2024-08-07 20:52:50 +00:00
|
|
|
{
|
|
|
|
config,
|
|
|
|
pkgs,
|
|
|
|
lib,
|
|
|
|
inputs,
|
|
|
|
...
|
|
|
|
}:
|
|
|
|
with lib; let
|
|
|
|
name = "forgejo_runner";
|
|
|
|
cfg = config.services.skynet."${name}";
|
|
|
|
in {
|
|
|
|
imports = [
|
|
|
|
];
|
|
|
|
|
|
|
|
options.services.skynet."${name}" = {
|
|
|
|
enable = mkEnableOption "Skynet ForgeJo Runner";
|
|
|
|
|
|
|
|
runner = {
|
|
|
|
name = mkOption {
|
|
|
|
type = types.str;
|
|
|
|
default = config.networking.hostName;
|
|
|
|
};
|
|
|
|
|
|
|
|
website = mkOption {
|
|
|
|
default = "https://forgejo.skynet.ie";
|
|
|
|
type = types.str;
|
|
|
|
};
|
|
|
|
|
|
|
|
user = mkOption {
|
|
|
|
default = "gitea-runner";
|
|
|
|
type = types.str;
|
|
|
|
};
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
config = mkIf cfg.enable {
|
|
|
|
# https://search.nixos.org/options?from=0&size=50&sort=alpha_desc&type=packages&query=services.gitlab-runner.
|
|
|
|
environment.systemPackages = with pkgs; [
|
|
|
|
forgejo-actions-runner
|
|
|
|
];
|
|
|
|
|
|
|
|
age.secrets.forgejo_runner_token = {
|
|
|
|
file = ../../secrets/forgejo/runners/token.age;
|
|
|
|
owner = cfg.runner.user;
|
|
|
|
group = cfg.runner.user;
|
|
|
|
};
|
|
|
|
|
|
|
|
# make sure the ssh config stuff is in teh right palce
|
|
|
|
systemd.tmpfiles.rules = [
|
|
|
|
#"d /home/${cfg.runner.user} 0755 ${cfg.runner.user} ${cfg.runner.user}"
|
|
|
|
"L+ /home/${cfg.runner.user}/.ssh/config 0755 ${cfg.runner.user} ${cfg.runner.user} - ${./ssh_config}"
|
|
|
|
];
|
|
|
|
age.secrets.forgejo_runner_ssh = {
|
|
|
|
file = ../../secrets/forgejo/runners/ssh.age;
|
|
|
|
mode = "600";
|
|
|
|
owner = "${cfg.runner.user}";
|
|
|
|
group = "${cfg.runner.user}";
|
|
|
|
symlink = false;
|
|
|
|
path = "/home/${cfg.runner.user}/.ssh/skynet/root";
|
|
|
|
};
|
|
|
|
|
|
|
|
nix = {
|
|
|
|
settings = {
|
|
|
|
trusted-users = [
|
|
|
|
# allow the runner to build nix stuff and to use the cache
|
|
|
|
"gitea-runner"
|
|
|
|
];
|
|
|
|
trusted-public-keys = [
|
|
|
|
"skynet-cache:zMFLzcRZPhUpjXUy8SF8Cf7KGAZwo98SKrzeXvdWABo="
|
|
|
|
"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
|
|
|
|
];
|
|
|
|
substituters = [
|
|
|
|
"https://nix-cache.skynet.ie/skynet-cache/"
|
|
|
|
"https://cache.nixos.org/"
|
|
|
|
];
|
|
|
|
trusted-substituters = [
|
|
|
|
"https://nix-cache.skynet.ie/skynet-cache/"
|
|
|
|
"https://cache.nixos.org/"
|
|
|
|
];
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
# very basic setup to always be watching for changes in teh cache
|
|
|
|
systemd.services.attic-uploader = {
|
|
|
|
enable = true;
|
|
|
|
serviceConfig = {
|
|
|
|
ExecStart = "${pkgs.attic-client}/bin/attic watch-store skynet-cache";
|
|
|
|
User = "root";
|
|
|
|
Restart = "always";
|
|
|
|
RestartSec = 1;
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
# give teh runner user a home to store teh ssh config stuff
|
|
|
|
systemd.services.gitea-runner-default.serviceConfig = {
|
|
|
|
DynamicUser = lib.mkForce false;
|
|
|
|
User = lib.mkForce cfg.runner.user;
|
|
|
|
};
|
|
|
|
users = {
|
|
|
|
groups."${cfg.runner.user}" = {};
|
|
|
|
users."${cfg.runner.user}" = {
|
|
|
|
#isSystemUser = true;
|
|
|
|
isNormalUser = true;
|
|
|
|
group = cfg.runner.user;
|
|
|
|
createHome = true;
|
|
|
|
shell = pkgs.bash;
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
2024-10-04 11:00:48 +00:00
|
|
|
boot.kernel.sysctl."net.ipv4.ip_forward" = true; # 1
|
|
|
|
virtualisation.docker.enable = true;
|
|
|
|
|
|
|
|
# taken from https://github.com/NixOS/nixpkgs/issues/245365#issuecomment-1663854128
|
|
|
|
virtualisation.docker.listenOptions = ["/run/docker.sock" "127.0.0.1:2375"];
|
|
|
|
|
2024-08-07 20:52:50 +00:00
|
|
|
# the actual runner
|
|
|
|
services.gitea-actions-runner = {
|
|
|
|
package = pkgs.forgejo-actions-runner;
|
|
|
|
instances.default = {
|
|
|
|
enable = true;
|
|
|
|
name = cfg.runner.name;
|
|
|
|
url = cfg.runner.website;
|
|
|
|
tokenFile = config.age.secrets.forgejo_runner_token.path;
|
|
|
|
labels = [
|
|
|
|
## optionally provide native execution on the host:
|
|
|
|
"nix:host"
|
2024-10-04 11:00:48 +00:00
|
|
|
"docker:docker://node:22-bookworm"
|
|
|
|
"ubuntu-latest:docker://node:22-bookworm"
|
2024-08-07 20:52:50 +00:00
|
|
|
];
|
|
|
|
|
|
|
|
hostPackages = with pkgs; [
|
|
|
|
# default ones
|
|
|
|
bash
|
|
|
|
coreutils
|
|
|
|
curl
|
|
|
|
gawk
|
2024-10-04 11:00:48 +00:00
|
|
|
git
|
2024-08-07 20:52:50 +00:00
|
|
|
gnused
|
|
|
|
nodejs
|
|
|
|
wget
|
|
|
|
|
2024-08-11 03:13:25 +00:00
|
|
|
# useful to have in path
|
|
|
|
jq
|
|
|
|
which
|
|
|
|
dpkg
|
|
|
|
zip
|
2024-08-11 19:38:20 +00:00
|
|
|
git-lfs
|
2024-08-11 03:13:25 +00:00
|
|
|
|
2024-08-07 20:52:50 +00:00
|
|
|
# used in deployments
|
|
|
|
inputs.colmena.defaultPackage."x86_64-linux"
|
|
|
|
attic-client
|
|
|
|
nix
|
|
|
|
openssh
|
2024-10-04 11:00:48 +00:00
|
|
|
sudo
|
2024-08-07 20:52:50 +00:00
|
|
|
];
|
|
|
|
};
|
|
|
|
};
|
|
|
|
};
|
|
|
|
}
|