From 2aabad4062b3e97cea95e8b490fac2d201019e22 Mon Sep 17 00:00:00 2001
From: teutat3s
Date: Thu, 7 Nov 2024 10:22:35 +0100
Subject: [PATCH] forgejo-actions-runner: init module, add to ryzensun
---
 modules/default.nix | 1 +
 modules/forgejo-actions-runner/default.nix | 58 +++++++++++++++++++++
 secrets/forgejo-actions-runner-token.age | Bin 0 -> 580 bytes
 secrets/secrets.nix | 1 +
 4 files changed, 60 insertions(+)
 create mode 100644 modules/forgejo-actions-runner/default.nix
 create mode 100644 secrets/forgejo-actions-runner-token.age
diff --git a/modules/default.nix b/modules/default.nix
index 4424dca8..2274ae30 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -10,6 +10,7 @@
   desktop-extended = import ./desktop-extended;
   docker = import ./docker;
   #email = import ./email;
+  forgejo-actions-runner = import ./forgejo-actions-runner;
   #gaming = import ./gaming;
   graphical = import ./graphical;
   invoiceplane = import ./invoiceplane;
diff --git a/modules/forgejo-actions-runner/default.nix b/modules/forgejo-actions-runner/default.nix
new file mode 100644
index 00000000..6b983293
--- /dev/null
+++ b/modules/forgejo-actions-runner/default.nix
@@ -0,0 +1,58 @@
+{
+  config,
+  pkgs,
+  lib,
+  flake,
+  ...
+}:
+let
+  hostname = config.networking.hostName;
+in
+{
+  age.secrets."forgejo-actions-runner-token.age" = {
+    file = "${flake.self}/secrets/forgejo-actions-runner-token.age";
+    mode = "440";
+  };
+
+  # Trust docker bridge interface traffic
+  # Needed for the docker runner to communicate with the act_runner cache
+  networking.firewall.trustedInterfaces = [ "br-+" ];
+
+  users.users.gitea-runner = {
+    home = "/var/lib/gitea-runner/${hostname}";
+    useDefaultShell = true;
+    group = "gitea-runner";
+    # Required to interact with nix daemon
+    extraGroups = [ "wheel" ];
+    isSystemUser = true;
+  };
+
+  users.groups.gitea-runner = { };
+
+  systemd.tmpfiles.rules = [ "d '/var/lib/gitea-runner' 0750 gitea-runner gitea-runner - -" ];
+
+  systemd.services."gitea-runner-${hostname}" = {
+    serviceConfig.DynamicUser = lib.mkForce false;
+  };
+
+  # forgejo actions runner
+  # https://forgejo.org/docs/latest/admin/actions/
+  # https://docs.gitea.com/usage/actions/quickstart
+  services.gitea-actions-runner = {
+    package = pkgs.forgejo-runner;
+    instances."${hostname}" = {
+      enable = true;
+      name = hostname;
+      url = "https://git.pub.solar";
+      tokenFile = config.age.secrets."forgejo-actions-runner-token.age".path;
+      labels = [
+        # provide a debian 12 bookworm base with Node.js for actions
+        "debian-latest:docker://git.pub.solar/pub-solar/actions-base-image:20-bookworm"
+        # fake the ubuntu name, commonly used in actions examples
+        "ubuntu-latest:docker://git.pub.solar/pub-solar/actions-base-image:20-bookworm"
+        # alpine with Node.js
+        "alpine-latest:docker://node:20-alpine"
+      ];
+    };
+  };
+}
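Review bot: `extraGroups = [ "wheel" ]` on users.users.gitea-runner gives the account that executes CI jobs for a public forge an administrator group, which is broader than the stated need in `# Required to interact with nix daemon`; if that need comes from a `trusted-users = [ "@wheel" ]` setting elsewhere in the repo (not visible here), grant the runner daemon access by name instead, `nix.settings.allowed-users = [ "gitea-runner" ];` or, only if it really needs trusted privileges, `nix.settings.trusted-users = [ "gitea-runner" ];`. In the same hunk, `networking.firewall.trustedInterfaces = [ "br-+" ]` disables the firewall for every docker bridge, so a container started for any job can reach every host-listening service rather than only the act_runner cache the comment mentions; `networking.firewall.interfaces."br-+".allowedTCPPorts = [ <cache-port> ];` would confine that to the one port (confirm the wildcard interface name is honoured by the firewall backend in use). The `serviceConfig.DynamicUser = lib.mkForce false` override deserves a comment stating why the upstream module's default is replaced, e.g. `# static user: the runner needs a persistent home under /var/lib/gitea-runner`, so the next reader does not drop it as stale.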
diff --git a/secrets/forgejo-actions-runner-token.age b/secrets/forgejo-actions-runner-token.age new file mode 100644 index 0000000000000000000000000000000000000000..02997e3b38ea3a1a72b76ad3c49c4328e2fa2e03 GIT binary patch literal 580 zcmZ9_y^fP`008id(S^j#;bI(E)S*GjpF*j*+@<9k3Z=9ZXrf7vZ@BVVphe?g;^^q= z;Nlb9rjz#s<`Nx@58&wJ;9y+u_X597;2~b>l!ts5W$BZw4A2IHkW;v-Ld0_cL0}`; z%ux%S!;VBJfz3$^%-1(oNshwG+RH}K+iY<%u7GDQWQ*9hk?BAKG;2CrO_e^5yY7H) z)+M0WnxHQ>rbl>7G}9!{PrJj8y}3~a)=LApHM>SyPTEAB&dv=sq15q6um!WG)(pGP zJ7ML|(VWvzPJu|*J(zUebrUwZn9@e!*aItN(UF6hAT zp0SD9O4IVtV|_!5-1+}4j~XNg1PSl??$EXHxbSN|8)U^?0^UZ+raR(LMKXwo{Nf_+ zhG5T^R&TY%NYFrGyRfKP!uZ>H*Cgkf-VX&$2RcZpGMTA7DU1qwE%I|_03iqhn`s^R z98Q+yOkI#6qxAB^@AQ$CGNcn2Nz$9f#BKtVz6gOo*LRa!Uv=^OQF;97=$(0$y?*xN zVfan@@b>31&Rza~RJ~ce`g`@_^rZQCyE?l+-SH8i6>t^xBmdh Cb-_0P literal 0 HcmV?d00001 diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 4a263e54..eb525e2e 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -26,6 +26,7 @@ in "mnx-bonanza-pf1.p12.age".publicKeys = allKeys; "docker-ci-runner-secrets.age".publicKeys = allKeys; "test-secret.age".publicKeys = [ users.teutat3s-5-nfc ]; + "forgejo-actions-runner-token.age".publicKeys = allKeys; "hosting-de-acme-secrets.age".publicKeys = [ machines.fae users.teutat3s