From 289b58198c489fc20d0f3a546f5aa058b56d0457 Mon Sep 17 00:00:00 2001
From: Hendrik Sokolowski
Date: Sat, 22 Oct 2022 14:57:40 +0200
Subject: [PATCH 1/3] NixOS module for a drone ci runner in docker
---
 modules/docker-ci-runner/default.nix | 105 +++++++++++++++++++++++++++
 1 file changed, 105 insertions(+)
 create mode 100644 modules/docker-ci-runner/default.nix
diff --git a/modules/docker-ci-runner/default.nix b/modules/docker-ci-runner/default.nix
new file mode 100644
index 00000000..2a32b8fa
--- /dev/null
+++ b/modules/docker-ci-runner/default.nix
@@ -0,0 +1,105 @@
+{ lib, config, pkgs, self, ... }:
+
+with lib;
+let
+ bootstrap = pkgs.writeScript "bootstrap.sh" ''
+ #!/usr/bin/env bash
+
+ set -e
+
+ apt update
+ apt install --yes curl git sudo xz-utils
+
+ adduser --system --uid 999 build
+ chown build /nix
+
+ sudo -u build curl -L https://nixos.org/nix/install > install
+ sudo -u build sh install
+
+ echo "export PATH=/nix/var/nix/profiles/per-user/build/profile/bin:''$PATH" >> /etc/profile
+
+ mkdir /etc/nix
+ echo 'experimental-features = nix-command flakes' >> /etc/nix/nix.conf
+
+ export nix_user_config_file="/home/build/.local/share/nix/trusted-settings.json"
+ mkdir -p $(dirname \\$nix_user_config_file)
+ echo '{"extra-experimental-features":{"nix-command flakes":true},"extra-substituters":{"https://nix-dram.cachix.org https://dram.cachix.org https://nrdxp.cachix.org https://nix-community.cachix.org":true},"extra-trusted-public-keys":{"nix-dram.cachix.org-1:CKjZ0L1ZiqH3kzYAZRt8tg8vewAx5yj8Du/+iR8Efpg= dram.cachix.org-1:baoy1SXpwYdKbqdTbfKGTKauDDeDlHhUpC+QuuILEMY= nrdxp.cachix.org-1:Fc5PSqY2Jm1TrWfm88l6cvGWwz3s93c6IOifQWnhNW4= nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=":true}}' > \\$nix_user_config_file
+ chown -R build /home/build/
+
+ curl -L https://github.com/drone-runners/drone-runner-exec/releases/latest/download/drone_runner_exec_linux_amd64.tar.gz | tar xz
+ sudo install -t /usr/local/bin drone-runner-exec
+
+ if [ ! -f /run/vars ]; then
+ exit 1
+ fi
+
+ cp -a /run/vars /run/runtime-vars
+ env | grep "DRONE" >> /run/runtime-vars
+
+ su - -s /bin/bash build sh -c "/usr/local/bin/drone-runner-exec daemon /run/runtime-vars"
+ '';
+ psCfg = config.pub-solar;
+ cfg = config.pub-solar.docker-ci-runner;
+in
+{
+ options.pub-solar.docker-ci-runner = {
+ enable = lib.mkEnableOption "Enables a systemd service that runs drone-ci-runner";
+
+ enableKvm = lib.mkOption {
+ description = ''
+ Enable kvm support.
+ '';
+ default = true;
+ type = types.bool;
+ };
+
+ nixCacheLocation = lib.mkOption {
+ description = ''
+ Location of nix cache that is shared between builds
+ '';
+ type = types.path;
+ };
+
+ runnerEnvironment = lib.mkOption {
+ description = ''
+ Additional environment vars added to the vars file on container runtime
+ '';
+ default = {};
+ };
+
+ runnerVarsFile = lib.mkOption {
+ description = ''
+ Location of vars file passed to drone runner
+ '';
+ type = types.path;
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ virtualisation = {
+ docker = {
+ enable = true; # sadly podman is not supported rightnow
+ };
+
+ oci-containers = {
+ backend = "docker";
+ containers."drone-exec-runner" = {
+ image = "debian";
+ autoStart = true;
+ entrypoint = "bash";
+ cmd = [ "/bootstrap.sh" ];
+
+ volumes = [
+ "${cfg.runnerVarsFile}:/run/vars"
+ "${cfg.nixCacheLocation}:/nix"
+ "${bootstrap}:/bootstrap.sh"
+ ];
+
+ environment = cfg.runnerEnvironment;
+
+ extraOptions = lib.mkIf cfg.enableKvm [ "--device=/dev/kvm" ];
+ };
+ };
+ };
+ };
+}
From 5f6988291c0737ad229aac63c07554e5ca83d536 Mon Sep 17 00:00:00 2001
From: Hendrik Sokolowski
Date: Wed, 26 Oct 2022 22:04:48 +0200
Subject: [PATCH 2/3] Fix wording
---
 modules/docker-ci-runner/default.nix | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/modules/docker-ci-runner/default.nix b/modules/docker-ci-runner/default.nix
index 2a32b8fa..be7ecc47 100644
--- a/modules/docker-ci-runner/default.nix
+++ b/modules/docker-ci-runner/default.nix
@@ -43,7 +43,7 @@ let
 in
 {
 options.pub-solar.docker-ci-runner = {
- enable = lib.mkEnableOption "Enables a systemd service that runs drone-ci-runner";
+ enable = lib.mkEnableOption "Enables a docker container running a drone exec runner as unprivileged user.";
 enableKvm = lib.mkOption {
 description = ''
@@ -88,7 +88,7 @@ in
 autoStart = true;
 entrypoint = "bash";
 cmd = [ "/bootstrap.sh" ];
-
+
 volumes = [
 "${cfg.runnerVarsFile}:/run/vars"
 "${cfg.nixCacheLocation}:/nix"
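Review bot: The bootstrap script fetches both the Nix installer (`curl -L https://nixos.org/nix/install`) and the runner binary from a `releases/latest` URL on every container start, with no version pin and no checksum, so the program that executes CI jobs is whatever those endpoints serve at boot; pin a release tag and verify the archive before unpacking, e.g. `echo "<SHA256_PLACEHOLDER>  drone_runner_exec_linux_amd64.tar.gz" | sha256sum -c` ahead of `tar xz`. Because `chown build /nix` makes the shared `nixCacheLocation` volume writable by the same user the daemon runs pipelines as, one pipeline can alter store paths that later builds read, so the `nixCacheLocation` description should state that the runner is only suitable for trusted repositories. `runnerEnvironment` values are passed as container environment in the generated unit (Nix store, visible in `docker inspect`), so its description should say that secrets belong in `runnerVarsFile`, not here. `su - -s /bin/bash build sh -c "…"` hands `sh -c …` to bash as trailing arguments rather than as a command, which, unless su rewrites them, makes bash look for a script named `sh`; `su - build -s /bin/bash -c "/usr/local/bin/drone-runner-exec daemon /run/runtime-vars"` is the unambiguous form. `psCfg` is bound but never used in this file.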
@@ -96,7 +96,7 @@ in
 ];
 environment = cfg.runnerEnvironment;
-
+
 extraOptions = lib.mkIf cfg.enableKvm [ "--device=/dev/kvm" ];
 };
 };
From 25ad234f2a1336e2d50a6a61165bb32b37756cdd Mon Sep 17 00:00:00 2001
From: Hendrik Sokolowski
Date: Sun, 30 Oct 2022 21:37:24 +0100
Subject: [PATCH 3/3] add default for nix store path
---
 modules/docker-ci-runner/default.nix | 1 +
 1 file changed, 1 insertion(+)
diff --git a/modules/docker-ci-runner/default.nix b/modules/docker-ci-runner/default.nix
index be7ecc47..11998fd9 100644
--- a/modules/docker-ci-runner/default.nix
+++ b/modules/docker-ci-runner/default.nix
@@ -57,6 +57,7 @@ in
 description = ''
 Location of nix cache that is shared between builds
 '';
+ default = "/var/lib/docker-ci-runner";
 type = types.path;
 };