Merge pull request 'feat: adding another runner to speed up deployment' (#140) from #139_more-runners into main

Reviewed-on: #140

ITD/Firewall_Rules.csv

@@ -43,4 +43,5 @@ SKYNET_FIREWALL_00031,Add,i24-06-04_017,Complete,All,-,193.1.99.83,SKYNET00020,"
 SKYNET_FIREWALL_00032,Remove,i24-06-04_017,Complete,All,-,193.1.99.90,SKYNET00016,8080,-,Had incorrectly opened 8080 on the main panel
 SKYNET_FIREWALL_00033,Add,i24-06-04_017,Complete,All,-,193.1.99.91,SKYNET00017,8080,-,Websocket for admin panel on games management server
 ,Add,i24-07-15_112,Denied,193.1.99.75,-,-,-,22,-,Response from ITD - 'Our IT Security team have advised that port 22 and port 2222 are only to be allowed through the VPN and will not be opened to allow inbound ssh connections directly from the internet'
-SKYNET_FIREWALL_00034,Add,i25-01-26_075,Complete,All,-,193.1.99.91,SKYNET00017,-,23318-23325,Ports for Minecraft Bedrock on the main games server.
+SKYNET_FIREWALL_00034,Add,i25-01-26_075,Complete,All,-,193.1.99.91,SKYNET00017,-,23318-23325,Ports for Minecraft Bedrock on the main games server.
+SKYNET_FIREWALL_00035,Add,i25-02-14_114,Complete,193.1.99.75,SKYNET00008,193.1.96.165,SKYNET00012,22,-,Allow our forgejo runner to access and deploy to teh external server

ITD/Server_Inventory.csv

@@ -14,11 +14,14 @@ SKYNET00012,skynet,Active,193.1.96.165,Nixos-24.05,Skynet server. (DMZ)
 SKYNET00013,neuromancer,Active,193.1.99.080,Nixos-24.05,Local Backup Server
 SKYNET00014,cadie,Active,193.1.99.077,Nixos-24.05,"Services VM, has nextcloud to start with"
 SKYNET00015,marvin,Active,193.1.99.081,Nixos-24.05,Trainee testing server
-SKYNET00016,optimus,Active,193.1.99.090,Debian-12,Games server manager (replacing SKYNET00006 soon)
-SKYNET00017,bumblebee,Active,193.1.99.091,Debian-12,Game server - Minecraft
+SKYNET00016,optimus,Retired,193.1.99.090,Debian-12,Games server manager (replacing SKYNET00006 soon)
+SKYNET00017,bumblebee,Retired,193.1.99.091,Debian-12,Game server - Minecraft
 SKYNET00018,calculon,Active,193.1.99.082,Nixos-24.05,"Public Services such as binary cache, Open Governance and Keyserver"
 SKYNET00019,deepthought,Active,193.1.99.112,Nixos-24.05,Backup Test Server using restic
 SKYNET00020,ariia,Active,193.1.99.083,Nixos-24.05,"Metrics, Grafana and Prometheus"
 SKYNET00021,ash,Active,193.1.99.114,NA,Server Room Network access
 SKYNET00022,ultron,Active,193.1.99.084,Proxmox,VM Host
-SKYNET00023,optimus-test,Active,193.1.99.085,Nixos,Testing flake for Pelecian
+SKYNET00023,optimus-test,Retired,193.1.99.085,Nixos,Testing flake for Pelecian
+SKYNET00024,optimus,Active,193.1.99.090,Nixos,Games server manager (replaced SKYNET00016)
+SKYNET00025,bumblebee,Active,193.1.99.091,Nixos,Game server - Minecraft (replaced SKYNET00017)
+SKYNET00027,vision,Active,193.1.99.085,Raspbian,Proxmox Qurom server

applications/git/forgejo_runner.nix

@@ -15,21 +15,23 @@ in {
   options.services.skynet."${name}" = {
     enable = mkEnableOption "Skynet ForgeJo Runner";
 
-    runner = {
-      name = mkOption {
-        type = types.str;
-        default = config.networking.hostName;
-      };
+    name = mkOption {
+      type = types.str;
+      default = config.networking.hostName;
+    };
 
-      website = mkOption {
-        default = "https://forgejo.skynet.ie";
-        type = types.str;
-      };
+    website = mkOption {
+      default = "https://forgejo.skynet.ie";
+      type = types.str;
+    };
 
-      user = mkOption {
-        default = "gitea-runner";
-        type = types.str;
-      };
+    user = mkOption {
+      default = "gitea-runner";
+      type = types.str;
+    };
+
+    secret = mkOption {
+      type = types.path;
     };
   };
 
