flora-6: disable migrated services, enable ci runner

for forgejo actions

https://forgejo.org/docs/latest/admin/actions

hosts/flora-6/caddy.nix

@@ -4,24 +4,8 @@
   pkgs,
   self,
   ...
-}: let
+}:
-  maintenanceMode = {
+{
-    logFormat = lib.mkForce ''
-      output discard
-    '';
-    extraConfig = ''
-      root * /srv/www/pub.solar
-
-      error * "Scheduled Maintenance" 503
-
-      handle_errors {
-        root * /srv/www/pub.solar
-        rewrite * /maintenance/index.html
-        file_server
-      }
-    '';
-  };
-in {
   systemd.tmpfiles.rules = [
     "d '/data/srv/www/os/download/' 0750 hakkonaut hakkonaut - -"
   ];
@@ -35,88 +19,6 @@ in {
       grace_period 60s
     '';
     virtualHosts = {
-      "pub.solar" = {
-        logFormat = lib.mkForce ''
-          output discard
-        '';
-        extraConfig = ''
-          # Named matcher, used below for Mastodon webfinger
-          @query query resource=*
-
-          # PubSolarOS images
-          handle /os/download/* {
-            root * /data/srv/www
-            file_server /os/download/* browse
-          }
-          # serve base domain pub.solar for mastodon.pub.solar
-          # https://masto.host/mastodon-usernames-different-from-the-domain-used-for-installation/
-          handle /.well-known/host-meta {
-            redir https://mastodon.pub.solar{uri}
-          }
-
-          # Tailscale OIDC webfinger requirement plus Mastodon webfinger redirect
-          handle /.well-known/webfinger {
-            # Redirect requests that match /.well-known/webfinger?resource=* to Mastodon
-            handle @query {
-              redir https://mastodon.pub.solar{uri}
-            }
-            respond 200 {
-              body `{
-                "subject": "acct:admins@pub.solar",
-                "links": [
-                  {
-                    "rel": "http://openid.net/specs/connect/1.0/issuer",
-                    "href": "https://auth.pub.solar/realms/pub.solar"
-                  }
-                ]
-              }`
-            }
-          }
-
-          # redirect to statutes
-          redir /satzung https://cloud.pub.solar/s/2tRCP9aZFCiWxQy temporary
-
-          # pub.solar website
-          handle {
-            root * /srv/www/pub.solar
-            try_files {path}.html {path}
-            file_server
-          }
-          # minimal error handling, respond with status code and text
-          handle_errors {
-            respond "{http.error.status_code} {http.error.status_text}"
-          }
-        '';
-      };
-      "www.pub.solar" = {
-        logFormat = lib.mkForce ''
-          output discard
-        '';
-        extraConfig = ''
-          redir https://pub.solar{uri}
-        '';
-      };
-
-      "mastodon.pub.solar" = maintenanceMode;
-
-      "auth.pub.solar" = {
-        logFormat = lib.mkForce ''
-          output discard
-        '';
-        extraConfig = ''
-          redir / /realms/pub.solar/account temporary
-          reverse_proxy :8080
-        '';
-      };
-      "git.pub.solar" = {
-        logFormat = lib.mkForce ''
-          output discard
-        '';
-        extraConfig = ''
-          redir /user/login /user/oauth2/keycloak temporary
-          reverse_proxy :3000
-        '';
-      };
       "ci.pub.solar" = {
         logFormat = lib.mkForce ''
           output discard
@@ -125,35 +27,6 @@ in {
           reverse_proxy :4000
         '';
       };
-      "stream.pub.solar" = {
-        logFormat = lib.mkForce ''
-          output discard
-        '';
-        extraConfig = ''
-          reverse_proxy :5000
-        '';
-      };
-      "list.pub.solar" = {
-        logFormat = lib.mkForce ''
-          output discard
-        '';
-        extraConfig = ''
-          handle_path /static/* {
-            root * /var/lib/mailman-web-static
-            file_server
-          }
-
-          reverse_proxy :18507
-        '';
-      };
-      "collabora.pub.solar" = {
-        logFormat = lib.mkForce ''
-          output discard
-        '';
-        extraConfig = ''
-          reverse_proxy :9980
-        '';
-      };
       "obs-portal.pub.solar" = {
         logFormat = lib.mkForce ''
           output discard

hosts/flora-6/flora-6.nix

@@ -17,21 +17,23 @@ in {
 
     ./caddy.nix
     ./drone.nix
-    ./keycloak.nix
+    # Disable services migrated to nachtigall.pub.solar
-    ./gitea.nix
+    #./keycloak.nix
-    ./mailman.nix
+    #./gitea.nix
-    ./owncast.nix
+    #./mailman.nix
-    ./collabora.nix
+    #./owncast.nix
+    #./collabora.nix
+    ./forgejo-actions-runner.nix
 
     profiles.base-user
     profiles.users.root # make sure to configure ssh keys
     profiles.users.barkeeper
 
