From c57ca6ab119defca7be507e16e19f37ef3559f9d Mon Sep 17 00:00:00 2001 From: Brendan Golden Date: Wed, 12 Feb 2025 22:30:23 +0000 Subject: [PATCH] feat: adding another runner to speed up deployment Closes #139 --- applications/git/forgejo_runner.nix | 56 ++++++++++++++-------------- machines/glados.nix | 5 +++ machines/wheatly.nix | 5 ++- secrets/forgejo/runners/ssh.age | Bin 1381 -> 1491 bytes secrets/forgejo/runners/token.age | 19 ---------- secrets/forgejo/runners/token1.age | Bin 0 -> 1138 bytes secrets/forgejo/runners/token2.age | 21 +++++++++++ secrets/secrets.nix | 6 ++- 8 files changed, 63 insertions(+), 49 deletions(-) delete mode 100644 secrets/forgejo/runners/token.age create mode 100644 secrets/forgejo/runners/token1.age create mode 100644 secrets/forgejo/runners/token2.age diff --git a/applications/git/forgejo_runner.nix b/applications/git/forgejo_runner.nix index 29029cb..c43ecec 100644 --- a/applications/git/forgejo_runner.nix +++ b/applications/git/forgejo_runner.nix @@ -15,21 +15,23 @@ in { options.services.skynet."${name}" = { enable = mkEnableOption "Skynet ForgeJo Runner"; - runner = { - name = mkOption { - type = types.str; - default = config.networking.hostName; - }; + name = mkOption { + type = types.str; + default = config.networking.hostName; + }; - website = mkOption { - default = "https://forgejo.skynet.ie"; - type = types.str; - }; + website = mkOption { + default = "https://forgejo.skynet.ie"; + type = types.str; + }; - user = mkOption { - default = "gitea-runner"; - type = types.str; - }; + user = mkOption { + default = "gitea-runner"; + type = types.str; + }; + + secret = mkOption { + type = types.path; }; }; @@ -40,23 +42,23 @@ in { ]; age.secrets.forgejo_runner_token = { - file = ../../secrets/forgejo/runners/token.age; - owner = cfg.runner.user; - group = cfg.runner.user; + file = cfg.secret; + owner = cfg.user; + group = cfg.user; }; # make sure the ssh config stuff is in teh right palce systemd.tmpfiles.rules = [ - #"d /home/${cfg.runner.user} 0755 ${cfg.runner.user} ${cfg.runner.user}" - "L+ /home/${cfg.runner.user}/.ssh/config 0755 ${cfg.runner.user} ${cfg.runner.user} - ${./ssh_config}" + #"d /home/${cfg.user} 0755 ${cfg.user} ${cfg.user}" + "L+ /home/${cfg.user}/.ssh/config 0755 ${cfg.user} ${cfg.user} - ${./ssh_config}" ]; age.secrets.forgejo_runner_ssh = { file = ../../secrets/forgejo/runners/ssh.age; mode = "600"; - owner = "${cfg.runner.user}"; - group = "${cfg.runner.user}"; + owner = "${cfg.user}"; + group = "${cfg.user}"; symlink = false; - path = "/home/${cfg.runner.user}/.ssh/skynet/root"; + path = "/home/${cfg.user}/.ssh/skynet/root"; }; nix = { @@ -94,14 +96,14 @@ in { # give teh runner user a home to store teh ssh config stuff systemd.services.gitea-runner-default.serviceConfig = { DynamicUser = lib.mkForce false; - User = lib.mkForce cfg.runner.user; + User = lib.mkForce cfg.user; }; users = { - groups."${cfg.runner.user}" = {}; - users."${cfg.runner.user}" = { + groups."${cfg.user}" = {}; + users."${cfg.user}" = { #isSystemUser = true; isNormalUser = true; - group = cfg.runner.user; + group = cfg.user; createHome = true; shell = pkgs.bash; }; @@ -118,8 +120,8 @@ in { package = pkgs.forgejo-actions-runner; instances.default = { enable = true; - name = cfg.runner.name; - url = cfg.runner.website; + name = cfg.name; + url = cfg.website; tokenFile = config.age.secrets.forgejo_runner_token.path; labels = [ ## optionally provide native execution on the host: diff --git a/machines/glados.nix b/machines/glados.nix index 842da0c..5e499d8 100644 --- a/machines/glados.nix +++ b/machines/glados.nix @@ -28,6 +28,7 @@ in { imports = [ ../applications/git/gitlab.nix ../applications/git/forgejo.nix + ../applications/git/forgejo_runner.nix ]; deployment = { @@ -43,5 +44,9 @@ in { backup.enable = true; gitlab.enable = true; forgejo.enable = true; + forgejo_runner = { + enable = true; + secret = ../secrets/forgejo/runners/token2.age; + }; }; } diff --git a/machines/wheatly.nix b/machines/wheatly.nix index f38000b..cb9cdb6 100644 --- a/machines/wheatly.nix +++ b/machines/wheatly.nix @@ -39,6 +39,9 @@ in { services.skynet = { host = host; backup.enable = true; - forgejo_runner.enable = true; + forgejo_runner = { + enable = true; + secret = ../secrets/forgejo/runners/token1.age; + }; }; } diff --git a/secrets/forgejo/runners/ssh.age b/secrets/forgejo/runners/ssh.age index 7a716d1b83c03bf40c05fa613d047819829ce36a..ffda5eb6e8a0c5b981cac03e17035e0102c69a43 100644 GIT binary patch literal 1491 zcmZY8`;XHE00(eHFgoCf1`+}%j-WBzGPbU3*8<+rZQY}LwtEjQ(5_v#?$NGm*RD~> z1w?`xjfbK_Jjfvm7sQAlQ8^KFZ~-HRyNk*RifBAzL?VzFgQ7p5f59i;?