@@ -40,23 +42,23 @@ in {
     ];
 
     age.secrets.forgejo_runner_token = {
-      file = ../../secrets/forgejo/runners/token.age;
-      owner = cfg.runner.user;
-      group = cfg.runner.user;
+      file = cfg.secret;
+      owner = cfg.user;
+      group = cfg.user;
     };
 
     # make sure the ssh config stuff is in teh right palce
     systemd.tmpfiles.rules = [
-      #"d  /home/${cfg.runner.user}             0755 ${cfg.runner.user} ${cfg.runner.user}"
-      "L+ /home/${cfg.runner.user}/.ssh/config 0755 ${cfg.runner.user} ${cfg.runner.user}  -   ${./ssh_config}"
+      #"d  /home/${cfg.user}             0755 ${cfg.user} ${cfg.user}"
+      "L+ /home/${cfg.user}/.ssh/config 0755 ${cfg.user} ${cfg.user}  -   ${./ssh_config}"
     ];
     age.secrets.forgejo_runner_ssh = {
       file = ../../secrets/forgejo/runners/ssh.age;
       mode = "600";
-      owner = "${cfg.runner.user}";
-      group = "${cfg.runner.user}";
+      owner = "${cfg.user}";
+      group = "${cfg.user}";
       symlink = false;
-      path = "/home/${cfg.runner.user}/.ssh/skynet/root";
+      path = "/home/${cfg.user}/.ssh/skynet/root";
     };
 
     nix = {
@@ -94,14 +96,14 @@ in {
     # give teh runner user a home to store teh ssh config stuff
     systemd.services.gitea-runner-default.serviceConfig = {
       DynamicUser = lib.mkForce false;
-      User = lib.mkForce cfg.runner.user;
+      User = lib.mkForce cfg.user;
     };
     users = {
-      groups."${cfg.runner.user}" = {};
-      users."${cfg.runner.user}" = {
+      groups."${cfg.user}" = {};
+      users."${cfg.user}" = {
         #isSystemUser = true;
         isNormalUser = true;
-        group = cfg.runner.user;
+        group = cfg.user;
         createHome = true;
         shell = pkgs.bash;
       };
@@ -118,8 +120,8 @@ in {
       package = pkgs.forgejo-actions-runner;
       instances.default = {
         enable = true;
-        name = cfg.runner.name;
-        url = cfg.runner.website;
+        name = cfg.name;
+        url = cfg.website;
         tokenFile = config.age.secrets.forgejo_runner_token.path;
         labels = [
           ## optionally provide native execution on the host:

machines/glados.nix

@@ -28,6 +28,7 @@ in {
   imports = [
     ../applications/git/gitlab.nix
     ../applications/git/forgejo.nix
+    ../applications/git/forgejo_runner.nix
   ];
 
   deployment = {
@@ -43,5 +44,9 @@ in {
     backup.enable = true;
     gitlab.enable = true;
     forgejo.enable = true;
+    forgejo_runner = {
+      enable = true;
+      secret = ../secrets/forgejo/runners/token2.age;
+    };
   };
 }

machines/wheatly.nix

@@ -39,6 +39,9 @@ in {
   services.skynet = {
     host = host;
     backup.enable = true;
-    forgejo_runner.enable = true;
+    forgejo_runner = {
+      enable = true;
+      secret = ../secrets/forgejo/runners/token1.age;
+    };
   };
 }

secrets/forgejo/runners/token.age

@@ -1,19 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 V1pwNA kZ6MC1GXuminn2Hlomkep1wIv1lp6KpJOJcpXkhQWWM
-K1B58FSyb4QpINlhuvVv4dGFNjTChU1KNoezZcS/a6Y
--> ssh-ed25519 4PzZog pbxwzRvcsOgY9hd48BZEOH6VHFLn93gJ8yDHQyNIiSI
-Fa/Z6si9vyox/pmPvWTndyYCQxo7tcvdlRuTgw6IY9g
--> ssh-ed25519 dA0vRg OW2y/LkN/287NVuRRlSpihR+k/MZ+a0R5cIrHFne6RI
-U0ZqipfDlpz9LeXKNWkl7tYCnsBjSQz8q4mETBVEalI
--> ssh-ed25519 5Nd93w jDy3i1Z1NWYqdVdw4h+maaBjokVWNrSfHtSQotb2bWg
-PtgX9L78wpJHiX4lmP+H0bfRZd/tNfHrUEAShJ38ss8
--> ssh-ed25519 q8eJgg BCaUEZ3H3BglgKPAbl/ITQaEv9Jc2rRAoFuPXhy4WFI
-DMqJu0vjDJ8rIXLSL17Dx4Aoq8Uhdo4jU8g1jTSvMK4
--> ssh-ed25519 KVr8rw dKk0SN9SXTQsPwMFiKKMuoRwzTHJB8kr33nadRzBoDc
-m2xPKYFMC/y5fKkgaBc+5TVg9ZH+zVSM9I4I3htSm7I
--> ssh-ed25519 fia1eQ NGl1o/38iTm6QiQB7pl0NBkohMZGLMeaXZ37TV184B4
-zk/DTLhuGfhDU3gNA7S0BjGOowteEhR9v5oNmOkWTGU
--> ssh-ed25519 CqOTGQ JbZYKqGfWeVu/JEAAeC6wE4QvKLEeidvggQnm6beJxA
-ArogOkTDAnvC1SKPkSGapNix2W6yvku1QFOFs9bvuGA
---- yWZoUAOfSIL4FbWSAvhVkOEbUA1u3XPGKB1gNka/xfo
-Á¡þzòõ´lÐþÈ‘ L‚´C$’ì?Hc´®ìì|¥çÛ¹„.-øýÜå¡jõ	©lÂ}9:KÓ®U…Á^§<>í¯Ì“ôŽIO6µ

