2024-05-31 14:49:21 +00:00
8 changed files with 96 additions and 31 deletions
--- a/.forgejo/workflows/check.yml
+++ b/.forgejo/workflows/check.yml
@ -1,44 +1,20 @@
 name: Flake checks
 on: [pull_request]
 env:
-  USER: ci
+  PATH: /run/current-system/sw/bin
+  HOME: /var/lib/gitea-runner/tankstelle

 jobs:
  Check:
-    runs-on: ubuntu-latest
+    runs-on: self-hosted
    steps:
+      - name: Enter ci devshell
+        run: |
+          nix --accept-flake-config --access-tokens '' develop .#ci
+
      - name: Check out repository code
        uses: https://code.forgejo.org/actions/checkout@v4

-      - uses: https://github.com/nixbuild/nix-quick-install-action@v27
-        with:
-          load_nixConfig: false
-          nix_conf: |
-            substituters = https://cache.nixos.org/ https://nix-community.cachix.org
-            trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=
-            keep-outputs = true
-
-      - name: Calculate flake.lock hash
-        id: flake-lock-hash
-        run: |
-          echo "hash=$(md5sum flake.lock | awk '{print $1}')" >> $GITHUB_OUTPUT
-
-      - name: Restore and cache Nix store
-        uses: https://github.com/nix-community/cache-nix-action@v4.0.3
-        id: nix-store-cache
-        with:
-          key: cache-${{ runner.os }}-nix-store-${{ steps.flake-lock-hash.outputs.hash }}
-          restore-keys: |
-            cache-${{ runner.os }}-nix-store-
-
-          gc-linux: true
-          gc-max-store-size-linux: 10000000000
-
-          purge-caches: true
-          purge-key: cache-${{ runner.os }}-nix-store-
-          purge-created: true
-          purge-created-max-age: 42
-
      - name: Prepare cachix
        uses: https://github.com/cachix/cachix-action@v14
        with:
--- a/flake.nix
+++ b/flake.nix
@ -91,6 +91,11 @@
              jq
            ];
          };
+          devShells.ci = pkgs.mkShell {
+            buildInputs = with pkgs; [
+              nodejs
+            ];
+          };
        };

      flake =
--- a/hosts/tankstelle/configuration.nix
+++ b/hosts/tankstelle/configuration.nix
@ -13,5 +13,7 @@
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;

+  boot.binfmt.emulatedSystems = ["aarch64-linux"];
+
  system.stateVersion = "23.11";
 }
--- a/hosts/tankstelle/default.nix
+++ b/hosts/tankstelle/default.nix
@ -6,6 +6,7 @@
    ./configuration.nix

    ./networking.nix
+    ./forgejo-actions-runner.nix
    #./wireguard.nix
    #./backups.nix
  ];
--- a/hosts/tankstelle/forgejo-actions-runner.nix
+++ b/hosts/tankstelle/forgejo-actions-runner.nix
@ -0,0 +1,33 @@
+{
+  config,
+  lib,
+  pkgs,
+  flake,
+  ...
+}:
+{
+  age.secrets.tankstelle-forgejo-actions-runner-token = {
+    file = "${flake.self}/secrets/tankstelle-forgejo-actions-runner-token.age";
+    mode = "440";
+  };
+
+  # Trust docker bridge interface traffic
+  # Needed for the docker runner to communicate with the act_runner cache
+  networking.firewall.trustedInterfaces = [ "br-+" ];
+
+  # forgejo actions runner
+  # https://forgejo.org/docs/latest/admin/actions/
+  # https://docs.gitea.com/usage/actions/quickstart
+  services.gitea-actions-runner = {
+    package = pkgs.forgejo-runner;
+    instances."tankstelle" = {
+      enable = true;
+      name = config.networking.hostName;
+      url = "https://git.pub.solar";
+      tokenFile = config.age.secrets.tankstelle-forgejo-actions-runner-token.path;
+      labels = [
+        "self-hosted:host://-self-hosted"
+      ];
+    };
+  };
+}
--- a/modules/core/networking.nix
+++ b/modules/core/networking.nix
@ -28,6 +28,7 @@
    networking.firewall.interfaces.wg-ssh.allowedTCPPorts = [ 22 ];

