From 50614131d23cc712b65dc2177ddcdacf22ca8b9c Mon Sep 17 00:00:00 2001
From: teutat3s
Date: Mon, 30 Oct 2023 02:14:52 +0100
Subject: [PATCH] flora-6: disable migrated services, enable ci runner for forgejo actions
https://forgejo.org/docs/latest/admin/actions
---
hosts/flora-6/caddy.nix | 131 +----------------------
hosts/flora-6/flora-6.nix | 16 +-
hosts/flora-6/forgejo-actions-runner.nix | 35 ++++++
overlays/overrides.nix | 1 +
secrets/forgejo-actions-runner-token.age | 21 ++++
secrets/secrets.nix | 1 +
6 files changed, 69 insertions(+), 136 deletions(-)
create mode 100644 hosts/flora-6/forgejo-actions-runner.nix
create mode 100644 secrets/forgejo-actions-runner-token.age
diff --git a/hosts/flora-6/caddy.nix b/hosts/flora-6/caddy.nix
index b5767853..1b45adde 100644
--- a/hosts/flora-6/caddy.nix
+++ b/hosts/flora-6/caddy.nix
@@ -4,24 +4,8 @@
 pkgs,
 self,
 ...
-}: let
- maintenanceMode = {
- logFormat = lib.mkForce ''
- output discard
- '';
- extraConfig = ''
- root * /srv/www/pub.solar
-
- error * "Scheduled Maintenance" 503
-
- handle_errors {
- root * /srv/www/pub.solar
- rewrite * /maintenance/index.html
- file_server
- }
- '';
- };
-in {
+}:
+{
 systemd.tmpfiles.rules = [
 "d '/data/srv/www/os/download/' 0750 hakkonaut hakkonaut - -"
 ];
@@ -35,88 +19,6 @@ in {
 grace_period 60s
 '';
 virtualHosts = {
- "pub.solar" = {
- logFormat = lib.mkForce ''
- output discard
- '';
- extraConfig = ''
- # Named matcher, used below for Mastodon webfinger
- @query query resource=*
-
- # PubSolarOS images
- handle /os/download/* {
- root * /data/srv/www
- file_server /os/download/* browse
- }
- # serve base domain pub.solar for mastodon.pub.solar
- # https://masto.host/mastodon-usernames-different-from-the-domain-used-for-installation/
- handle /.well-known/host-meta {
- redir https://mastodon.pub.solar{uri}
- }
-
- # Tailscale OIDC webfinger requirement plus Mastodon webfinger redirect
- handle /.well-known/webfinger {
- # Redirect requests that match /.well-known/webfinger?resource=* to Mastodon
- handle @query {
- redir https://mastodon.pub.solar{uri}
- }
- respond 200 {
- body `{
- "subject": "acct:admins@pub.solar",
- "links": [
- {
- "rel": "http://openid.net/specs/connect/1.0/issuer",
- "href": "https://auth.pub.solar/realms/pub.solar"
- }
- ]
- }`
- }
- }
-
- # redirect to statutes
- redir /satzung https://cloud.pub.solar/s/2tRCP9aZFCiWxQy temporary
-
- # pub.solar website
- handle {
- root * /srv/www/pub.solar
- try_files {path}.html {path}
- file_server
- }
- # minimal error handling, respond with status code and text
- handle_errors {
- respond "{http.error.status_code} {http.error.status_text}"
- }
- '';
- };
- "www.pub.solar" = {
- logFormat = lib.mkForce ''
- output discard
- '';
- extraConfig = ''
- redir https://pub.solar{uri}
- '';
- };
-
- "mastodon.pub.solar" = maintenanceMode;
-
- "auth.pub.solar" = {
- logFormat = lib.mkForce ''
- output discard
- '';
- extraConfig = ''
- redir / /realms/pub.solar/account temporary
- reverse_proxy :8080
- '';
- };
- "git.pub.solar" = {
- logFormat = lib.mkForce ''
- output discard
- '';
- extraConfig = ''
- redir /user/login /user/oauth2/keycloak temporary
- reverse_proxy :3000
- '';
- };
 "ci.pub.solar" = {
 logFormat = lib.mkForce ''
 output discard
@@ -125,35 +27,6 @@ in {
 reverse_proxy :4000
 '';
 };
- "stream.pub.solar" = {
- logFormat = lib.mkForce ''
- output discard
- '';
- extraConfig = ''
- reverse_proxy :5000
- '';
- };
- "list.pub.solar" = {
- logFormat = lib.mkForce ''
- output discard
- '';
- extraConfig = ''
- handle_path /static/* {
- root * /var/lib/mailman-web-static
- file_server
- }
-
- reverse_proxy :18507
- '';
- };
- "collabora.pub.solar" = {
- logFormat = lib.mkForce ''
- output discard
- '';
- extraConfig = ''
- reverse_proxy :9980
- '';
- };
 "obs-portal.pub.solar" = {
 logFormat = lib.mkForce ''
 output discard
diff --git a/hosts/flora-6/flora-6.nix b/hosts/flora-6/flora-6.nix
index 00b0b8bf..ec401f59 100644
--- a/hosts/flora-6/flora-6.nix
+++ b/hosts/flora-6/flora-6.nix
@@ -17,21 +17,23 @@ in {
 ./caddy.nix
 ./drone.nix
- ./keycloak.nix
- ./gitea.nix
- ./mailman.nix
- ./owncast.nix
- ./collabora.nix
+ # Disable services migrated to nachtigall.pub.solar
+ #./keycloak.nix
+ #./gitea.nix
+ #./mailman.nix
+ #./owncast.nix
+ #./collabora.nix
+ ./forgejo-actions-runner.nix
 profiles.base-user
 profiles.users.root # make sure to configure ssh keys
 profiles.users.barkeeper
- "${latestModulesPath}/services/misc/gitea.nix"
+ "${latestModulesPath}/services/continuous-integration/gitea-actions-runner.nix"
 "${latestModulesPath}/services/web-servers/caddy/default.nix"
 ];
 disabledModules = [
- "services/misc/gitea.nix"
+ "services/continuous-integration/gitea-actions-runner.nix"
 "services/web-servers/caddy/default.nix"
 ];
diff --git a/hosts/flora-6/forgejo-actions-runner.nix b/hosts/flora-6/forgejo-actions-runner.nix
new file mode 100644
index 00000000..3cb09026
--- /dev/null
+++ b/hosts/flora-6/forgejo-actions-runner.nix
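Review bot: The five commented-out entries `#./keycloak.nix` … `#./collabora.nix` in the flora-6.nix hunk leave dead references in the imports list; git history already records what was migrated, so deleting those lines and keeping only `# Disable services migrated to nachtigall.pub.solar` (optionally followed by the module names in that one comment) reads cleaner and avoids re-enabling them later by a quick uncomment without re-review. If they are meant to stay discoverable, a comment pointing at the commit that removed them serves the same purpose without dead code. The enclosing `imports` list starts before the hunk.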
@@ -0,0 +1,35 @@
+{
+ config,
+ lib,
+ pkgs,
+ self,
+ ...
+}: {
+ age.secrets.forgejo-actions-runner-token = {
+ file = "${self}/secrets/forgejo-actions-runner-token.age";
+ mode = "644";
+ };
+
+ # forgejo actions runner
+ # https://forgejo.org/docs/latest/admin/actions/
+ # https://docs.gitea.com/usage/actions/quickstart
+ services.gitea-actions-runner = {
+ package = pkgs.forgejo-actions-runner;
+ instances."flora-6" = {
+ enable = true;
+ name = config.networking.hostName;
+ url = "https://git.pub.solar";
+ tokenFile = config.age.secrets.forgejo-actions-runner-token.path;
+ labels = [
+ # provide a debian 12 bookworm base for actions
+ "debian-latest:docker://debian:bookworm"
+ # fake the ubuntu name, commonly used in actions examples
+ "ubuntu-latest:docker://debian:bookworm"
+ # alpine
+ "alpine-latest:docker://alpine:3.18"
+ # nix flakes enabled image from https://github.com/nix-community/docker-nixpkgs
+ "nix-flakes:docker://docker.nix-community.org/nixpkgs/nix-flakes:latest"
+ ];
+ };
+ };
+}
diff --git a/overlays/overrides.nix b/overlays/overrides.nix
index 40fe2f70..66e9fb3d 100644
--- a/overlays/overrides.nix
+++ b/overlays/overrides.nix
@@ -5,6 +5,7 @@ channels: final: prev: {
 (channels.latest)
 nixd
 docker_24
+ forgejo-actions-runner
 ;
 inherit
diff --git a/secrets/forgejo-actions-runner-token.age b/secrets/forgejo-actions-runner-token.age
new file mode 100644
index 00000000..ebafa3eb
--- /dev/null
+++ b/secrets/forgejo-actions-runner-token.age
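Review bot: `mode = "644";` on `age.secrets.forgejo-actions-runner-token` makes the runner registration token readable by every local user and process on flora-6, which is wider than the runner needs. If the module hands `tokenFile` to systemd as an `EnvironmentFile=` (I believe the nixpkgs gitea-actions-runner module does, but confirm), the file is read by the service manager before privileges drop and agenix's default root-owned 0400 already works; otherwise set `owner`/`group` to the service's user and `mode = "440";` instead of world-readable. Separately, the `docker://` labels reference floating tags (`debian:bookworm`, `alpine:3.18`, `nix-flakes:latest`), so the image a job runs in can change silently between runs; pinning by digest, or stating in the label comments that they are intentionally unpinned, keeps CI jobs reproducible. If the token file is indeed an environment file it must contain `TOKEN=<value>` rather than the bare token, which is worth a one-line comment next to the secret so a future rotation does not break registration.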
@@ -0,0 +1,21 @@
+age-encryption.org/v1
+-> ssh-ed25519 Y0ZZaw 7CK6vwqQdCeiK2obS3bzCWe1MoEP9BPjgps+1wzCHBU
+sALt69KoZFofZKOXYTqM0Gm4lJS40p+UxXOyk8LnK1Q
+-> ssh-ed25519 BVsyTA NkTGaO5gnVSYYKwFpNvCvXhfQcG0icksEi3egd8Xl1o
+8OG4LyBknZeu7neQw6xQ+GaWv8OJUU0mj7enM8YiE64
+-> ssh-rsa kFDS0A
+FugVBn+eYu3yHSHwdNhMb72E3hBceWgeW5vnIZroYA2gEBE6wAj5ZjbGEPOs5pYL
+kLbP2WkMPpV0+TsNCVQPUgotpHrDbVR0Vw3Q3ijGa246aLsIV+b7BPnnLJtxPhOz
+m2JtIxAGgxLDPr4XAIm2qPk1To4sk0J/pM3PpAp5yVTofVIVZ9Nf1D73uO+gIbrg
+fVp0vng5o0JZqzj+NevD19zx+9MJW5xb1/DWCK3qfJ4OUh/SQl0CJs4Gu2VFUrFC
+bhEYTo4gmr7CbN9CgPeKCRhwul7qzqnTvT1X//WW8qPooeghLkO6CtzP0t9Ws+nf
+DwhLdbpG60cpRuOMrcaRd3GjtLANxjf+MN0YPAkBhVI/lj0omB+q8t7QsBBvKHQk
+5F8op1IGcAHeqcbne1fQOm4EpUay7Ex4j0KtFvgtBw5y8OlyARar11Wg3g18bwWL
+I6tjHaRDOE6j/KRmFEYM+1weoIMYrnWWQKa36J6Q76lQi5FSwLbngi37m3BRzfBH
+/zqQYXyQwpY8mh84mL6o2W7AIK5Qu/QU46QK2vfMme7Epdh0qcSf+ryZ8uy5w46H
+BtojVSczsHJpJPcAoOCREjtnveiVKvW0gIX633au6QuUK49+bqg56U8ISFLQIhOq
+bkxaenVV1hWtDGLDAQIM8vlgW11/0H03hs2wN+2OCA8
+-> u,-grease skM=
+dWVtDwW376N8q5dhF2o
+--- 6y7OVwZ5GagxyqZeFw6ycJmo5ZM5iQoPlzMYmZMXTug
+yv,uXV:GL1J[m(Ʌx9akьxO
\ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 99d220a3..489d39d8 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -23,4 +23,5 @@ in {
 "mailman-core-secrets.age".publicKeys = deployKeys;
 "mailman-web-secrets.age".publicKeys = deployKeys;
 "mailman-db-secrets.age".publicKeys = deployKeys;
+ "forgejo-actions-runner-token.age".publicKeys = deployKeys;
 }