>AqX=d4`4 zAh#u@EY??wGH+`ECTq93*(_N()&W5PYEA=^7RAhYqC(p%je40@lq%xl^>Rg*LMW4~ z3k1=0#VArqL9Ewapdu!c26HVVsTGKzCj+W1z{kO0CX>-wSmdZ2V??9bAnJ0sXk@zP zj2n58H%p{W$fS;?Dl%iyG6anfkQVk7ft;Evt5MC%N9|HZQw5)9N*DQ*!=pKUde&$q z8H*#MgyKmG7NoWoc2gSHKsCr?XW3wIy2fJm7R8%&+7(LHy=vL*01YlslYNTlE;T3{ ztP4aW%PLp^1rwORl15Bzzf`HAkX)lVq1t4aNP(;gl}Ip-SGXn|MQda^1gNl&2x!wa zD9WOsW`+%*X<)de6;v&amPS!Bo)78~G?7I}E)__)MHPre5Z3L*O&Fr`V32y3{ zxNwU`LY@F!WMhcE1o}aT6f1>djJp*7Uy}`lBY57NaspYu=H(zehBOj3D5&Kk4hAVF z@e+)98&QNMXs$*9p(<$tYqC&cNCmbVMG}HTL4Z)l3OmZeML-Zu$Za5sXPuGfN8sJE?7-OqdB8GZEsmKUq)1S4sYoOj% zLTOu~M7xs+<>pd}xR*?s5U<8EfP+N}STf7x{DKTMrA!K7s?87zL%a{hT|x=OF^HV5 zc^a{#pEOeu#hC+TXI6)4JVlpsVoUHUPMEdX<1x1j^>|`fSRnIB05>J*76v$_oX-X4 z^^8B05E^Q@lBC@c!tlnMK1}LtX8I=|Ur`X}4ex{A zEB+Q+wr*(lwPS;udRAVzarP*A^YAz1_)nw1kAJ&)(_6bI$dA;)!y~s(eSM(o=AnhA z@yV^f%o^xh{K@|I_5Gup->Eq}`oQ$$!Lu7?4vb99Khk~kqBeSIQJ;8va`zp!aAo|} z+Fj-PWWQ_f;}b706ZN5)b58Gg_y@hy+jHM?{N%h%TzLEL@PY?!Z5!G1`V*&w=K3|S^soC=>CG?NyZ*9vNtm&8 zBC&Qvm9xQ`Fe`t1)*Af%C98KHd&7!8^5OQa-MI&sethQ8j)hy(1rYA)!O)8av*gr6 z+m7!>E!Nj|w!>R^p{r{~=e1b1dyRGIujha>fB3*#*w5c*2OgXA1#xm<`#rl>d~k3< zaOj!(vq&$r_wb6I&-WNVlHXnJRhA>eiK%m*vEJotFE1XQOKqCJ{?AqJjXUq$XlzmT ZK2^Ai-%IqLm-b9;=oqvP936f>{V$RnB&q-a literal 1381 zcmZ9{`;XHE007_|9)g1eBFgcIFa$wZj&_f(8#z3-uIqYR+qKtq4-P}ub!~5tZtd1? z#gIVaA;ySA5sg7PAqt`r;glG`2ghA_h(;5@5Fe;;!NWsA;M7FapYJdD^6`?`E|vwY zS*a;%d8MjJfZ?>YKW5i;xn0b;Ajs*rbIyuM2JEQ9lm(xa4H)%TexHHRE82NGuE#44K0XeWK=x zTNzcd`!uP6k)WHf{N8dr!k2N{poD^6E6J=x6-Z}@QC*2*(-qKdRYG($Fu15{7} zya@nox~fh$nZS{VVwQV*ec2}IRKtz*L@gHp4MwtiETUG7iAmaWEB;c>kuODRKo^y+ zs0EiQ!n}u-*aXBy)lk}ou?WnSX+TafzA6`va$pEA2O1z*ilKz;V2W5+OE6jP|M)}= zB6EJXX*U%)sp~O{n<*R_NkTwp(-Y ziA11IWV1xIS3}*HA_X%Nr*wgC+6<9^Z=zQ9iCvOpw+gvNNtI+Kk*h$40(t^vQgDYD z9t&zL-pul9tSV*F&S+D$DXxqW!RZL#h#R046D${oxad;Zz&)f;#RQLxMv56$@fU@O zT9ng#nrW|#Nes^zwPKL*gF&qZq4`FR^k5u|q|G94IG~E*XE?y^mTVQnir}2+ahY|Z z!g5FkCvg~0Foie~P;{eM?xyr4oRj5Vb)uG6c&A9)gCP@3`x;3TY0^$dQ{@B;661a> z6GU~Yw;GDN@gyDKL>?tptdGd3bI(x1bDmw zMLoUwNKuPXNr4QMoFS=_3YAEV_NPS^Ms4lw?e;p8^6IjyPyo;{Z7L~mJlh~BS(Qzz zAeT#+-wTN`CmBV3x=lH^>yhDEW4~G1t;<8NRGt}J15UjepZVt5@s+pxTF>G@ zIR3=#=KFE?tWUR}1#TEkWAph3hW=UHQr~hVd7_Q}X}UU+KQL<3*8IL?PusHx9Gj2+ zyJ8wkOp}#zJ4p=*P z-&^DHo#Snj=`T8~x9-A+hCUuP=yb=NaBMYo&!L(7wHYlt4vJ%goh=Jev;P_v-adnG zIT5&T`mY-=PW@!