forgejo: add actions runner on trinkgenossin

teutat3s 2025-02-17 17:52:31 +01:00
parent 736856cea6
commit d5743d75e0
Signed by: teutat3s
GPG key ID: 4FA1D3FA524F22C1
4 changed files with 103 additions and 0 deletions


@ -7,6 +7,7 @@
./networking.nix
./wireguard.nix
./forgejo-actions-runner.nix
#./backups.nix
];
}


@ -0,0 +1,58 @@
{
config,
pkgs,
lib,
flake,
...
}:
let
hostname = config.networking.hostName;
in
{
age.secrets."forgejo-actions-runner-token.age" = {
file = "${flake.self}/secrets/trinkgenossin-forgejo-actions-runner-token.age";
mode = "440";
};
# Trust docker bridge interface traffic
# Needed for the docker runner to communicate with the act_runner cache
networking.firewall.trustedInterfaces = [ "br-+" ];
users.users.gitea-runner = {
home = "/var/lib/gitea-runner/${hostname}";
useDefaultShell = true;
group = "gitea-runner";
# Required to interact with nix daemon
extraGroups = [ "wheel" ];
isSystemUser = true;
};
users.groups.gitea-runner = { };
systemd.tmpfiles.rules = [ "d '/var/lib/gitea-runner' 0750 gitea-runner gitea-runner - -" ];
systemd.services."gitea-runner-${hostname}" = {
serviceConfig.DynamicUser = lib.mkForce false;
};
# forgejo actions runner
# https://forgejo.org/docs/latest/admin/actions/
# https://docs.gitea.com/usage/actions/quickstart
services.gitea-actions-runner = {
package = pkgs.forgejo-runner;
instances."${hostname}" = {
enable = true;
name = hostname;
url = "https://git.pub.solar";
tokenFile = config.age.secrets."forgejo-actions-runner-token.age".path;
labels = [
# provide a debian 12 bookworm base with Node.js for actions
"debian-latest:docker://git.pub.solar/pub-solar/actions-base-image:20-bookworm"
# fake the ubuntu name, commonly used in actions examples
"ubuntu-latest:docker://git.pub.solar/pub-solar/actions-base-image:20-bookworm"
# alpine with Node.js
"alpine-latest:docker://node:20-alpine"
];
};
};
}
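Review bot: `extraGroups = [ "wheel" ]` on `users.users.gitea-runner` puts the account the runner service presumably runs as (DynamicUser is forced off for it) into the host's administrative group, which is far broader than the stated need to interact with the nix daemon. If daemon access is restricted on this host (that setting is not visible in this section), a narrower grant is to drop `wheel` and add `nix.settings.allowed-users = [ "gitea-runner" ];`, which merges with other definitions of that list. The same least-privilege concern applies to `networking.firewall.trustedInterfaces = [ "br-+" ]`: it exempts every Docker bridge from the host firewall, so job containers can reach all host-local ports rather than only the act_runner cache. Consider `networking.firewall.interfaces."br-+".allowedTCPPorts = [ <cache-port> ];` with the cache bound to a fixed port. The `labels` entries reference mutable tags (`20-bookworm`, `node:20-alpine`), so pinning the images by digest would stop the job environment from changing without a commit here.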


@ -60,6 +60,7 @@ in
"keycloak-database-password.age".publicKeys = nachtigallKeys ++ adminKeys;
"tankstelle-forgejo-actions-runner-token.age".publicKeys = tankstelleKeys ++ adminKeys;
"trinkgenossin-forgejo-actions-runner-token.age".publicKeys = trinkgenossinKeys ++ adminKeys;
"forgejo-database-password.age".publicKeys = nachtigallKeys ++ adminKeys;
"forgejo-mailer-password.age".publicKeys = nachtigallKeys ++ adminKeys;
"forgejo-ssh-private-key.age".publicKeys = nachtigallKeys ++ adminKeys;


@ -0,0 +1,43 @@
age-encryption.org/v1
-> ssh-ed25519 NID4eA G60TNVhWvI+QzXInAd8kg8j0+EE1cR+6atLIiw1VyDs
KCBzEW/BYOof8NBZcr12iMddmd5Tig8YuGIG6jGG1pg
-> ssh-ed25519 uYcDNw mqqw6npuWLyo++kS8jR/5Q6lfL6li9AM3obvA+nXSRg
8WKsgwSxkgRDDZfGIMqbEhZHFVDQEcn7Sfe2rwIIvDY
-> ssh-rsa f5THog
Ili0z1+VgwarPNwCFymp0e6slngNzePjqxrIGpwKyN2o4nVnlxDfSFz0CShdBIRf
IzOFJmxjjAfSFMvC79py9lb9mP1fcLx08TKMHQUHZY0yjSPtpN94dVTVPOtXVcB0
PTeUUD/95Toij0JNhkS95TAcd95h6ha5SH0OtcojqAKqRKZSymR1zWNh64KG50tr
OE2uHCySjHGPQ+mczguKfSO1803yuG+ACf9GJmykXIPhi9AY6AuQOfOvvBoe883z
YKhPbbhfQ2gI9JmQdRb43vznGIjbG++EDuSpbNBWcLpKuOGbNvZTKzDHFFvu/wau
nKAg+SsIGwS5jyYSPG6w0JA2i54u0GcbJJep1aqnvZHmgV2FZ/QXOCe7G4tnHguP
QyHaTk4c0sWW+qS+3mDvctpUGpIr/By4xg5txNSiO7kG2cKkLfU34bmaL3kE91RU
qvyUSu0qSoq40HKQfj+DUyJ4qKb4Nj3fabY2l9oQr+ztp1yZuQd9A+wvzOvcKw8G
PWCHkRT7DLsa9DqsZvOGDWpV99OHH43xUszq8kezO+bygTQkdqrBB/0z74WfcUl/
D6TPx6VMS3UWiMWHMknwSwmqffSK0TT3q0CxwFl45JhRKSp3tUM4dfRa11PEBkbU
5fWizRSBqrTdHabwU4bhsUi45SGxfPT0oEc1xHpx7g8
-> ssh-rsa kFDS0A
L9sqpzeiodEU1RVAmkqdqGWyOU3sSTy6ncNWA8P0CRlOakDTqJNbZf/XzfbT0SSN
AA2wZ37+bdWAR64aW0wugbUQOhnhzDoSpxqIxT77eucc3I+tP+cwyNo5hRXHRe68
T8qjBxG8iGSdqgzQ+Tkskfy38A6bV6zhUDpBNTeXY3UdtyxgjicLq5WZ0Yx38e+1
/wdqpTC/OOJpnTb60s1iR5zAgeqh0y/QR2iGqYyt3h1nt2LRru4iUPa/9rPqSrVu
f35HeHQEEYTdWFyqc6PM0753f75mtg5EAj1mdv4o1TAoYf0ck2AGSbLSNEJCh+GU
hu20PVEG8OwbB8IvwE3DH2Qt8MXSDS3+6hiLyXJbK5U58Tm+h51B7MISCSOw9S0S
8ctDipFxYZwc7PAckEHndDl8OYe2yp9W5j0gwTyHV1so9hwEpXEHJ1abgUlBAQGI
Lm2J2C4/hz5oyzAIkOiYzkJ7gBiVZi8wI97EXiq0BFGvmdkn1VLn3XtTYahXdNzi
Gz4vp5J9NLhtJhrETkcX4r0EUYv+j4er3RNALvWzlTmZ3EEoA4ptugGF8SLweiZX
zZrWcE/moeilnC8bmzf1hnCOwE6fQHWultbZbPKQNbim1BrZC6C8bvYiFY1AkR/W
UDjSRA7Hydb2wqGkElDdjRk7Ezbth5sA3sZManG01XM
-> piv-p256 vRzPNw AxYR6N9jLofIa1qwSR9Ft7N9ITC01Us0uPwjQHx6YqTG
rRuEsVxmefZ1EZcH6lbUSvPEKsNGA0KnLCrHDng8gGM
-> piv-p256 zqq/iw As0et/SUsQcWKnGWCaEHs8Al3o7hghcIhAlttuUEmJTw
pXIrNBmaNq6DZ27F8vASQIOCqEQMA/AWkl4Jtcbasdo
-> ssh-ed25519 YFSOsg xC7ALIoz9Shq+6AFye6OUenRhsHXKvKNCpz8RjEbxVE
PVUuHJVa/BSASGS7JUE6lHYop8tAi+LOkJo/iDNatHQ
-> ssh-ed25519 iHV63A zKjNyuhtPAMTyd+9jGYaD4wkx4NO8MlDGw+cHqg+8Fo
8Zlli5FfeSM862nKQVe8hBpl3dEozghw6Tnw+/xCD38
-> ssh-ed25519 BVsyTA 2LOd7Ef2fIDA1UC0bob18itdA6MaIng1onJPVYrRnV4
Lkm42Jw4N+442LsFUSyIhnlvFySfeHbS42OhHv6wCPU
-> ssh-ed25519 +3V2lQ 0xjkyKGk+tCmBgYOrDfnK3Pq+++ZcbUCTtdCJEmgXkU
1BqLJpq7z85P0thWO1IY4ZfHCbHRSOMdKIyfUs3QI5c
--- kht+vkycoDy8VjM63ohrTYHSfNz15+UzrNEVirhbMsk
ülóÉQÙÌ*qGâqJ°bWúPD2ê yÚaÐó]ëÎâ!Ð^<5E>%€<>ã³!v_3…ž™à€ùâïpÉèr#ÈzÔåIÝd