diff --git a/applications/git/forgejo.nix b/applications/git/forgejo.nix
index fc6e19a..fdf7b97 100644
--- a/applications/git/forgejo.nix
+++ b/applications/git/forgejo.nix
@@ -35,22 +35,19 @@ in {
 };
 forgejo = {
- port = mkOption {
- type = types.port;
- default = 3000;
- };
-
-
+ port = mkOption {
+ type = types.port;
+ default = 3000;
+ };
 };
 };
 config = mkIf cfg.enable {
-
-# age.secrets.forgejo-mailer-password = {
-# file = ../../secrets/forgejo/mailer-password.age;
-# mode = "400";
-# owner = "forgejo";
-# };
+ # age.secrets.forgejo-mailer-password = {
+ # file = ../../secrets/forgejo/mailer-password.age;
+ # mode = "400";
+ # owner = "forgejo";
+ # };
 services.skynet.acme.domains = [
 "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"
@@ -79,38 +76,38 @@ in {
 };
 };
- services.forgejo = {
- enable = true;
- database.type = "sqlite3";
- # Enable support for Git Large File Storage
- lfs.enable = true;
- settings = {
- server = {
- DOMAIN = "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}";
- # You need to specify this to remove the port from URLs in the web UI.
- ROOT_URL = "https://${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}/";
- HTTP_PORT = cfg.forgejo.port;
- };
-
- # You can temporarily allow registration to create an admin user.
- service.DISABLE_REGISTRATION = true;
- # Add support for actions, based on act: https://github.com/nektos/act
-# actions = {
-# ENABLED = true;
-# DEFAULT_ACTIONS_URL = "github";
-# };
- # Sending emails is completely optional
- # You can send a test email from the web UI at:
- # Profile Picture > Site Administration > Configuration > Mailer Configuration
-# mailer = {
-# ENABLED = true;
-# SMTP_ADDR = "mail.${cfg.domain.base}.${cfg.domain.tld}";
-# FROM = "noreply@${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}";
-# USER = "noreply@${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}";
-# };
+ enable = true;
+ package = pkgs.forgejo;
+ database.type = "sqlite3";
+ # Enable support for Git Large File Storage
+ lfs.enable = true;
+ settings = {
+ server = {
+ DOMAIN = "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}";
+ # You need to specify this to remove the port from URLs in the web UI.
+ ROOT_URL = "https://${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}/";
+ HTTP_PORT = cfg.forgejo.port;
 };
-# mailerPasswordFile = config.age.secrets.forgejo-mailer-password.path;
+
+ # You can temporarily allow registration to create an admin user.
+ service.DISABLE_REGISTRATION = true;
+ # Add support for actions, based on act: https://github.com/nektos/act
+ # actions = {
+ # ENABLED = true;
+ # DEFAULT_ACTIONS_URL = "github";
+ # };
+ # Sending emails is completely optional
+ # You can send a test email from the web UI at:
+ # Profile Picture > Site Administration > Configuration > Mailer Configuration
+ # mailer = {
+ # ENABLED = true;
+ # SMTP_ADDR = "mail.${cfg.domain.base}.${cfg.domain.tld}";
+ # FROM = "noreply@${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}";
+ # USER = "noreply@${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}";
+ # };
 };
+ # mailerPasswordFile = config.age.secrets.forgejo-mailer-password.path;
+ };
 };
 };
 }
diff --git a/applications/git/forgejo_runner.nix b/applications/git/forgejo_runner.nix
new file mode 100644
index 0000000..cb99dae
--- /dev/null
+++ b/applications/git/forgejo_runner.nix
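Review bot: The `# actions = { ... # };` block stays commented out while this same commit adds a Forgejo Actions runner that registers against this instance, so whether that runner can connect depends on the module's default for `actions.ENABLED`, which the hunk does not state. If the default is being relied on, a comment such as `# Actions are left at the Forgejo default; the runner in forgejo_runner.nix depends on them being enabled` would make the dependency explicit; otherwise `actions.ENABLED = true;` belongs here. The new `package = pkgs.forgejo;` line also deserves a one-line comment saying why the package is pinned explicitly rather than left to the module default. The opening `services.forgejo = {` of the attribute set closed by the new `+ };` is not visible in this hunk.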
@@ -0,0 +1,145 @@
+{
+ config,
+ pkgs,
+ lib,
+ inputs,
+ ...
+}:
+with lib; let
+ name = "forgejo_runner";
+ cfg = config.services.skynet."${name}";
+in {
+ imports = [
+ ];
+
+ options.services.skynet."${name}" = {
+ enable = mkEnableOption "Skynet ForgeJo Runner";
+
+ runner = {
+ name = mkOption {
+ type = types.str;
+ default = config.networking.hostName;
+ };
+
+ website = mkOption {
+ default = "https://forgejo.skynet.ie";
+ type = types.str;
+ };
+
+ user = mkOption {
+ default = "gitea-runner";
+ type = types.str;
+ };
+ };
+ };
+
+ config = mkIf cfg.enable {
+ # https://search.nixos.org/options?from=0&size=50&sort=alpha_desc&type=packages&query=services.gitlab-runner.
+ environment.systemPackages = with pkgs; [
+ forgejo-actions-runner
+ ];
+
+ age.secrets.forgejo_runner_token = {
+ file = ../../secrets/forgejo/runners/token.age;
+ owner = cfg.runner.user;
+ group = cfg.runner.user;
+ };
+
+ # make sure the ssh config stuff is in teh right palce
+ systemd.tmpfiles.rules = [
+ #"d /home/${cfg.runner.user} 0755 ${cfg.runner.user} ${cfg.runner.user}"
+ "L+ /home/${cfg.runner.user}/.ssh/config 0755 ${cfg.runner.user} ${cfg.runner.user} - ${./ssh_config}"
+ ];
+ age.secrets.forgejo_runner_ssh = {
+ file = ../../secrets/forgejo/runners/ssh.age;
+ mode = "600";
+ owner = "${cfg.runner.user}";
+ group = "${cfg.runner.user}";
+ symlink = false;
+ path = "/home/${cfg.runner.user}/.ssh/skynet/root";
+ };
+
+ nix = {
+ settings = {
+ trusted-users = [
+ # allow the runner to build nix stuff and to use the cache
+ "gitea-runner"
+ ];
+ trusted-public-keys = [
+ "skynet-cache:zMFLzcRZPhUpjXUy8SF8Cf7KGAZwo98SKrzeXvdWABo="
+ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+ ];
+ substituters = [
+ "https://nix-cache.skynet.ie/skynet-cache/"
+ "https://cache.nixos.org/"
+ ];
+ trusted-substituters = [
+ "https://nix-cache.skynet.ie/skynet-cache/"
+ "https://cache.nixos.org/"
+ ];
+ };
+ };
+
+ # very basic setup to always be watching for changes in teh cache
+ systemd.services.attic-uploader = {
+ enable = true;
+ serviceConfig = {
+ ExecStart = "${pkgs.attic-client}/bin/attic watch-store skynet-cache";
+ User = "root";
+ Restart = "always";
+ RestartSec = 1;
+ };
+ };
+
+ # give teh runner user a home to store teh ssh config stuff
+ systemd.services.gitea-runner-default.serviceConfig = {
+ DynamicUser = lib.mkForce false;
+ User = lib.mkForce cfg.runner.user;
+ };
+ users = {
+ groups."${cfg.runner.user}" = {};
+ users."${cfg.runner.user}" = {
+ #isSystemUser = true;
+ isNormalUser = true;
+ group = cfg.runner.user;
+ createHome = true;
+ shell = pkgs.bash;
+ };
+ };
+
+ # the actual runner
+ services.gitea-actions-runner = {
+ package = pkgs.forgejo-actions-runner;
+ instances.default = {
+ enable = true;
+ name = cfg.runner.name;
+ url = cfg.runner.website;
+ tokenFile = config.age.secrets.forgejo_runner_token.path;
+ labels = [
+ ## optionally provide native execution on the host:
+ "nix:host"
+ "docker:docker://node:16-bullseye"
+ "ubuntu-latest:docker://node:16-bullseye"
+ ];
+
+ hostPackages = with pkgs; [
+ # default ones
+ bash
+ coreutils
+ curl
+ gawk
+ gitMinimal
+ gnused
+ nodejs
+ wget
+
+ # used in deployments
+ inputs.colmena.defaultPackage."x86_64-linux"
+ attic-client
+ nix
+ openssh
+ ];
+ };
+ };
+ };
+}
diff --git a/applications/git/ssh_config b/applications/git/ssh_config
new file mode 100644
index 0000000..70bbef0
--- /dev/null
+++ b/applications/git/ssh_config
@@ -0,0 +1,5 @@
+Host *.skynet.ie 193.1.99.* 193.1.96.165
+ User root
+ IdentityFile ~/.ssh/skynet/root
+ IdentitiesOnly yes
+
diff --git a/machines/wheatly.nix b/machines/wheatly.nix
index 35f1f0f..6d78395 100644
--- a/machines/wheatly.nix
+++ b/machines/wheatly.nix
@@ -26,6 +26,7 @@ Notes:
 in {
 imports = [
 ../applications/git/gitlab_runner.nix
+ ../applications/git/forgejo_runner.nix
 ];
 deployment = {
@@ -44,5 +45,7 @@ in {
 enable = true;
 runner.name = "runner01";
 };
+
+ forgejo_runner.enable = true;
 };
 }
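Review bot: The `"nix:host"` label under `services.gitea-actions-runner.instances.default.labels` runs workflow jobs directly on the host as `cfg.runner.user`, and that same user is handed a root SSH identity at `/home/${cfg.runner.user}/.ssh/skynet/root` via `age.secrets.forgejo_runner_ssh` and is listed in `nix.settings.trusted-users`, which the Nix manual describes as essentially root-equivalent on the daemon. Every workflow the instance lets this runner pick up therefore inherits root reach over the hosts named in ssh_config, so the registration should be scoped to the deployment repository or organisation rather than the whole instance, and the deploy identity should be a restricted account or a forced-command key rather than `root`. Separately, `trusted-users` hard-codes `"gitea-runner"` while every other reference uses `cfg.runner.user`, so overriding the option silently drops the grant; use `trusted-users = [ cfg.runner.user ];`. The `node:16-bullseye` image behind the `docker` and `ubuntu-latest` labels is an end-of-life Node.js line and should move to a supported tag.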
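Review bot: The `Host *.skynet.ie 193.1.99.* 193.1.96.165` stanza pins the identity but not the host keys, so a non-interactive runner either fails host-key verification on first contact or, if StrictHostKeyChecking is relaxed elsewhere, accepts whatever key answers for a root login anywhere in the 193.1.99.0/24 range. Since this file is symlinked in next to a root deployment key, ship a known_hosts file alongside it and add `UserKnownHostsFile ~/.ssh/skynet/known_hosts` and `StrictHostKeyChecking yes` to the stanza. Narrowing the wildcard list to the hosts that are actually deployed to would also keep the key's reach aligned with the deployment inventory.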
diff --git a/secrets/forgejo/runners/ssh.age b/secrets/forgejo/runners/ssh.age
new file mode 100644
index 0000000..c30e3ba
Binary files /dev/null and b/secrets/forgejo/runners/ssh.age differ
diff --git a/secrets/forgejo/runners/token.age b/secrets/forgejo/runners/token.age
new file mode 100644
index 0000000..03ac739
--- /dev/null
+++ b/secrets/forgejo/runners/token.age
@@ -0,0 +1,17 @@
+age-encryption.org/v1
+-> ssh-ed25519 V1pwNA bGirG6sUND19fSIwyvtjS3RDjyNUc+kXmzRoN4P1bC8
+kPJr2S9BlGWWnoggce6dx1OR0/r57AB5Rcgz+qY0qKE
+-> ssh-ed25519 4PzZog iciiKCHhfK38SwvSPrdoMK7C250qTV5eBgv657iyKwU
+dEiSS1FuxEpovNAl1HPZk+MRCcjLGiKgTfpi5Ssi38M
+-> ssh-ed25519 5Nd93w FFgxLg0NNK6Op64FHu24sjaerv3jgDaPz6uKPi/A8AE
+ZvHbJ2K3T7CUJSrrpF9fMmP6FWCQ3i6m/5Fi2UNtbew
+-> ssh-ed25519 q8eJgg nVm1H/mbEsGt2O87i7VKUL5do6Rc7n5nvSilUtQ4cBU
+WWtsNbIatU5ZostueLntGgKD/nxcavZPheU9afRvbH0
+-> ssh-ed25519 KVr8rw Nnroz2PgUoJsd/frf+N+b7xdJDAzj3NsmJaogsIkYGk
+xX73tnCCYGBNA3BRjjPMn/IV+qwjIwEUk+IZbhCCfHY
+-> ssh-ed25519 fia1eQ GLYqWGKYKwkBRwQ7SxSnErmz1MFw5gPCexfap8VM9Rk
+Z+dIKhk+JH7W07diX1Abr/Deezkw8xGkzXQuYn1HfJI
+-> ssh-ed25519 yvS9bw Lwo77pDciewUZemyFc1EUboIlXFCBx3CY6BGuizach4
+AkWzgV1zRJzLtfRxkfhmd80EU8fW1w+5sxMAfWgdEMI
+--- ac6h3StxSHr+HFsyPIBPENQRcfKzXX8fzJlZ0MER/8c
+zwyC>ָ\ku/{zծjD4{^mDs妞#kinxo
\ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index fa93261..b0f3be3 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -134,6 +134,9 @@ in {
 "gitlab/runners/runner01.age".publicKeys = users ++ gitlab_runners;
 "gitlab/runners/runner02.age".publicKeys = users ++ gitlab_runners;
+ "forgejo/runners/token.age".publicKeys = users ++ gitlab_runners;
+ "forgejo/runners/ssh.age".publicKeys = users ++ gitlab_runners;
+
 # for ldap
 "ldap/pw.age".publicKeys = users ++ ldap ++ bitwarden;
 # for use connectring to teh ldap
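Review bot: `"forgejo/runners/token.age"` and `"forgejo/runners/ssh.age"` are encrypted to `users ++ gitlab_runners`, so the Forgejo runner's registration token and its root SSH key become decryptable by every GitLab runner host, now and whenever that list grows. The host sets overlap today (wheatly.nix imports both runner modules in this same commit), but the recipients should name the intended hosts directly — presumably a `forgejo_runners` list defined alongside `gitlab_runners` and used as `users ++ forgejo_runners;` on both new lines — so that the SSH key in particular is never widened by an unrelated GitLab change. The enclosing `in { ... }` attribute set begins outside the hunk.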