=!Vk8N4s!jk_B;(;Ik>KJc-{a5O+GqL#$R0O>6vt6W2ABQPRnZ$ z(ziS~_W7Et%km#}2#c-U4<|cXzinxCo&IXWvepIL(eL+Pe`@sXrXFbLUcPyJ;QX8? zhn;iN4?q6Gu|I*Oe^1_cedOJJ%LW$pUmjSpsAZt1dGYo8aX4^#(&jTmvrk}K7w%nr ztFFAD@(elKz7ZhigGjtlGOZ%JwY0fNf^ ABme*a diff --git a/secrets/forgejo/runners/token.age b/secrets/forgejo/runners/token.age deleted file mode 100644 index 2bdb872..0000000 --- a/secrets/forgejo/runners/token.age +++ /dev/null @@ -1,19 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 V1pwNA kZ6MC1GXuminn2Hlomkep1wIv1lp6KpJOJcpXkhQWWM -K1B58FSyb4QpINlhuvVv4dGFNjTChU1KNoezZcS/a6Y --> ssh-ed25519 4PzZog pbxwzRvcsOgY9hd48BZEOH6VHFLn93gJ8yDHQyNIiSI -Fa/Z6si9vyox/pmPvWTndyYCQxo7tcvdlRuTgw6IY9g --> ssh-ed25519 dA0vRg OW2y/LkN/287NVuRRlSpihR+k/MZ+a0R5cIrHFne6RI -U0ZqipfDlpz9LeXKNWkl7tYCnsBjSQz8q4mETBVEalI --> ssh-ed25519 5Nd93w jDy3i1Z1NWYqdVdw4h+maaBjokVWNrSfHtSQotb2bWg -PtgX9L78wpJHiX4lmP+H0bfRZd/tNfHrUEAShJ38ss8 --> ssh-ed25519 q8eJgg BCaUEZ3H3BglgKPAbl/ITQaEv9Jc2rRAoFuPXhy4WFI -DMqJu0vjDJ8rIXLSL17Dx4Aoq8Uhdo4jU8g1jTSvMK4 --> ssh-ed25519 KVr8rw dKk0SN9SXTQsPwMFiKKMuoRwzTHJB8kr33nadRzBoDc -m2xPKYFMC/y5fKkgaBc+5TVg9ZH+zVSM9I4I3htSm7I --> ssh-ed25519 fia1eQ NGl1o/38iTm6QiQB7pl0NBkohMZGLMeaXZ37TV184B4 -zk/DTLhuGfhDU3gNA7S0BjGOowteEhR9v5oNmOkWTGU --> ssh-ed25519 CqOTGQ JbZYKqGfWeVu/JEAAeC6wE4QvKLEeidvggQnm6beJxA -ArogOkTDAnvC1SKPkSGapNix2W6yvku1QFOFs9bvuGA ---- yWZoUAOfSIL4FbWSAvhVkOEbUA1u3XPGKB1gNka/xfo -zlȑ LC$?Hc|۹.-j l}9:KӮU^IO6 \ No newline at end of file diff --git a/secrets/forgejo/runners/token1.age b/secrets/forgejo/runners/token1.age new file mode 100644 index 0000000000000000000000000000000000000000..50ad61e1019d108e153f0a30a0a6bd6fa460a806 GIT binary patch literal 1138 zcmZY7yX)(800nR-hYmUja^Ws@aws+V<{eNWX{^*((f3IQsbgJXIBw zKJeBCbiLAkFJTlnWhfZqdkt3u8tvy+&he5A=rAfdbR*g;-66FjGHB3xEi@Q!vv>p1 zHxT8{tXI=k2P7ix)?}eD8iP}gQB@}cCd0?@`c!V4MX}GQ8+@-dR4B)fO-^CL7N$X> z^7%*tX2(Mok$^o@JC|NRV={JN1%SkM%FJN3Y0*R6ujXmR_XBEuG!{9X9is@hP|l^rjYn5;cLRn$VWM>Q7j+#yP{w(r_ny12k*qvCxNUx;cxG?D0M+-%)xb`yR4Ymmk~G9K<~^@ z3HI=@^eR)TG(KE7$WiXSV&rE&DPS;y65UQf8iI@%zoZ3vh41|i=!t12yGGe=wY5&Z z@X1x9S)wslq2em9c(P5KtI61qd@YE`G9>N7t=zFWTjMZXJd#tA$4_Sb4zY@h6;Oao zad@SXoUfZ1jK{z(+|$sIH6D2F)_6hdP7{m9a|Ogeh1+RgLa8-$d1;--cH?vajr(hQ zIm26pQXySbR?IBJWy?uZq!4?kRYfvmCf7^dv={q5<}4IVG;G@3okQqxx8-uaRkyZT zd2qGb=t#=9os{fQhz5~Q^n{fXx1q6fwy|ZM*OAx0EdToP?O#9q_N6yv_lf>& z$vu1Z;iI2F`)Pdtw=Z6P@99_Z4^Kb+ER$_Hh7L*hSq