diff --git a/.forgejo/workflows/check.yml b/.forgejo/workflows/check.yml
index 0034e9ef..09688329 100644
--- a/.forgejo/workflows/check.yml
+++ b/.forgejo/workflows/check.yml
@@ -24,26 +24,48 @@ jobs:
echo "hash=$(md5sum flake.lock | awk '{print $1}')" >> $GITHUB_OUTPUT
- name: Restore and cache Nix store
- uses: https://github.com/nix-community/cache-nix-action@v5
+ uses: https://github.com/nix-community/cache-nix-action@v4.0.3
id: nix-store-cache
with:
- primary-key: cache-${{ runner.os }}-nix-store-${{ steps.flake-lock-hash.outputs.hash }}
- restore-prefixes-first-match: |
+ key: cache-${{ runner.os }}-nix-store-${{ steps.flake-lock-hash.outputs.hash }}
+ restore-keys: |
cache-${{ runner.os }}-nix-store-
gc-linux: true
gc-max-store-size-linux: 10000000000
- purge: true
- purge-prefixes: cache-${{ runner.os }}-nix-store-
- purge-created: 42
+ purge-caches: true
+ purge-key: cache-${{ runner.os }}-nix-store-
+ purge-created: true
+ purge-created-max-age: 42
- name: Prepare cachix
uses: https://github.com/cachix/cachix-action@v14
with:
name: pub-solar
authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
+ useDaemon: false
- name: Run flake checks
run: |
+ # Prevent cache garbage collection by creating GC roots
+ for target in $(nix flake show --json --all-systems | jq '
+ .["nixosConfigurations"] |
+ to_entries[] |
+ .key
+ ' | tr -d '"'
+ ); do
+ nix --print-build-logs --verbose --accept-flake-config --access-tokens '' \
+ build --out-link ./result-$target ".#nixosConfigurations.${target}.config.system.build.toplevel"
+ done
nix --print-build-logs --verbose --accept-flake-config --access-tokens '' flake check
+
+ # Add GC roots for flake inputs, too
+ # https://github.com/NixOS/nix/issues/4250#issuecomment-1146878407
+ mkdir --parents "$NIX_USER_PROFILE_DIR"
+ gc_root_prefix="$NIX_USER_PROFILE_DIR"/infra-flake-
+ echo "Adding gcroots flake inputs with prefix $gc_root_prefix ..."
+ nix flake archive --json 2>/dev/null | jq --raw-output '.inputs | to_entries[] | "ln --force --symbolic --no-target-directory "+.value.path+" \"'"$gc_root_prefix"'"+.key+"\""' | while read -r line; do
+ eval "$line"
+ done
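Review bot: The GC-root loop at the end of the `run:` block assembles a shell command string inside jq and then `eval`s it, so the nested quoting around `$gc_root_prefix`, each input name and each store path is the only thing keeping flake-input metadata from being interpreted as shell; the names come from this repository's own flake.lock, so the exposure is small, but the `eval` is not needed at all. Emitting a tab-separated `name<TAB>path` pair from jq and calling `ln` directly in the loop removes both the eval and the quote-escaping, as sketched below. The same step also discards `nix flake archive` stderr with `2>/dev/null`, so a failing archive silently produces zero GC roots and the purge/gc settings above may then evict exactly what the step meant to protect; dropping the redirect (or checking the pipeline status) would surface that. Separately, the `uses:` lines reference third-party actions by mutable tag (`@v4.0.3`, `@v14`); pinning each to a commit SHA with the tag in a trailing comment is the usual supply-chain hardening for workflows. The step's enclosing job starts outside this hunk.

```yaml
      - name: Run flake checks
        run: |
          # … unchanged: GC roots for nixosConfigurations, flake check …
          mkdir --parents "$NIX_USER_PROFILE_DIR"
          gc_root_prefix="$NIX_USER_PROFILE_DIR"/infra-flake-
          echo "Adding gcroots flake inputs with prefix $gc_root_prefix ..."
          # One "<name>\t<path>" pair per input; link directly instead of eval-ing a generated command
          nix flake archive --json \
            | jq --raw-output '.inputs | to_entries[] | "\(.key)\t\(.value.path)"' \
            | while IFS=$'\t' read -r input_name store_path; do
                ln --force --symbolic --no-target-directory "$store_path" "${gc_root_prefix}${input_name}"
              done
```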
diff --git a/hosts/flora-6/apps/forgejo-actions-runner.nix b/hosts/flora-6/apps/forgejo-actions-runner.nix
index d3f6aeb7..045f0c24 100644
--- a/hosts/flora-6/apps/forgejo-actions-runner.nix
+++ b/hosts/flora-6/apps/forgejo-actions-runner.nix
@@ -13,16 +13,43 @@
# Needed for the docker runner to communicate with the act_runner cache
networking.firewall.trustedInterfaces = [ "br-+" ];
+ users.users.gitea-runner = {
+ home = "/var/lib/gitea-runner/flora-6";
+ useDefaultShell = true;
+ group = "gitea-runner";
+ isSystemUser = true;
+ };
+
+ users.groups.gitea-runner = {};
+
+ systemd.services."gitea-runner-flora\\x2d6".serviceConfig = {
+ DynamicUser = lib.mkForce false;
+ };
+
+ systemd.tmpfiles.rules = [
+ "d '/data/gitea-actions-runner' 0750 gitea-runner gitea-runner - -"
+ "d '/var/lib/gitea-runner' 0750 gitea-runner gitea-runner - -"
+ ];
+
# forgejo actions runner
# https://forgejo.org/docs/latest/admin/actions/
# https://docs.gitea.com/usage/actions/quickstart
services.gitea-actions-runner = {
- package = pkgs.forgejo-actions-runner;
+ package = pkgs.forgejo-runner;
instances."flora-6" = {
enable = true;
name = config.networking.hostName;
url = "https://git.pub.solar";
tokenFile = config.age.secrets.forgejo-actions-runner-token.path;
+ settings = {
+ cache = {
+ enabled = true;
+ dir = "/data/gitea-actions-runner/actcache";
+ host = "";
+ port = 0;
+ external_server = "";
+ };
+ };
labels = [
# provide a debian 12 bookworm base with Node.js for actions
"debian-latest:docker://git.pub.solar/pub-solar/actions-base-image:20-bookworm"
diff --git a/overlays/default.nix b/overlays/default.nix
index 6b81e38d..74cf4094 100644
--- a/overlays/default.nix
+++ b/overlays/default.nix
@@ -13,6 +13,7 @@
}; in {
+ forgejo-runner = unstable.forgejo-runner;
element-themes = prev.callPackage ./pkgs/element-themes { inherit (inputs) element-themes; };
}) ];
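Review bot: `DynamicUser = lib.mkForce false;` on the `gitea-runner-flora\\x2d6` unit also removes the sandboxing that DynamicUser implies (ProtectSystem=strict, ProtectHome=read-only, PrivateTmp, RemoveIPC), and nothing in the hunk puts it back; unless the upstream module already sets them explicitly, add them to the same `serviceConfig`, e.g. `ProtectSystem = "strict";`, `PrivateTmp = true;`, `ReadWritePaths = [ "/var/lib/gitea-runner" "/data/gitea-actions-runner" ];`, extending ReadWritePaths to whatever else the runner actually writes (such as the container socket it drives). The switch to a static `gitea-runner` user carries no comment; the motivation is presumably a stable owner for the act cache on `/data`, so a line such as `# Static user: the act cache under /data must keep a stable uid/gid across restarts` above `users.users.gitea-runner` would record it (confirm against the module's defaults). The new cache block leaves `host = ""` and `port = 0`, which presumably lets act_runner pick its own bind address and port; combined with the `br-+` trusted-interface rule visible in context, every bridge-attached container can reach that cache, and the existing "Needed for the docker runner" comment is the natural place to state that reachability and whether the cache enforces any access control. The enclosing module attribute set starts and ends outside this hunk.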