secrets/forgejo/runners/token2.age

@@ -0,0 +1,21 @@
+age-encryption.org/v1
+-> ssh-ed25519 V1pwNA DmSENr+7db9t/epcMdOAjr2qt4rSHWopkuS3/xyz+xY
+ClfO4iYTReIp6jvUBqQutkXx4XRJ++u8EsspNdDZ8kw
+-> ssh-ed25519 4PzZog QzQ5iPiSSruoDS+PDNI+/6PnIYEnnFTvnrxK4W2ZK3Y
+iTETtsauc6clML06hoMr7kinsOirURTECfB/PzJaFT4
+-> ssh-ed25519 dA0vRg UCPTgYh2/8JTajlTIgvk64eKNNMHe4ZxIDILxIGAL18
+Qj0ZS/iNwusCONf9Rh05ftd4cHSmWz7bLZ8HHtQewMo
+-> ssh-ed25519 5Nd93w D/87p469o+CW9TOqQb4C+3a9+xRvZ4bzk7vr0wXhdRk
+E/uvMfpOPvWosWS4s18f+xmexQcpJ0NED1N35pL5IjI
+-> ssh-ed25519 q8eJgg pSW+R1LjAdCTL/ys1X93jSSC+ga1phB8iYqAJ1Ic0yw
+IFl+195woVbHjz23w3mxBPkjtbfke3C+jYacWWKOpio
+-> ssh-ed25519 KVr8rw KfPs+1IA7M7dYqkUW9vty+xl/8loMZDgVFee/ZR+F0M
+mTK9yjQR18aKfw/xEdfsnGXPKxqDi1bKPj2mLtB2Xg4
+-> ssh-ed25519 fia1eQ M7nASBk9cGmZmMHf115JAazAEx3tS+sIVB49KlXltWc
+YJ48iqVSJQooltbXvw+olKC4ZZt9a92TR2uQ0xROAPY
+-> ssh-ed25519 CqOTGQ CeIqatgAbFS8oNy3fOOJdIkLM0X9AwV2zbpQHcOcICM
+qAHOkFsbM5fTxcpLFz9Iz16MVBA1oVqlxUADrLxDRrA
+-> ssh-ed25519 uZzB3g eA/GpdA5UKoleGcq9BHwj59Hz86YX7oF3LoG6zZ1ogE
+sIs5D3s72gVGglG37S0eDLUTEzuy2U9Nbi03aOJ3W4c
+--- rkCxZNLeKI9HMNZnwiFRaL1AsIUYtXYJT/YyJ1UMRqc
+!VpÒ-p®<70>|ô†ùÞÞ_toüÎáUÈkÝïútÓ`˜@
¼ÞxzWÚº³•G<E280A2>üîF÷=Ë]i»YÌ;YOiéÌ}¤J™÷/Ö,

secrets/secrets.nix

@@ -77,6 +77,7 @@ let
 
   gitlab_runners = [
     wheatly
+    glados
   ];
 
   grafana = [
@@ -117,7 +118,8 @@ in {
   "gitlab/runners/runner01.age".publicKeys = users ++ gitlab_runners;
   "gitlab/runners/runner02.age".publicKeys = users ++ gitlab_runners;
 
-  "forgejo/runners/token.age".publicKeys = users ++ gitlab_runners;
+  "forgejo/runners/token1.age".publicKeys = users ++ gitlab_runners;
+  "forgejo/runners/token2.age".publicKeys = users ++ gitlab_runners;
   "forgejo/runners/ssh.age".publicKeys = users ++ gitlab_runners;
 
   # for ldap
@@ -130,7 +132,7 @@ in {
   "backup/restic_pw.age".publicKeys = users ++ restic;
 
   # discord bot and discord
-  "discord/token.age".publicKeys = users ++ discord;
+  "discord/token1.age".publicKeys = users ++ discord;
 
   # email stuff
   "email/details.age".publicKeys = users ++ ldap ++ discord;