    networking.hosts = {
+      "138.201.80.102" = [ "git.${config.pub-solar-os.networking.domain}" ];
      "10.7.6.1" = [ "nachtigall.${config.pub-solar-os.networking.domain}" ];
      "10.7.6.2" = [ "flora-6.${config.pub-solar-os.networking.domain}" ];
    };
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -3,6 +3,7 @@ let

  nachtigall-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP7G0ufi+MNvaAZLDgpieHrABPGN7e/kD5kMFwSk4ABj root@nachtigall";
  flora-6-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGP1InpTBN4AlF/4V8HHumAMLJzeO8DpzjUv9Co/+J09 root@flora-6";
+  tankstelle-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJdF6cJKPDiloWiDja1ZtqkXDdXOCHPs10HD+JMzgeU4 root@tankstelle";

  adminKeys = builtins.foldl' (
    keys: login: keys ++ (builtins.attrValues login.secretEncryptionKeys)
@ -10,6 +11,8 @@ let

  nachtigallKeys = [ nachtigall-host ];

+  tankstelleKeys = [ tankstelle-host ];
+
  flora6Keys = [ flora-6-host ];
 in
 {
@ -29,6 +32,7 @@ in
  "keycloak-database-password.age".publicKeys = nachtigallKeys ++ adminKeys;