OC;a>ChmXI3{`?;^U~!xP literal 0 HcmV?d00001 diff --git a/secrets/forgejo/runners/token2.age b/secrets/forgejo/runners/token2.age new file mode 100644 index 0000000..3c1c894 --- /dev/null +++ b/secrets/forgejo/runners/token2.age @@ -0,0 +1,21 @@ +age-encryption.org/v1 +-> ssh-ed25519 V1pwNA DmSENr+7db9t/epcMdOAjr2qt4rSHWopkuS3/xyz+xY +ClfO4iYTReIp6jvUBqQutkXx4XRJ++u8EsspNdDZ8kw +-> ssh-ed25519 4PzZog QzQ5iPiSSruoDS+PDNI+/6PnIYEnnFTvnrxK4W2ZK3Y +iTETtsauc6clML06hoMr7kinsOirURTECfB/PzJaFT4 +-> ssh-ed25519 dA0vRg UCPTgYh2/8JTajlTIgvk64eKNNMHe4ZxIDILxIGAL18 +Qj0ZS/iNwusCONf9Rh05ftd4cHSmWz7bLZ8HHtQewMo +-> ssh-ed25519 5Nd93w D/87p469o+CW9TOqQb4C+3a9+xRvZ4bzk7vr0wXhdRk +E/uvMfpOPvWosWS4s18f+xmexQcpJ0NED1N35pL5IjI +-> ssh-ed25519 q8eJgg pSW+R1LjAdCTL/ys1X93jSSC+ga1phB8iYqAJ1Ic0yw +IFl+195woVbHjz23w3mxBPkjtbfke3C+jYacWWKOpio +-> ssh-ed25519 KVr8rw KfPs+1IA7M7dYqkUW9vty+xl/8loMZDgVFee/ZR+F0M +mTK9yjQR18aKfw/xEdfsnGXPKxqDi1bKPj2mLtB2Xg4 +-> ssh-ed25519 fia1eQ M7nASBk9cGmZmMHf115JAazAEx3tS+sIVB49KlXltWc +YJ48iqVSJQooltbXvw+olKC4ZZt9a92TR2uQ0xROAPY +-> ssh-ed25519 CqOTGQ CeIqatgAbFS8oNy3fOOJdIkLM0X9AwV2zbpQHcOcICM +qAHOkFsbM5fTxcpLFz9Iz16MVBA1oVqlxUADrLxDRrA +-> ssh-ed25519 uZzB3g eA/GpdA5UKoleGcq9BHwj59Hz86YX7oF3LoG6zZ1ogE +sIs5D3s72gVGglG37S0eDLUTEzuy2U9Nbi03aOJ3W4c +--- rkCxZNLeKI9HMNZnwiFRaL1AsIUYtXYJT/YyJ1UMRqc +!Vp-p|_to Ukt`@ xzWں GF=]iY;YOi}J/, \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index ca7480f..cad986a 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -77,6 +77,7 @@ let gitlab_runners = [ wheatly + glados ]; grafana = [ @@ -117,7 +118,8 @@ in { "gitlab/runners/runner01.age".publicKeys = users ++ gitlab_runners; "gitlab/runners/runner02.age".publicKeys = users ++ gitlab_runners; - "forgejo/runners/token.age".publicKeys = users ++ gitlab_runners; + "forgejo/runners/token1.age".publicKeys = users ++ gitlab_runners; + "forgejo/runners/token2.age".publicKeys = users ++ gitlab_runners; "forgejo/runners/ssh.age".publicKeys = users ++ gitlab_runners; # for ldap @@ -130,7 +132,7 @@ in { "backup/restic_pw.age".publicKeys = users ++ restic; # discord bot and discord - "discord/token.age".publicKeys = users ++ discord; + "discord/token1.age".publicKeys = users ++ discord; # email stuff "email/details.age".publicKeys = users ++ ldap ++ discord;