From c86e22b2921af41440b9a46b02152f01efcdc1e1 Mon Sep 17 00:00:00 2001 From: teutat3s Date: Tue, 23 Apr 2024 00:38:53 +0200 Subject: [PATCH 1/8] ci: update forgejo-runner to version 3.4.1 https://github.com/NixOS/nixpkgs/pull/301383 --- hosts/flora-6/apps/forgejo-actions-runner.nix | 2 +- overlays/default.nix | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/hosts/flora-6/apps/forgejo-actions-runner.nix b/hosts/flora-6/apps/forgejo-actions-runner.nix index d3f6aeb..891d778 100644 --- a/hosts/flora-6/apps/forgejo-actions-runner.nix +++ b/hosts/flora-6/apps/forgejo-actions-runner.nix @@ -17,7 +17,7 @@ # https://forgejo.org/docs/latest/admin/actions/ # https://docs.gitea.com/usage/actions/quickstart services.gitea-actions-runner = { - package = pkgs.forgejo-actions-runner; + package = pkgs.forgejo-runner; instances."flora-6" = { enable = true; name = config.networking.hostName; diff --git a/overlays/default.nix b/overlays/default.nix index 6b81e38..74cf409 100644 --- a/overlays/default.nix +++ b/overlays/default.nix @@ -13,6 +13,7 @@ }; in { + forgejo-runner = unstable.forgejo-runner; element-themes = prev.callPackage ./pkgs/element-themes { inherit (inputs) element-themes; }; }) ]; From 0e7dc95250105c0012cde1ab192f9499bda4ecc7 Mon Sep 17 00:00:00 2001 From: teutat3s Date: Tue, 23 Apr 2024 01:14:14 +0200 Subject: [PATCH 2/8] ci: remove broken purge config from check workflow --- .forgejo/workflows/check.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/.forgejo/workflows/check.yml b/.forgejo/workflows/check.yml index 0034e9e..f11a65b 100644 --- a/.forgejo/workflows/check.yml +++ b/.forgejo/workflows/check.yml @@ -34,10 +34,6 @@ jobs: gc-linux: true gc-max-store-size-linux: 10000000000 - purge: true - purge-prefixes: cache-${{ runner.os }}-nix-store- - purge-created: 42 - - name: Prepare cachix uses: https://github.com/cachix/cachix-action@v14 with: From d5fe65b60dd145b85f6f3fd2590b19d3bdd1c95d Mon Sep 17 00:00:00 2001 
From: teutat3s Date: Tue, 23 Apr 2024 02:18:10 +0200 Subject: [PATCH 3/8] ci: disable cachix daemon, spams logs with [2024-04-22 23:46:26][Info] Skipping /nix/store/w2zp8k8yy2avv5r92w0cpq9aixkir2sp-LocalSettings.php ... --- .forgejo/workflows/check.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.forgejo/workflows/check.yml b/.forgejo/workflows/check.yml index f11a65b..0a088ff 100644 --- a/.forgejo/workflows/check.yml +++ b/.forgejo/workflows/check.yml @@ -34,11 +34,17 @@ jobs: gc-linux: true gc-max-store-size-linux: 10000000000 + purge: true + purge-prefixes: cache-${{ runner.os }}-nix-store- + purge-created: 42 + purge-primary-key: never + - name: Prepare cachix uses: https://github.com/cachix/cachix-action@v14 with: name: pub-solar authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}' + useDaemon: false - name: Run flake checks run: | From c4d0d34807f98ab49d86c9c96d150d98ee8e6124 Mon Sep 17 00:00:00 2001 From: teutat3s Date: Tue, 23 Apr 2024 12:03:16 +0200 Subject: [PATCH 4/8] ci: revert cache-nix-action to version 4.0.3 --- .forgejo/workflows/check.yml | 23 ++++++++++++++++------- 1 file changed, 16 insertions(+), 7 deletions(-) diff --git a/.forgejo/workflows/check.yml b/.forgejo/workflows/check.yml index 0a088ff..5b75527 100644 --- a/.forgejo/workflows/check.yml +++ b/.forgejo/workflows/check.yml 
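Review bot: With `useDaemon: false` the cachix-action post step pushes every store path the job produced, so the job's push authority now rests entirely on `CACHIX_AUTH_TOKEN`; the workflow's trigger is outside this hunk, so confirm the job cannot run with that secret on pull requests from untrusted forks, otherwise any contributor could push arbitrary paths into the `pub-solar` cache. The new `purge-created: 42` also carries no unit: if cache-nix-action counts seconds here, as I read its inputs, every earlier cache with the prefix is deleted on each run, which may be intended but is not obvious from the value. Suggested: `purge-created: 42  # seconds; keeps only the cache saved by this run`.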
@@ -24,20 +24,20 @@ jobs: echo "hash=$(md5sum flake.lock | awk '{print $1}')" >> $GITHUB_OUTPUT - name: Restore and cache Nix store - uses: https://github.com/nix-community/cache-nix-action@v5 + uses: https://github.com/nix-community/cache-nix-action@v4.0.3 id: nix-store-cache with: - primary-key: cache-${{ runner.os }}-nix-store-${{ steps.flake-lock-hash.outputs.hash }} - restore-prefixes-first-match: | + key: cache-${{ runner.os }}-nix-store-${{ steps.flake-lock-hash.outputs.hash }} + restore-keys: | cache-${{ runner.os }}-nix-store- gc-linux: true gc-max-store-size-linux: 10000000000 - purge: true - purge-prefixes: cache-${{ runner.os }}-nix-store- - purge-created: 42 - purge-primary-key: never + purge-caches: true + purge-key: cache-${{ runner.os }}-nix-store- + purge-created: true + purge-created-max-age: 42 - name: Prepare cachix uses: https://github.com/cachix/cachix-action@v14 @@ -49,3 +49,12 @@ jobs: - name: Run flake checks run: | nix --print-build-logs --verbose --accept-flake-config --access-tokens '' flake check + # Prevent cache garbage collection + for target in $(nix flake show --json --all-systems | jq ' + .["nixosConfigurations"] | + to_entries[] | + .key + ' | tr -d '"' + ); do + nix profile install --profile "/nix/var/nix/profiles/$target" ".#nixosConfigurations.${target}.config.system.build.toplevel" + done From 9541e5029ee4bbfd7275265e5b1d82638ee9ab96 Mon Sep 17 00:00:00 2001 From: teutat3s Date: Tue, 23 Apr 2024 14:50:48 +0200 Subject: [PATCH 5/8] flora-6: move forgejo-runner cache directory to /data --- hosts/flora-6/apps/forgejo-actions-runner.nix | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/hosts/flora-6/apps/forgejo-actions-runner.nix b/hosts/flora-6/apps/forgejo-actions-runner.nix index 891d778..6dc25da 100644 --- a/hosts/flora-6/apps/forgejo-actions-runner.nix +++ b/hosts/flora-6/apps/forgejo-actions-runner.nix 
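Review bot: `purge-created-max-age: 42` has no unit and the hunk gives no reason for the value; if the v4.0.3 action measures this in seconds, as I read its input description, every cache matching `purge-key` older than 42 seconds is purged on every run, so there is never more than the cache this run saves. If a retention window was intended, make it explicit, e.g. `purge-created-max-age: 604800  # 7 days, in seconds`; if the aggressive purge is deliberate, say so in a comment so the next reader does not "fix" it. The `restore-keys` prefix fallback means a run restores whatever cache with that prefix is newest, regardless of the branch that produced it; worth a note if this runner serves branches with differing trust.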
@@ -13,6 +13,9 @@ # Needed for the docker runner to communicate with the act_runner cache networking.firewall.trustedInterfaces = [ "br-+" ]; + systemd.services."gitea-runner-flora\\x2d6".serviceConfig = { + CacheDirectory = "/data/gitea-actions-runner"; + }; # forgejo actions runner # https://forgejo.org/docs/latest/admin/actions/ # https://docs.gitea.com/usage/actions/quickstart @@ -23,6 +26,15 @@ name = config.networking.hostName; url = "https://git.pub.solar"; tokenFile = config.age.secrets.forgejo-actions-runner-token.path; + settings = { + cache = { + enabled = true; + dir = "/data/gitea-actions-runner/actcache"; + host = ""; + port = 0; + external_server = ""; + }; + }; labels = [ # provide a debian 12 bookworm base with Node.js for actions "debian-latest:docker://git.pub.solar/pub-solar/actions-base-image:20-bookworm" From fa9ce9d4356569f9e35aee8be78f16deba47dff8 Mon Sep 17 00:00:00 2001 From: teutat3s Date: Tue, 23 Apr 2024 15:42:33 +0200 Subject: [PATCH 6/8] gitea-actions-runner: don't run as systemd DynamicUser to enable usage of cache outside of /var/lib/private --- hosts/flora-6/apps/forgejo-actions-runner.nix | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) diff --git a/hosts/flora-6/apps/forgejo-actions-runner.nix b/hosts/flora-6/apps/forgejo-actions-runner.nix index 6dc25da..045f0c2 100644 --- a/hosts/flora-6/apps/forgejo-actions-runner.nix +++ b/hosts/flora-6/apps/forgejo-actions-runner.nix 
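Review bot: The built-in cache server switched on by `cache.enabled = true` is reachable from every job container (the `br-+` trusted-interface rule in context opens the firewall for all docker bridges), and as far as I can tell this runner version does no per-job or per-repository authentication on it, so any job the runner executes can read and overwrite cache entries seen by every other job. That is acceptable if only trusted repositories run on flora-6; if untrusted pull requests can reach it, cached Nix store archives become a poisoning vector into later builds. Record the assumption next to the block, e.g. `# actcache has no auth: every job on this runner shares one read/write cache`, and prefer `external_server` pointing at an authenticated cache if the trust model changes. Note that `host` here is the address announced to job containers, not a bind address, so it does not limit exposure.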
@@ -13,9 +13,24 @@ # Needed for the docker runner to communicate with the act_runner cache networking.firewall.trustedInterfaces = [ "br-+" ]; - systemd.services."gitea-runner-flora\\x2d6".serviceConfig = { - CacheDirectory = "/data/gitea-actions-runner"; + users.users.gitea-runner = { + home = "/var/lib/gitea-runner/flora-6"; + useDefaultShell = true; + group = "gitea-runner"; + isSystemUser = true; }; + + users.groups.gitea-runner = {}; + + systemd.services."gitea-runner-flora\\x2d6".serviceConfig = { + DynamicUser = lib.mkForce false; + }; + + systemd.tmpfiles.rules = [ + "d '/data/gitea-actions-runner' 0750 gitea-runner gitea-runner - -" + "d '/var/lib/gitea-runner' 0750 gitea-runner gitea-runner - -" + ]; + # forgejo actions runner # https://forgejo.org/docs/latest/admin/actions/ # https://docs.gitea.com/usage/actions/quickstart From 60aef1d03844072fab7d9d68c8a10340fe4f0bff Mon Sep 17 00:00:00 2001 From: teutat3s Date: Tue, 23 Apr 2024 16:00:16 +0200 Subject: [PATCH 7/8] ci: prevent nix garbage collection --- .forgejo/workflows/check.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/.forgejo/workflows/check.yml b/.forgejo/workflows/check.yml index 5b75527..f18c8bd 100644 --- a/.forgejo/workflows/check.yml +++ b/.forgejo/workflows/check.yml 
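Review bot: `DynamicUser = lib.mkForce false` drops more than the ephemeral UID: DynamicUser=yes implies, among others, ProtectSystem=strict, ProtectHome=read-only, PrivateTmp, RemoveIPC and NoNewPrivileges, and nothing in this hunk re-adds them, so the runner now has only whatever sandboxing the module sets explicitly (the module's serviceConfig is outside this hunk; please check it). Re-add the hardening next to the mkForce, e.g. `ProtectSystem = "strict"; ReadWritePaths = [ "/data/gitea-actions-runner" "/var/lib/gitea-runner" ]; PrivateTmp = true; NoNewPrivileges = true;`, adjusting `ReadWritePaths` to what the runner actually writes. Separately, `useDefaultShell = true` gives a service account an interactive login shell it has no use for; the `isSystemUser` default of nologin is the safer choice unless something here needs a shell.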
@@ -48,13 +48,14 @@ jobs: - name: Run flake checks run: | - nix --print-build-logs --verbose --accept-flake-config --access-tokens '' flake check - # Prevent cache garbage collection + # Prevent cache garbage collection by creating GC roots for target in $(nix flake show --json --all-systems | jq ' .["nixosConfigurations"] | to_entries[] | .key ' | tr -d '"' ); do - nix profile install --profile "/nix/var/nix/profiles/$target" ".#nixosConfigurations.${target}.config.system.build.toplevel" + nix --print-build-logs --verbose --accept-flake-config --access-tokens '' \ + build --out-link ./result-$target ".#nixosConfigurations.${target}.config.system.build.toplevel" done + nix --print-build-logs --verbose --accept-flake-config --access-tokens '' flake check From c580fe0fbbe9af298b4d6d4a925b70ad574c6ae5 Mon Sep 17 00:00:00 2001 From: teutat3s Date: Tue, 23 Apr 2024 16:32:11 +0200 Subject: [PATCH 8/8] ci: prevent flake inputs from GC as well --- .forgejo/workflows/check.yml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/.forgejo/workflows/check.yml b/.forgejo/workflows/check.yml index f18c8bd..0968832 100644 --- a/.forgejo/workflows/check.yml +++ b/.forgejo/workflows/check.yml @@ -58,4 +58,14 @@ jobs: nix --print-build-logs --verbose --accept-flake-config --access-tokens '' \ build --out-link ./result-$target ".#nixosConfigurations.${target}.config.system.build.toplevel" done + nix --print-build-logs --verbose --accept-flake-config --access-tokens '' flake check + + # Add GC roots for flake inputs, too + # https://github.com/NixOS/nix/issues/4250#issuecomment-1146878407 + mkdir --parents "$NIX_USER_PROFILE_DIR" + gc_root_prefix="$NIX_USER_PROFILE_DIR"/infra-flake- + echo "Adding gcroots flake inputs with prefix $gc_root_prefix ..." + nix flake archive --json 2>/dev/null | jq --raw-output '.inputs | to_entries[] | "ln --force --symbolic --no-target-directory "+.value.path+" \"'"$gc_root_prefix"'"+.key+"\""' | while read -r line; do + eval "$line" + done
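Review bot: `for target in $(... | tr -d '"')` relies on unquoted word splitting and globbing of the jq output and strips quotes with `tr`, which would also mangle any name containing a `"`; `jq --raw-output` and a `while read` loop avoid both. Replace the loop head with `nix flake show --json --all-systems | jq --raw-output '.nixosConfigurations | keys[]' | while read -r target; do` and quote the out-link as `--out-link "./result-$target"`, leaving the body unchanged. Moving the builds ahead of `flake check` is what creates the GC roots, but it also means a build failure now fails the job before `flake check` reports anything; a one-line comment stating that ordering is deliberate would help.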
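Review bot: The new loop builds shell commands inside jq and runs them through `eval`, so the input names and paths from `nix flake archive` become code; a flake input whose name contains a quote, `$(` or a backtick in `flake.nix` would execute on the runner. Pass the values as data instead: `nix flake archive --json | jq --raw-output '.inputs | to_entries[] | "\(.value.path)\t\(.key)"' | while IFS=$'\t' read -r path name; do` / `ln --force --symbolic --no-target-directory "$path" "$gc_root_prefix$name"` / `done`. Dropping `2>/dev/null` also keeps fetch errors from `nix flake archive` visible; with the pipe, the step only fails on them if the shell runs with `pipefail`, which the runner's default shell may set but is not visible here. Only top-level inputs get roots; transitive inputs under `.inputs[].inputs` are not covered, which matches the linked snippet but is worth a comment.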