  "forgejo-actions-runner-token.age".publicKeys = flora6Keys ++ adminKeys;
+  "tankstelle-forgejo-actions-runner-token.age".publicKeys = tankstelleKeys ++ adminKeys;
  "forgejo-database-password.age".publicKeys = nachtigallKeys ++ adminKeys;
  "forgejo-mailer-password.age".publicKeys = nachtigallKeys ++ adminKeys;
  "forgejo-ssh-private-key.age".publicKeys = nachtigallKeys ++ adminKeys;
--- a/secrets/tankstelle-forgejo-actions-runner-token.age
+++ b/secrets/tankstelle-forgejo-actions-runner-token.age
@ -0,0 +1,43 @@
+age-encryption.org/v1
+-> ssh-ed25519 1X0eLA g7MuhjaILdtN30lT0abiBuT2i2SxE4wzwHffPMbPaxA
+5iZOxlFLUaKUhqvGSiyyVy7jrbGcN8Q4DX4xXImDDZM
+-> ssh-ed25519 uYcDNw NUtdv3ykepvWklorbni0lMPb31hpHDhVktV6AkqY0Fs
+anEK08Yr7WY6xmovVJjxXqy/Z47CU6sUFs/1tZHqHos
+-> ssh-rsa f5THog
+nCjbVlM7V+AT20HSV7Z9miLlFzVRruxIrPavIrDNLRLnjDn8dkgu2ZnymnXHf9El
+GA/tmjF86OKCCOS7AjdSZ0RZIjgOfU/EseWdmaaS5iR6PjDJmuJuGtCwDKloddwO
+wS2VeU3tQzF6ayGPFirWYQVOwMCVahe6DB3d+ataXSprhb9DtMxAb7FQ07zl3rrO
+VXE82wA4qnwWyLAvZ96XdXYGBpO2vzxEgYzXa1gbHEY38BMUgELyhJJX0c2hEVwv
+jT7h4ex4NUK3f3t2JXw/Waz5hHpRYFuzF7u4rZjXZbiW0sgcXHZKF11AEUxASsUl
+yul5EEaPI34ISnwpWWuPAuDBskQzgJooeKGi9bQDed8otLy33NxyYgtR1Av4x1cC
+PjtkDxuvIooGp1uKgMFdoyWMB+pyd5MOeyqKXl0drTzILBET1quLBDuyAntvGriS
+c8Cj05YpLEh/gmPZ3KzLyGaKcELL8YYco+NkUwr1LNe/OEMbHcLc9q5fVfsN5BYz
+w1hQ24c8JGW1/1DFG+R0+MfcF4jFVyiqk9ctRlKqoA8dnFmkMDlK6ETj191y8baZ
+DtMNPTOeLDmxFc3O0vjAWFV3Is5X3EupcS4hlLpeNCW1DXF4R2+cmBQOewfeafI4
+uVaMuNqTW60B+9j7c6asvSHcAVP8S6BTcrJiaLETiSU
+-> ssh-rsa kFDS0A
+ZBLNf1RAI2+dXsXR8ns3taqHIM2yqslWOvSUM93droVVN6fkq/O9QUx0f6iljQW6
+wRY2iqqjzBYs6kysf21jsryGGhhVNB70QAeGDZWoeB2YmpnlvMRumqqG6S77K6kc
+D0oKXkuYx9J62BBI6gJk3+yJgEK3WHBvgBzD5rqgW2kJVWFLyU7C/rJH78UKvX2r
+r4PDQCEeJ4wnRyV0ox4z3f0XfLoHiwXE2oWGgrfs6/+Pw3AKdENbbNVRIyrzJci4
+nhxDd1miMChsQylKnfB8C60J9rhVFfP0/G8EXqhi2KbHfPeC4fHPjUxVbi2v74Ag
+NaRgxZOMpVPgGxlnHCz4ELuGn1LsMuBJCic/Z0PNMr86SC9hFnCyaWqXxKaYLj38
+USJq+F9RC7529En7XT+jOifDB29DS4GL8gCvwizd8j8wfeFm4w6qXS8rS5+9BbcD
+Ghf1Zzmbdm0R2lO4aV/APyCyK5NW0k068T7V710x+KvyRREvChkYEN87VvK5kYcC
+uYZvbcGJgMQrEiwVN11H2oxHPpj4oB7NiSb3mpDkaniXS5ijhEl10C6OzuEk1Hm2
+ybYXLspzlOZujVoGqrscoKTTzirvnO0B1YirPieTX6ym51rvnO6SPiT5bYGL5DNQ
+E6PDUz5kOwD9IQyF/a88CxBg/BFqSrSlvli+bdgfM7c
+-> piv-p256 vRzPNw AgAstuXfEQ+zPDSJmDRlieeY7h93S7AOX1LmWNZq8SOA
+umkx7AnExb+OuxVtTnJsr0Vymhlt9PBYkRt+5FxgLA0
+-> piv-p256 zqq/iw A8mFVtYM8mpj1iBqeQfvGavOahp0oNsT3j1i5YDYDfD2
+dZrDkvAHopEFTQgCdUkDNHPjLVhMAO4YJJE+cLuaxd4
+-> ssh-ed25519 YFSOsg 4h3HGQqPiwWUJkgZP9eMuiKxoZq9+YCDqj5L28mdIBE
+ppHBGJJzaf0fJZ24MZBRQ3v561f3J+CuDX7tatfD3G4
+-> ssh-ed25519 iHV63A rikUwY2DW9GQLopMcdPK8eZ1YjeKTp9z5cRqzDOs4mU
+kYn3dNGNhIDr3KIPEFZZj9zsqHZn7JDT67jtdljOVyo
+-> ssh-ed25519 BVsyTA 3GMMwNFuwx7ECwKWqS9GnIV5MuZY1jxi5KDKY1j3tSs
+gWEkAMLnOI/7gKKfuJE3vU6+e6XpnNwQfIJQ0UFoC6w
+-> ssh-ed25519 +3V2lQ YemOcrH319bbQJp+LnugOh2ed/Pwgfla+C3BU6cIaUQ
+gFTDAi8TFTRCmGkcSN8lFJPQctHLUC75xl7oJOdsYuw
+--- jd2QVeVcxn06ET1m3jMx8encjGlV51Vz7UO2MQq9weI
+/L‡ÿµB$ž<08>&q-] îÿŽHe\niT¤Àˆ-z„‚Çµ·—v2Nl^à+äÁÁÈõWjç6
®gieUÑk!—ÚÖÁú’³ïámxWõÌ