /nix
+
+    sudo -u build curl -L https://nixos.org/nix/install > install
+    sudo -u build sh install
+
+    echo "export PATH=/nix/var/nix/profiles/per-user/build/profile/bin:''$PATH" >> /etc/profile
+
+    mkdir /etc/nix
+    echo 'experimental-features = nix-command flakes' >> /etc/nix/nix.conf
+
+    export nix_user_config_file="/home/build/.local/share/nix/trusted-settings.json"
+    mkdir -p $(dirname \\$nix_user_config_file)
+    echo '{"extra-experimental-features":{"nix-command flakes":true},"extra-substituters":{"https://nix-dram.cachix.org https://dram.cachix.org  https://nrdxp.cachix.org https://nix-community.cachix.org":true},"extra-trusted-public-keys":{"nix-dram.cachix.org-1:CKjZ0L1ZiqH3kzYAZRt8tg8vewAx5yj8Du/+iR8Efpg= dram.cachix.org-1:baoy1SXpwYdKbqdTbfKGTKauDDeDlHhUpC+QuuILEMY= nrdxp.cachix.org-1:Fc5PSqY2Jm1TrWfm88l6cvGWwz3s93c6IOifQWnhNW4= nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=":true}}' > \\$nix_user_config_file
+    chown -R build /home/build/
+
+    curl -L https://github.com/drone-runners/drone-runner-exec/releases/latest/download/drone_runner_exec_linux_amd64.tar.gz | tar xz
+    sudo install -t /usr/local/bin drone-runner-exec
+
+    if [ ! -f /run/vars ]; then
+      exit 1
+    fi
+
+    cp -a /run/vars /run/runtime-vars
+    env | grep "DRONE" >> /run/runtime-vars
+
+    su - -s /bin/bash build sh -c "/usr/local/bin/drone-runner-exec daemon /run/runtime-vars"
+  '';
+  psCfg = config.pub-solar;
+  cfg = config.pub-solar.docker-ci-runner;
+in
+{
+  options.pub-solar.docker-ci-runner = {
+    enable = lib.mkEnableOption "Enables a docker container running a drone exec runner as unprivileged user.";
+
+    enableKvm = lib.mkOption {
+      description = ''
+        Enable kvm support.
+      '';
+      default = true;
+      type = types.bool;
+    };
+
+    nixCacheLocation = lib.mkOption {
+      description = ''
+        Location of nix cache that is shared between builds
+      '';
+      default = "/var/lib/docker-ci-runner";
+      type = types.path;
+    };
+
+    runnerEnvironment = lib.mkOption {
+      description = ''
+        Additional environment vars added to the vars file on container runtime
+      '';
+      default = {};
+    };
+
+    runnerVarsFile = lib.mkOption {
+      description = ''
+        Location of vars file passed to drone runner
+      '';
+      type = types.path;
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    virtualisation = {
+      docker = {
+        enable = true; # sadly podman is not supported rightnow
+      };
+
+      oci-containers = {
+        backend = "docker";
+        containers."drone-exec-runner" = {
+          image = "debian";
+          autoStart = true;
+          entrypoint = "bash";
+          cmd = [ "/bootstrap.sh" ];
+
+          volumes = [
+            "${cfg.runnerVarsFile}:/run/vars"
+            "${cfg.nixCacheLocation}:/nix"
+            "${bootstrap}:/bootstrap.sh"
+          ];
+
+          environment = cfg.runnerEnvironment;
+
+          extraOptions = lib.mkIf cfg.enableKvm [ "--device=/dev/kvm" ];
+        };
+      };
+    };
+  };
+}