From 968931ad05076f6892a01ca19c18036edc05ff5e Mon Sep 17 00:00:00 2001
From: Brendan Golden <git@brendan.ie>
Date: Wed, 12 Feb 2025 22:30:23 +0000
Subject: [PATCH] feat: adding another runner to speed up deployment

Closes #139
---
 applications/git/forgejo_runner.nix |  56 ++++++++++++++--------------
 machines/glados.nix                 |   5 +++
 machines/wheatly.nix                |   5 ++-
 secrets/forgejo/runners/ssh.age     | Bin 1381 -> 1491 bytes
 secrets/forgejo/runners/token.age   |  19 ----------
 secrets/forgejo/runners/token1.age  | Bin 0 -> 1138 bytes
 secrets/forgejo/runners/token2.age  |  21 +++++++++++
 secrets/secrets.nix                 |   6 ++-
 8 files changed, 63 insertions(+), 49 deletions(-)
 delete mode 100644 secrets/forgejo/runners/token.age
 create mode 100644 secrets/forgejo/runners/token1.age
 create mode 100644 secrets/forgejo/runners/token2.age

diff --git a/applications/git/forgejo_runner.nix b/applications/git/forgejo_runner.nix
index 29029cb..c43ecec 100644
--- a/applications/git/forgejo_runner.nix
+++ b/applications/git/forgejo_runner.nix
@@ -15,21 +15,23 @@ in {
   options.services.skynet."${name}" = {
     enable = mkEnableOption "Skynet ForgeJo Runner";
 
-    runner = {
-      name = mkOption {
-        type = types.str;
-        default = config.networking.hostName;
-      };
+    name = mkOption {
+      type = types.str;
+      default = config.networking.hostName;
+    };
 
-      website = mkOption {
-        default = "https://forgejo.skynet.ie";
-        type = types.str;
-      };
+    website = mkOption {
+      default = "https://forgejo.skynet.ie";
+      type = types.str;
+    };
 
-      user = mkOption {
-        default = "gitea-runner";
-        type = types.str;
-      };
+    user = mkOption {
+      default = "gitea-runner";
+      type = types.str;
+    };
+
+    secret = mkOption {
+      type = types.path;
     };
   };
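Review bot: The new `secret` option at the end of this hunk has no `description` and no default, so nothing tells a caller that the value must be an age-encrypted file. Because the type is `types.path`, a path literal passed here is normally copied into the Nix store, which is world-readable on the host; that is acceptable for an `.age` file but would expose a plaintext token. I would add `description = "age-encrypted Forgejo runner registration token (a .age file listed in secrets/secrets.nix); never a plaintext file";` to the option. The enclosing options block starts above the hunk.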
 
@@ -40,23 +42,23 @@ in {
     ];
 
     age.secrets.forgejo_runner_token = {
-      file = ../../secrets/forgejo/runners/token.age;
-      owner = cfg.runner.user;
-      group = cfg.runner.user;
+      file = cfg.secret;
+      owner = cfg.user;
+      group = cfg.user;
     };
 
     # make sure the ssh config stuff is in teh right palce
     systemd.tmpfiles.rules = [
-      #"d  /home/${cfg.runner.user}             0755 ${cfg.runner.user} ${cfg.runner.user}"
-      "L+ /home/${cfg.runner.user}/.ssh/config 0755 ${cfg.runner.user} ${cfg.runner.user}  -   ${./ssh_config}"
+      #"d  /home/${cfg.user}             0755 ${cfg.user} ${cfg.user}"
+      "L+ /home/${cfg.user}/.ssh/config 0755 ${cfg.user} ${cfg.user}  -   ${./ssh_config}"
     ];
     age.secrets.forgejo_runner_ssh = {
       file = ../../secrets/forgejo/runners/ssh.age;
       mode = "600";
-      owner = "${cfg.runner.user}";
-      group = "${cfg.runner.user}";
+      owner = "${cfg.user}";
+      group = "${cfg.user}";
       symlink = false;
-      path = "/home/${cfg.runner.user}/.ssh/skynet/root";
+      path = "/home/${cfg.user}/.ssh/skynet/root";
     };
 
     nix = {
@@ -94,14 +96,14 @@ in {
     # give teh runner user a home to store teh ssh config stuff
     systemd.services.gitea-runner-default.serviceConfig = {
       DynamicUser = lib.mkForce false;
-      User = lib.mkForce cfg.runner.user;
+      User = lib.mkForce cfg.user;
     };
     users = {
-      groups."${cfg.runner.user}" = {};
-      users."${cfg.runner.user}" = {
+      groups."${cfg.user}" = {};
+      users."${cfg.user}" = {
         #isSystemUser = true;
         isNormalUser = true;
-        group = cfg.runner.user;
+        group = cfg.user;
         createHome = true;
         shell = pkgs.bash;
       };
@@ -118,8 +120,8 @@ in {
       package = pkgs.forgejo-actions-runner;
       instances.default = {
         enable = true;
-        name = cfg.runner.name;
-        url = cfg.runner.website;
+        name = cfg.name;
+        url = cfg.website;
         tokenFile = config.age.secrets.forgejo_runner_token.path;
         labels = [
           ## optionally provide native execution on the host:
diff --git a/machines/glados.nix b/machines/glados.nix
index 842da0c..5e499d8 100644
--- a/machines/glados.nix
+++ b/machines/glados.nix
@@ -28,6 +28,7 @@ in {
   imports = [
     ../applications/git/gitlab.nix
     ../applications/git/forgejo.nix
+    ../applications/git/forgejo_runner.nix
   ];
 
   deployment = {
@@ -43,5 +44,9 @@ in {
     backup.enable = true;
     gitlab.enable = true;
     forgejo.enable = true;
+    forgejo_runner = {
+      enable = true;
+      secret = ../secrets/forgejo/runners/token2.age;
+    };
   };
 }
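Review bot: Enabling `forgejo_runner` here puts CI job execution on the same host that serves `gitlab` and `forgejo`, both enabled two lines above, and nothing in this block records that trust decision. The runner module also installs the shared `forgejo/runners/ssh.age` key under the runner user's home at `.ssh/skynet/root`, so that key now lives on the forge host as well as on wheatly. Whether jobs are confined to containers is not visible here; the labels list in `forgejo_runner.nix` is cut off after a comment about native host execution, so please confirm it. I would at least add a comment above the new block such as `# runner shares this host with forgejo/gitlab: keep runner labels container-only and treat the runner user as able to reach forge data`.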
diff --git a/machines/wheatly.nix b/machines/wheatly.nix
index f38000b..cb9cdb6 100644
--- a/machines/wheatly.nix
+++ b/machines/wheatly.nix
@@ -39,6 +39,9 @@ in {
   services.skynet = {
     host = host;
     backup.enable = true;
-    forgejo_runner.enable = true;
+    forgejo_runner = {
+      enable = true;
+      secret = ../secrets/forgejo/runners/token1.age;
+    };
   };
 }
diff --git a/secrets/forgejo/runners/ssh.age b/secrets/forgejo/runners/ssh.age
index 7a716d1b83c03bf40c05fa613d047819829ce36a..ffda5eb6e8a0c5b981cac03e17035e0102c69a43 100644
GIT binary patch
literal 1491
zcmZY8`;XHE00(eHFgoCf1`+}%j-WBzGPbU3*8<+rZQY}LwtEjQ(5_v#?$NGm*RD~>
z1w?`xjfbK_Jjfvm7sQAlQ8^KFZ~-HRyNk*RifBAzL?VzFgQ7p5f59i;?>AqX=d4`4
zAh#u@EY??wGH+`ECTq93*(_N()&W5PYEA=^7RAhYqC(p%je40@lq%xl^>Rg*LMW4~
z3k1=0#VArqL9Ewapdu!c26HVVsTGKzCj+W1z{kO0CX>-wSmdZ2V??9bAnJ0sXk@zP
zj2n58H%p{W$fS;?Dl%iyG6anfkQVk7ft;Evt5MC%N9|HZQw5)9N*DQ*!=pKUde&$q
z8H*#MgyKmG7NoWoc2gSHKsCr?XW3wIy2fJm7R8%&+7(LHy=vL*01YlslYNTlE;T3{
ztP4aW%PLp^1rwORl15Bzzf`HAkX)lVq1t4aNP(;gl}Ip-SGXn|MQda^1gNl&2x!wa
zD9WOsW`+%*X<)de6;v&amPS!Bo)78~G?7I}E)__)MHPre5Z3L*O&Fr`V3<xZ>2y3{
zxNwU`LY@F!WMhcE1o}aT6f1>djJp*7Uy}`lBY57NaspYu=H(zehBOj3D5&Kk4hAVF
z@e+)98&QNMXs$*9p(<$tYqC&cNCmbVMG}HTL4Z<Zmr;Xjfnd|$a)_R)2FG}cY2(wg
zh0-!2Yv#6`phW}I_y)`5@CF)`NiRc{Z8by_Yp^E8DJ4l4%f)b=H_3HUtp^I41O@Q~
zFA6TfqdUl)J>)l3OmZeML-Zu$Za5sXPuGfN8sJE?7-OqdB8GZEsmKUq)1S4sYoOj%
zLTOu~M7xs+<>pd}xR*?s5U<8EfP+N}STf7x{DKTMrA!K7s?87zL%a{hT|x=OF^HV5
zc^a{#pEOeu#hC+TXI6)4JVlpsVoUHUPMEdX<1x1j^>|`fSRnIB05>J*76v$_oX-X4
z^^8B05E^Q@lBC@c!tlnMK1<Q&#e%TU0I=zrnm61aZ_dGbiYQu8+8L=+b=aLx6ZSUB
z`vO&;(Jt6jSH<J3DgiMYKulCF(X`N2zz2t1NxMcia?vJNHI%T+-Ea_omG^~7C`A1C
zkpFhGTFru=MI;r=6f2d005;eN-==M15dn%d8-${OT#hLUY>}LtX8I=|Ur`X}4ex{A
zEB+Q+wr*(lwPS;udRAVzarP*A^YAz1_)nw1kAJ&)(_6bI$dA;)!y~s(eSM(o=AnhA
z@yV^f%o^xh{K@|I_5Gup->Eq}`oQ$$!Lu7?4vb99Khk~kqBeSIQJ;8va`zp!aAo|}
z+Fj-PWWQ_f;}b706ZN5)b58Gg_y@hy+jHM?{N%<LSDzj{5I^9b_-y-$*{(&U{xb3A
z%$JToePO+OY~H&gp04wOzdLpfWQRMiPj#P54|JRxdveM+h+paxdeNgtI(z`$^=Kzr
z+;@D{R~t^;ydVB@?8>h%TzLEL@PY?!Z5!G1`V*&w=K3|S^soC=>CG?NyZ*9vNtm&8
zBC&Qvm9xQ`Fe`t1)*Af%C98KHd&7!8^5OQa-MI&sethQ8j)hy(1rYA)!O)8av*gr6
z+m7!>E!Nj|w!>R^p{r{~=e1b1dyRGIujha>fB3*#*w5c*2OgXA1#xm<`#rl>d~k3<
zaOj!(vq&$r_wb6I&-WNVlHXnJRhA>eiK%m*vEJotFE1XQOKqCJ{?AqJjXUq$XlzmT
ZK2^Ai-%IqLm-b9;=oqvP936f>{V$RnB&q-a

literal 1381
zcmZ9{`;XHE007_|9)g1eBFgcIFa$wZj&_f(8#z3-uIqYR+qKtq4-P}ub!~5tZtd1?
z#gIVaA;ySA5sg7PAqt`r;glG`2ghA_h(;5@5Fe;;!NWsA;M7FapYJdD^6`?`E|vwY
zS*a;%d8MjJfZ?>YKW5i;xn0b;Ajs*rbIyuM2JEQ9lm(xa4<U-*3)d;K80M=o!B{YE
z#5`UmZl!dY-~lRy+q`tQ3uKT?$wzi25=<0~rC>H)%TexHHRE82NGuE#44K0XeWK=x
zTNzcd`!uP6k)WHf{N8dr!k2N{poD^6E6J=x6-Z}@QC*2*(-qKdRYG($<H>Fu15{7}
zya@nox~fh$nZS{VVwQV*ec2}IRKtz*L@gHp4MwtiETUG7iAmaWEB;c>kuODRKo^y+
zs0EiQ!n}u-*aXBy)lk}ou?WnSX+TafzA6`va$pEA2O1z*ilKz;V2W5+OE6jP|M)}=
zB6EJXX*U%)sp~O{<ZE=Sk`iKU!409V98#x&sEL-Lu;u~t-9$(dY>n<*R_NkTwp(-Y
ziA11IWV1xIS3}*HA_X%Nr*wgC+6<9^Z=zQ9iCvOpw+gvNNtI+Kk*h$40(t^vQgDYD
z9t&zL-pul9tSV*F&S+D$DXxqW!RZL#h#R046D${oxad;Zz&)f;#RQLxMv56$@fU@O
zT9ng#nrW|#Nes^zwPKL*gF&qZq4`FR^k5u|q|G94IG~E*XE?y^mTVQnir}2+ahY|Z
z!g5FkCvg~0Foie~P;{eM?xyr4oRj5Vb)uG6c&A9)gCP@3`x;3TY0^$dQ{@B;661a>
z6GU~Yw;GDN@gyDKL>?t<P$iyYka#3V$^|5)DL@9}A_=DsHE=!J#cM9Nnc?WJP~Iv`
z)Q~F0VzeC(qiChBhzOuY^O|XtQV~{!^MGH7CrQ--sw`ElHFey>ptdGd3bI(x1bDmw
zMLoUwNKuPXNr4QMoFS=_3YAEV_NPS^Ms4lw?e;p8^6IjyPyo;{Z7L~mJlh~BS(Qzz
zAeT#+-wTN`CmBV3x=lH^>yhDEW4~G1t;<8NRGt}J15UjepZVt5@s+pxTF><NUz>G@
zIR3=#=KFE?tWUR}1#TEkWAph3hW=UHQr~hVd7_Q}X}UU+KQL<3*8IL?PusHx9Gj2+
zyJ8wkO<NLqM_hgEIGDY;{JHlY`g!;KOF!QHX2Zb)M}`11^O9$T3CM@{<dM-Mm-^Qo
zv1VL{KRh)&^2hld=_^CF3<Y<t{cc6Z(YNaB&XciC*QRe9TkyuV&mJ^>p}#zJ4p=*P
z-&^DHo#Snj=`T8~x9-A+hCUuP=yb=NaBMYo&!L(7wHYlt4vJ%goh=Jev;P_v-adnG
zIT5&T`mY-=PW@!=!Vk8N4s!jk_B;(;Ik>KJc-{a5O+GqL#$R0O>6vt6W2ABQPRnZ$
z(ziS~_W7Et%km#}2#c-U4<|cXzinxCo&IXWvepIL(eL+Pe`@sXrXFbLUcPyJ;QX8?
zhn;iN4?q6Gu|I*Oe^1_cedOJJ%LW$pUmjSpsAZt1dGYo8aX4^#(&jTmvrk}K7w%nr
ztFFA<mYf1#eSZB?XU7n{^1`aV)cEcVgOBbaE>D@(elKz7ZhigGjtlGOZ%JwY0fNf^
ABme*a

diff --git a/secrets/forgejo/runners/token.age b/secrets/forgejo/runners/token.age
deleted file mode 100644
index 2bdb872..0000000
--- a/secrets/forgejo/runners/token.age
+++ /dev/null
@@ -1,19 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 V1pwNA kZ6MC1GXuminn2Hlomkep1wIv1lp6KpJOJcpXkhQWWM
-K1B58FSyb4QpINlhuvVv4dGFNjTChU1KNoezZcS/a6Y
--> ssh-ed25519 4PzZog pbxwzRvcsOgY9hd48BZEOH6VHFLn93gJ8yDHQyNIiSI
-Fa/Z6si9vyox/pmPvWTndyYCQxo7tcvdlRuTgw6IY9g
--> ssh-ed25519 dA0vRg OW2y/LkN/287NVuRRlSpihR+k/MZ+a0R5cIrHFne6RI
-U0ZqipfDlpz9LeXKNWkl7tYCnsBjSQz8q4mETBVEalI
--> ssh-ed25519 5Nd93w jDy3i1Z1NWYqdVdw4h+maaBjokVWNrSfHtSQotb2bWg
-PtgX9L78wpJHiX4lmP+H0bfRZd/tNfHrUEAShJ38ss8
--> ssh-ed25519 q8eJgg BCaUEZ3H3BglgKPAbl/ITQaEv9Jc2rRAoFuPXhy4WFI
-DMqJu0vjDJ8rIXLSL17Dx4Aoq8Uhdo4jU8g1jTSvMK4
--> ssh-ed25519 KVr8rw dKk0SN9SXTQsPwMFiKKMuoRwzTHJB8kr33nadRzBoDc
-m2xPKYFMC/y5fKkgaBc+5TVg9ZH+zVSM9I4I3htSm7I
--> ssh-ed25519 fia1eQ NGl1o/38iTm6QiQB7pl0NBkohMZGLMeaXZ37TV184B4
-zk/DTLhuGfhDU3gNA7S0BjGOowteEhR9v5oNmOkWTGU
--> ssh-ed25519 CqOTGQ JbZYKqGfWeVu/JEAAeC6wE4QvKLEeidvggQnm6beJxA
-ArogOkTDAnvC1SKPkSGapNix2W6yvku1QFOFs9bvuGA
---- yWZoUAOfSIL4FbWSAvhVkOEbUA1u3XPGKB1gNka/xfo
-���z���l��ȑ L��C$��?Hc����|��۹�.-�����j�	�l�}9:KӮU��^��������IO6�
\ No newline at end of file
diff --git a/secrets/forgejo/runners/token1.age b/secrets/forgejo/runners/token1.age
new file mode 100644
index 0000000000000000000000000000000000000000..50ad61e1019d108e153f0a30a0a6bd6fa460a806
GIT binary patch
literal 1138
zcmZY7yX)(800nR-hYmUja^Ws@aws+V<{eNWX<kj!yqdO2o$`JsP1-aM@Q3K4f`g+j
zf|HAb;N6^^l?x6ci0J0zDhU4O-oM~;IOn)=xC|@59naUauHLHK7`lPk^4<C6k}Sgj
z!Er#(58&LZ%zPtzms^sd=w%9<YekmvzEjGn=yMS%%&uDC00oV5&G!6kL-9L;jur+I
z;}iyO)IcX_T*bV!)i{HdZe|w>{^*((f3IQsbgJXIBw<s2*d%EV4}={Lv4(J+#0uS6
z6H*JtaZ-q)rn<EUW+uryOf@3|N9CPANLrj{bOmkY+*Jq?I6gr^qB@S==9u4W0R!L6
zcz#|b!D@m5QRz9ZiIS7RT0CYhPAVDi$SLMf9enTvA<k#oo`K|`Qm8XYIh8slfqqM>
zKJeBCbiLAkFJTlnWhfZqdkt3u8tvy+&he5A=rAfdbR*g;-66FjGHB3xEi@Q!vv>p1
zHxT8{tXI=k2P7ix)?}eD8iP}gQB@}cCd0?@`c!V4MX}GQ8+@-dR4B)fO-^CL7N$X>
z^7%*tX2(Mok$^o@JC|NRV={JN1%SkM%FJN3Y0*<J&>R6ujXm<GvZg{NXEx=4%1L|}
zTC`&erCuBN+UC$wZ9gx#9I5NY0aK>R_XBEuG!{9X9is@hP|l^rjYn5;cLRn$V<x*T
zZ>WM>Q7j+#yP{w(r_ny12k*qvCxNU<ZjA>x;cxG?D0M+-%)xb`yR4Ymmk~G9K<~^@
z3HI=@^eR)TG(KE7$WiXSV&rE&DPS;y65UQf8iI@%zoZ3vh41|i=!t12yGGe=wY5&Z
z@X1x9S)wslq2em9c(P5KtI61qd@YE`G9>N7t=zFWTjMZXJd#tA$4_Sb4zY@h6;Oao
zad@SXoUfZ1jK{z(+|$sIH6D2F)_6hdP7{m9a|Ogeh1+RgLa8-$d1;--cH?vajr(hQ
zIm26pQXySbR?IBJWy?uZq!4?kRYfvmCf7^dv={q5<}4IVG;G@3okQqxx8-uaRkyZT
zd2qGb=t#=9os{fQhz5~Q^n{fXx1q6fwy<Edo>|ZM*OAx0EdToP?O#9q_N6yv_lf>&
z$vu1Z;iI2F`)Pdtw=Z6P@99_Z4^Kb+<G+7jk$?Z?^!fMCKlrCF^X>ER$_Hh7L*hSq
OC;a>ChmXI3{`?;^U~!xP

literal 0
HcmV?d00001

diff --git a/secrets/forgejo/runners/token2.age b/secrets/forgejo/runners/token2.age
new file mode 100644
index 0000000..3c1c894
--- /dev/null
+++ b/secrets/forgejo/runners/token2.age
@@ -0,0 +1,21 @@
+age-encryption.org/v1
+-> ssh-ed25519 V1pwNA DmSENr+7db9t/epcMdOAjr2qt4rSHWopkuS3/xyz+xY
+ClfO4iYTReIp6jvUBqQutkXx4XRJ++u8EsspNdDZ8kw
+-> ssh-ed25519 4PzZog QzQ5iPiSSruoDS+PDNI+/6PnIYEnnFTvnrxK4W2ZK3Y
+iTETtsauc6clML06hoMr7kinsOirURTECfB/PzJaFT4
+-> ssh-ed25519 dA0vRg UCPTgYh2/8JTajlTIgvk64eKNNMHe4ZxIDILxIGAL18
+Qj0ZS/iNwusCONf9Rh05ftd4cHSmWz7bLZ8HHtQewMo
+-> ssh-ed25519 5Nd93w D/87p469o+CW9TOqQb4C+3a9+xRvZ4bzk7vr0wXhdRk
+E/uvMfpOPvWosWS4s18f+xmexQcpJ0NED1N35pL5IjI
+-> ssh-ed25519 q8eJgg pSW+R1LjAdCTL/ys1X93jSSC+ga1phB8iYqAJ1Ic0yw
+IFl+195woVbHjz23w3mxBPkjtbfke3C+jYacWWKOpio
+-> ssh-ed25519 KVr8rw KfPs+1IA7M7dYqkUW9vty+xl/8loMZDgVFee/ZR+F0M
+mTK9yjQR18aKfw/xEdfsnGXPKxqDi1bKPj2mLtB2Xg4
+-> ssh-ed25519 fia1eQ M7nASBk9cGmZmMHf115JAazAEx3tS+sIVB49KlXltWc
+YJ48iqVSJQooltbXvw+olKC4ZZt9a92TR2uQ0xROAPY
+-> ssh-ed25519 CqOTGQ CeIqatgAbFS8oNy3fOOJdIkLM0X9AwV2zbpQHcOcICM
+qAHOkFsbM5fTxcpLFz9Iz16MVBA1oVqlxUADrLxDRrA
+-> ssh-ed25519 uZzB3g eA/GpdA5UKoleGcq9BHwj59Hz86YX7oF3LoG6zZ1ogE
+sIs5D3s72gVGglG37S0eDLUTEzuy2U9Nbi03aOJ3W4c
+--- rkCxZNLeKI9HMNZnwiFRaL1AsIUYtXYJT/YyJ1UMRqc
+!Vp�-p��|����_to���U�k���t�`�@
��xzWں��G���F�=�]i�Y�;YOi��}�J��/�,
\ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index ca7480f..cad986a 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -77,6 +77,7 @@ let
 
   gitlab_runners = [
     wheatly
+    glados
   ];
 
   grafana = [
@@ -117,7 +118,8 @@ in {
   "gitlab/runners/runner01.age".publicKeys = users ++ gitlab_runners;
   "gitlab/runners/runner02.age".publicKeys = users ++ gitlab_runners;
 
-  "forgejo/runners/token.age".publicKeys = users ++ gitlab_runners;
+  "forgejo/runners/token1.age".publicKeys = users ++ gitlab_runners;
+  "forgejo/runners/token2.age".publicKeys = users ++ gitlab_runners;
   "forgejo/runners/ssh.age".publicKeys = users ++ gitlab_runners;
 
   # for ldap
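Review bot: Both new token rules use `users ++ gitlab_runners`, and the earlier hunk in this file adds `glados` to that group, so each runner host can decrypt the other's registration token as well as `gitlab/runners/runner01.age`, `runner02.age` and `forgejo/runners/ssh.age`. Splitting the token into `token1.age` and `token2.age` therefore gives no isolation between the two hosts. Per-host recipients would provide it, for example `"forgejo/runners/token1.age".publicKeys = users ++ [wheatly];` and `"forgejo/runners/token2.age".publicKeys = users ++ [glados];`, followed by re-encrypting both files. Whether glados needs the GitLab runner secrets at all is worth confirming, since the hunks shown only enable the Forgejo runner there.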
@@ -130,7 +132,7 @@ in {
   "backup/restic_pw.age".publicKeys = users ++ restic;
 
   # discord bot and discord
-  "discord/token.age".publicKeys = users ++ discord;
+  "discord/token1.age".publicKeys = users ++ discord;
 
   # email stuff
   "email/details.age".publicKeys = users ++ ldap ++ discord;
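Review bot: The change from `"discord/token.age"` to `"discord/token1.age"` in this hunk looks like a stray search-and-replace from the runner token rename. The diffstat lists no file under `secrets/discord/`, so the rule now names a file this commit does not create. If the encrypted file on disk is still `discord/token.age`, it no longer has a recipient rule and would be skipped when secrets are edited or rekeyed. Unless the file is renamed elsewhere, restore `"discord/token.age".publicKeys = users ++ discord;`.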