From e71cbfc461be25732f0f32fd5aa724753303b478 Mon Sep 17 00:00:00 2001
From: teutat3s
Date: Wed, 29 May 2024 17:45:23 +0200
Subject: [PATCH] ci: add self-hosted forgejo-actions-runner wip: add git.pub.solar to /etc/hosts ci: add devshell with Node.js for forgejo actions ci: add PATH ci: add HOME
---
 .forgejo/workflows/check.yml | 38 +++-------------
 flake.nix | 5 +++
 hosts/tankstelle/configuration.nix | 2 +
 hosts/tankstelle/default.nix | 1 +
 hosts/tankstelle/forgejo-actions-runner.nix | 33 ++++++++++++++
 modules/core/networking.nix | 1 +
 secrets/secrets.nix | 4 ++
 ...ankstelle-forgejo-actions-runner-token.age | 43 +++++++++++++++++++
 8 files changed, 96 insertions(+), 31 deletions(-)
 create mode 100644 hosts/tankstelle/forgejo-actions-runner.nix
 create mode 100644 secrets/tankstelle-forgejo-actions-runner-token.age
diff --git a/.forgejo/workflows/check.yml b/.forgejo/workflows/check.yml
index fc6ec376..e4dcbb1a 100644
--- a/.forgejo/workflows/check.yml
+++ b/.forgejo/workflows/check.yml
@@ -1,44 +1,20 @@
 name: Flake checks
 on: [pull_request]
 env:
- USER: ci
+ PATH: /run/current-system/sw/bin
+ HOME: /var/lib/gitea-runner/tankstelle
 jobs:
 Check:
- runs-on: ubuntu-latest
+ runs-on: self-hosted
 steps:
+ - name: Enter ci devshell
+ run: |
+ nix --accept-flake-config --access-tokens '' develop .#ci
+ - name: Check out repository code
 uses: https://code.forgejo.org/actions/checkout@v4
- - uses: https://github.com/nixbuild/nix-quick-install-action@v27
- with:
- load_nixConfig: false
- nix_conf: |
- substituters = https://cache.nixos.org/ https://nix-community.cachix.org
- trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=
- keep-outputs = true
-
- - name: Calculate flake.lock hash
- id: flake-lock-hash
- run: |
- echo "hash=$(md5sum flake.lock | awk '{print $1}')" >> $GITHUB_OUTPUT
-
- - name: Restore and cache Nix store
- uses: https://github.com/nix-community/cache-nix-action@v4.0.3
- id: nix-store-cache
- with:
- key: cache-${{ runner.os }}-nix-store-${{ steps.flake-lock-hash.outputs.hash }}
- restore-keys: |
- cache-${{ runner.os }}-nix-store-
-
- gc-linux: true
- gc-max-store-size-linux: 10000000000
-
- purge-caches: true
- purge-key: cache-${{ runner.os }}-nix-store-
- purge-created: true
- purge-created-max-age: 42
-
 - name: Prepare cachix
 uses: https://github.com/cachix/cachix-action@v14
 with:
diff --git a/flake.nix b/flake.nix
index 0f6d830c..44b34740 100644
--- a/flake.nix
+++ b/flake.nix
@@ -91,6 +91,11 @@
 jq
 ];
 };
+ devShells.ci = pkgs.mkShell {
+ buildInputs = with pkgs; [
+ nodejs
+ ];
+ };
 };
 flake =
diff --git a/hosts/tankstelle/configuration.nix b/hosts/tankstelle/configuration.nix
index 73f3b907..c207fdb9 100644
--- a/hosts/tankstelle/configuration.nix
+++ b/hosts/tankstelle/configuration.nix
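Review bot: The `Enter ci devshell` step runs `nix develop .#ci` as its own step before the checkout, so its environment is gone by the time the next step starts (each `run:` is a separate shell) and on a clean workspace there is no flake in the working directory to evaluate yet; if the goal is to give the JavaScript actions a `node` on the host runner, the binary has to be reachable through the `PATH` this workflow now pins to `/run/current-system/sw/bin` (i.e. installed on the host), or the later `run:` steps should be wrapped as `nix develop .#ci --command <cmd>`. `on: [pull_request]` together with `runs-on: self-hosted` also means every pull request that triggers this workflow executes directly on tankstelle — the runner is registered with a `host://` label in hosts/tankstelle/forgejo-actions-runner.nix, so there is no container boundary between PR code and the host; restrict which repositories and contributors may reach this runner, or give it a container-backed label. Overriding `HOME` and `PATH` at workflow `env:` level affects every step including the checkout action, which deserves a one-line comment such as `# runner is a bare NixOS host: pin PATH/HOME so actions find system tools and the runner's state dir`. The job's remaining steps continue outside the hunk.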
@@ -13,5 +13,7 @@
 boot.loader.systemd-boot.enable = true;
 boot.loader.efi.canTouchEfiVariables = true;
+ boot.binfmt.emulatedSystems = ["aarch64-linux"];
+
 system.stateVersion = "23.11";
 }
diff --git a/hosts/tankstelle/default.nix b/hosts/tankstelle/default.nix
index 845d466c..724a1fc4 100644
--- a/hosts/tankstelle/default.nix
+++ b/hosts/tankstelle/default.nix
@@ -6,6 +6,7 @@
 ./configuration.nix
 ./networking.nix
+ ./forgejo-actions-runner.nix
 #./wireguard.nix
 #./backups.nix
 ];
diff --git a/hosts/tankstelle/forgejo-actions-runner.nix b/hosts/tankstelle/forgejo-actions-runner.nix
new file mode 100644
index 00000000..501e42a7
--- /dev/null
+++ b/hosts/tankstelle/forgejo-actions-runner.nix
@@ -0,0 +1,33 @@
+{
+ config,
+ lib,
+ pkgs,
+ flake,
+ ...
+}:
+{
+ age.secrets.tankstelle-forgejo-actions-runner-token = {
+ file = "${flake.self}/secrets/tankstelle-forgejo-actions-runner-token.age";
+ mode = "440";
+ };
+
+ # Trust docker bridge interface traffic
+ # Needed for the docker runner to communicate with the act_runner cache
+ networking.firewall.trustedInterfaces = [ "br-+" ];
+
+ # forgejo actions runner
+ # https://forgejo.org/docs/latest/admin/actions/
+ # https://docs.gitea.com/usage/actions/quickstart
+ services.gitea-actions-runner = {
+ package = pkgs.forgejo-runner;
+ instances."tankstelle" = {
+ enable = true;
+ name = config.networking.hostName;
+ url = "https://git.pub.solar";
+ tokenFile = config.age.secrets.tankstelle-forgejo-actions-runner-token.path;
+ labels = [
+ "self-hosted:host://-self-hosted"
+ ];
+ };
+ };
+}
diff --git a/modules/core/networking.nix b/modules/core/networking.nix
index 765fdd43..73548970 100644
--- a/modules/core/networking.nix
+++ b/modules/core/networking.nix
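Review bot: `networking.firewall.trustedInterfaces = [ "br-+" ]` in the new forgejo-actions-runner.nix opens the firewall to every bridge interface for the sake of a docker-based runner, yet the only label registered is `self-hosted:host://-self-hosted`, which runs jobs directly on the host without docker; the rule widens the exposed surface for nothing and its comment no longer matches the config, so drop it until a `docker://` label actually exists or scope it to the one bridge that needs it. The `host://` label means each job runs with the runner service's user and full access to the host, and .forgejo/workflows/check.yml in this same commit triggers on `pull_request`, so anyone who can open a PR against a repository allowed to use this runner gets host-level execution — worth stating in a comment above `labels` and mitigating (container label, or limiting the runner to trusted repositories). `mode = "440"` without `owner`/`group` leaves the decrypted token readable by root only; whether the runner can consume `tokenFile` that way depends on how the NixOS module reads it (presumably via systemd as root, and it may expect `TOKEN=...` env-file syntax rather than a bare token — verify against the module), so add `# NOTE: tokenFile format and ownership must match what services.gitea-actions-runner expects` next to it.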
@@ -28,6 +28,7 @@
 networking.firewall.interfaces.wg-ssh.allowedTCPPorts = [ 22 ];
 networking.hosts = {
+ "138.201.80.102" = [ "git.${config.pub-solar-os.networking.domain}" ];
 "10.7.6.1" = [ "nachtigall.${config.pub-solar-os.networking.domain}" ];
 "10.7.6.2" = [ "flora-6.${config.pub-solar-os.networking.domain}" ];
 };
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 36202b56..6ed622dd 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -3,6 +3,7 @@ let
 nachtigall-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP7G0ufi+MNvaAZLDgpieHrABPGN7e/kD5kMFwSk4ABj root@nachtigall";
 flora-6-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGP1InpTBN4AlF/4V8HHumAMLJzeO8DpzjUv9Co/+J09 root@flora-6";
+ tankstelle-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJdF6cJKPDiloWiDja1ZtqkXDdXOCHPs10HD+JMzgeU4 root@tankstelle";
 adminKeys = builtins.foldl' (
 keys: login: keys ++ (builtins.attrValues login.secretEncryptionKeys)
@@ -10,6 +11,8 @@ let
 nachtigallKeys = [ nachtigall-host ];
+ tankstelleKeys = [ tankstelle-host ];
+
 flora6Keys = [ flora-6-host ];
 in
 {
@@ -29,6 +32,7 @@ in
 "keycloak-database-password.age".publicKeys = nachtigallKeys ++ adminKeys;
 "forgejo-actions-runner-token.age".publicKeys = flora6Keys ++ adminKeys;
+ "tankstelle-forgejo-actions-runner-token.age".publicKeys = tankstelleKeys ++ adminKeys;
 "forgejo-database-password.age".publicKeys = nachtigallKeys ++ adminKeys;
 "forgejo-mailer-password.age".publicKeys = nachtigallKeys ++ adminKeys;
 "forgejo-ssh-private-key.age".publicKeys = nachtigallKeys ++ adminKeys;
diff --git a/secrets/tankstelle-forgejo-actions-runner-token.age b/secrets/tankstelle-forgejo-actions-runner-token.age
new file mode 100644
index 00000000..915b0d73
--- /dev/null
+++ b/secrets/tankstelle-forgejo-actions-runner-token.age
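Review bot: The new `networking.hosts` entry pins `git.${config.pub-solar-os.networking.domain}` to `138.201.80.102` in modules/core/networking.nix, which by its path looks like a module applied to every host rather than only to the tankstelle runner; a static hosts override bypasses DNS fleet-wide and will silently break git access if that address ever changes. The commit message itself marks this `wip`, and the neighbouring entries are private 10.7.6.x addresses while this one is a public IP, so it does not fit the purpose of the existing block. If the runner genuinely needs it, move the entry into hosts/tankstelle/ next to the runner configuration and add a comment such as `# static override for the CI runner; remove once <reason it is needed> no longer applies` so it does not outlive its purpose.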
@@ -0,0 +1,43 @@ +age-encryption.org/v1 +-> ssh-ed25519 1X0eLA g7MuhjaILdtN30lT0abiBuT2i2SxE4wzwHffPMbPaxA +5iZOxlFLUaKUhqvGSiyyVy7jrbGcN8Q4DX4xXImDDZM +-> ssh-ed25519 uYcDNw NUtdv3ykepvWklorbni0lMPb31hpHDhVktV6AkqY0Fs +anEK08Yr7WY6xmovVJjxXqy/Z47CU6sUFs/1tZHqHos +-> ssh-rsa f5THog +nCjbVlM7V+AT20HSV7Z9miLlFzVRruxIrPavIrDNLRLnjDn8dkgu2ZnymnXHf9El +GA/tmjF86OKCCOS7AjdSZ0RZIjgOfU/EseWdmaaS5iR6PjDJmuJuGtCwDKloddwO +wS2VeU3tQzF6ayGPFirWYQVOwMCVahe6DB3d+ataXSprhb9DtMxAb7FQ07zl3rrO +VXE82wA4qnwWyLAvZ96XdXYGBpO2vzxEgYzXa1gbHEY38BMUgELyhJJX0c2hEVwv +jT7h4ex4NUK3f3t2JXw/Waz5hHpRYFuzF7u4rZjXZbiW0sgcXHZKF11AEUxASsUl +yul5EEaPI34ISnwpWWuPAuDBskQzgJooeKGi9bQDed8otLy33NxyYgtR1Av4x1cC +PjtkDxuvIooGp1uKgMFdoyWMB+pyd5MOeyqKXl0drTzILBET1quLBDuyAntvGriS +c8Cj05YpLEh/gmPZ3KzLyGaKcELL8YYco+NkUwr1LNe/OEMbHcLc9q5fVfsN5BYz +w1hQ24c8JGW1/1DFG+R0+MfcF4jFVyiqk9ctRlKqoA8dnFmkMDlK6ETj191y8baZ +DtMNPTOeLDmxFc3O0vjAWFV3Is5X3EupcS4hlLpeNCW1DXF4R2+cmBQOewfeafI4 +uVaMuNqTW60B+9j7c6asvSHcAVP8S6BTcrJiaLETiSU +-> ssh-rsa kFDS0A +ZBLNf1RAI2+dXsXR8ns3taqHIM2yqslWOvSUM93droVVN6fkq/O9QUx0f6iljQW6 +wRY2iqqjzBYs6kysf21jsryGGhhVNB70QAeGDZWoeB2YmpnlvMRumqqG6S77K6kc +D0oKXkuYx9J62BBI6gJk3+yJgEK3WHBvgBzD5rqgW2kJVWFLyU7C/rJH78UKvX2r +r4PDQCEeJ4wnRyV0ox4z3f0XfLoHiwXE2oWGgrfs6/+Pw3AKdENbbNVRIyrzJci4 +nhxDd1miMChsQylKnfB8C60J9rhVFfP0/G8EXqhi2KbHfPeC4fHPjUxVbi2v74Ag +NaRgxZOMpVPgGxlnHCz4ELuGn1LsMuBJCic/Z0PNMr86SC9hFnCyaWqXxKaYLj38 +USJq+F9RC7529En7XT+jOifDB29DS4GL8gCvwizd8j8wfeFm4w6qXS8rS5+9BbcD +Ghf1Zzmbdm0R2lO4aV/APyCyK5NW0k068T7V710x+KvyRREvChkYEN87VvK5kYcC +uYZvbcGJgMQrEiwVN11H2oxHPpj4oB7NiSb3mpDkaniXS5ijhEl10C6OzuEk1Hm2 +ybYXLspzlOZujVoGqrscoKTTzirvnO0B1YirPieTX6ym51rvnO6SPiT5bYGL5DNQ +E6PDUz5kOwD9IQyF/a88CxBg/BFqSrSlvli+bdgfM7c +-> piv-p256 vRzPNw AgAstuXfEQ+zPDSJmDRlieeY7h93S7AOX1LmWNZq8SOA +umkx7AnExb+OuxVtTnJsr0Vymhlt9PBYkRt+5FxgLA0 +-> piv-p256 zqq/iw A8mFVtYM8mpj1iBqeQfvGavOahp0oNsT3j1i5YDYDfD2 +dZrDkvAHopEFTQgCdUkDNHPjLVhMAO4YJJE+cLuaxd4 +-> ssh-ed25519 YFSOsg 4h3HGQqPiwWUJkgZP9eMuiKxoZq9+YCDqj5L28mdIBE 
+ppHBGJJzaf0fJZ24MZBRQ3v561f3J+CuDX7tatfD3G4 +-> ssh-ed25519 iHV63A rikUwY2DW9GQLopMcdPK8eZ1YjeKTp9z5cRqzDOs4mU +kYn3dNGNhIDr3KIPEFZZj9zsqHZn7JDT67jtdljOVyo +-> ssh-ed25519 BVsyTA 3GMMwNFuwx7ECwKWqS9GnIV5MuZY1jxi5KDKY1j3tSs +gWEkAMLnOI/7gKKfuJE3vU6+e6XpnNwQfIJQ0UFoC6w +-> ssh-ed25519 +3V2lQ YemOcrH319bbQJp+LnugOh2ed/Pwgfla+C3BU6cIaUQ +gFTDAi8TFTRCmGkcSN8lFJPQctHLUC75xl7oJOdsYuw +--- jd2QVeVcxn06ET1m3jMx8encjGlV51Vz7UO2MQq9weI +/LB$&q-]He\niT-zǵv2Nl^+Wj6 gieUk!mxW \ No newline at end of file