-    "${latestModulesPath}/services/misc/gitea.nix"
+    "${latestModulesPath}/services/continuous-integration/gitea-actions-runner.nix"
     "${latestModulesPath}/services/web-servers/caddy/default.nix"
   ];
   disabledModules = [
-    "services/misc/gitea.nix"
+    "services/continuous-integration/gitea-actions-runner.nix"
     "services/web-servers/caddy/default.nix"
   ];
 

hosts/flora-6/forgejo-actions-runner.nix

@@ -0,0 +1,35 @@
+{
+  config,
+  lib,
+  pkgs,
+  self,
+  ...
+}: {
+  age.secrets.forgejo-actions-runner-token = {
+    file = "${self}/secrets/forgejo-actions-runner-token.age";
+    mode = "644";
+  };
+
+  # forgejo actions runner
+  # https://forgejo.org/docs/latest/admin/actions/
+  # https://docs.gitea.com/usage/actions/quickstart
+  services.gitea-actions-runner = {
+    package = pkgs.forgejo-actions-runner;
+    instances."flora-6" = {
+      enable = true;
+      name = config.networking.hostName;
+      url = "https://git.pub.solar";
+      tokenFile = config.age.secrets.forgejo-actions-runner-token.path;
+      labels = [
+        # provide a debian 12 bookworm base for actions
+        "debian-latest:docker://debian:bookworm"
+        # fake the ubuntu name, commonly used in actions examples
+        "ubuntu-latest:docker://debian:bookworm"
+        # alpine
+        "alpine-latest:docker://alpine:3.18"
+        # nix flakes enabled image from https://github.com/nix-community/docker-nixpkgs
+        "nix-flakes:docker://docker.nix-community.org/nixpkgs/nix-flakes:latest"
+      ];
+    };
+  };
+}

overlays/overrides.nix

@@ -5,6 +5,7 @@ channels: final: prev: {
     (channels.latest)
     nixd
     docker_24
+    forgejo-actions-runner
     ;
 
   inherit

secrets/forgejo-actions-runner-token.age

@@ -0,0 +1,21 @@
+age-encryption.org/v1
+-> ssh-ed25519 Y0ZZaw 7CK6vwqQdCeiK2obS3bzCWe1MoEP9BPjgps+1wzCHBU
+sALt69KoZFofZKOXYTqM0Gm4lJS40p+UxXOyk8LnK1Q
+-> ssh-ed25519 BVsyTA NkTGaO5gnVSYYKwFpNvCvXhfQcG0icksEi3egd8Xl1o
+8OG4LyBknZeu7neQw6xQ+GaWv8OJUU0mj7enM8YiE64
+-> ssh-rsa kFDS0A
+FugVBn+eYu3yHSHwdNhMb72E3hBceWgeW5vnIZroYA2gEBE6wAj5ZjbGEPOs5pYL
+kLbP2WkMPpV0+TsNCVQPUgotpHrDbVR0Vw3Q3ijGa246aLsIV+b7BPnnLJtxPhOz
+m2JtIxAGgxLDPr4XAIm2qPk1To4sk0J/pM3PpAp5yVTofVIVZ9Nf1D73uO+gIbrg
+fVp0vng5o0JZqzj+NevD19zx+9MJW5xb1/DWCK3qfJ4OUh/SQl0CJs4Gu2VFUrFC
+bhEYTo4gmr7CbN9CgPeKCRhwul7qzqnTvT1X//WW8qPooeghLkO6CtzP0t9Ws+nf
+DwhLdbpG60cpRuOMrcaRd3GjtLANxjf+MN0YPAkBhVI/lj0omB+q8t7QsBBvKHQk
+5F8op1IGcAHeqcbne1fQOm4EpUay7Ex4j0KtFvgtBw5y8OlyARar11Wg3g18bwWL
+I6tjHaRDOE6j/KRmFEYM+1weoIMYrnWWQKa36J6Q76lQi5FSwLbngi37m3BRzfBH
+/zqQYXyQwpY8mh84mL6o2W7AIK5Qu/QU46QK2vfMme7Epdh0qcSf+ryZ8uy5w46H
+BtojVSczsHJpJPcAoOCREjtnveiVKvW0gIX633au6QuUK49+bqg56U8ISFLQIhOq
+bkxaenVV1hWtDGLDAQIM8vlgW11/0H03hs2wN+2OCA8
+-> u,-grease skM=
+dWVtDwW376N8q5dhF2o
+--- 6y7OVwZ5GagxyqZeFw6ycJmo5ZM5iQoPlzMYmZMXTug
+‹y㎌„Ævâ<EFBFBD>,uX÷³Ÿü‹úùØV¶:GLÅ1Ôý´JÈ[m(Áðþ¡Â ¾¡É…µx9ak°¬áÉÑŒŠx±O뤜¢

secrets/secrets.nix

@@ -23,4 +23,5 @@ in {
   "mailman-core-secrets.age".publicKeys = deployKeys;
   "mailman-web-secrets.age".publicKeys = deployKeys;
   "mailman-db-secrets.age".publicKeys = deployKeys;
+  "forgejo-actions-runner-token.age".publicKeys = deployKeys;
 }