feat: basic forgejo setup
This commit is contained in:
parent
97d1783561
commit
f00ae5bd2d
7 changed files with 212 additions and 42 deletions
|
@ -39,18 +39,15 @@ in {
|
||||||
type = types.port;
|
type = types.port;
|
||||||
default = 3000;
|
default = 3000;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
config = mkIf cfg.enable {
|
config = mkIf cfg.enable {
|
||||||
|
# age.secrets.forgejo-mailer-password = {
|
||||||
# age.secrets.forgejo-mailer-password = {
|
# file = ../../secrets/forgejo/mailer-password.age;
|
||||||
# file = ../../secrets/forgejo/mailer-password.age;
|
# mode = "400";
|
||||||
# mode = "400";
|
# owner = "forgejo";
|
||||||
# owner = "forgejo";
|
# };
|
||||||
# };
|
|
||||||
|
|
||||||
services.skynet.acme.domains = [
|
services.skynet.acme.domains = [
|
||||||
"${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"
|
"${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"
|
||||||
|
@ -79,9 +76,9 @@ in {
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
||||||
services.forgejo = {
|
services.forgejo = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
package = pkgs.forgejo;
|
||||||
database.type = "sqlite3";
|
database.type = "sqlite3";
|
||||||
# Enable support for Git Large File Storage
|
# Enable support for Git Large File Storage
|
||||||
lfs.enable = true;
|
lfs.enable = true;
|
||||||
|
@ -96,21 +93,21 @@ in {
|
||||||
# You can temporarily allow registration to create an admin user.
|
# You can temporarily allow registration to create an admin user.
|
||||||
service.DISABLE_REGISTRATION = true;
|
service.DISABLE_REGISTRATION = true;
|
||||||
# Add support for actions, based on act: https://github.com/nektos/act
|
# Add support for actions, based on act: https://github.com/nektos/act
|
||||||
# actions = {
|
# actions = {
|
||||||
# ENABLED = true;
|
# ENABLED = true;
|
||||||
# DEFAULT_ACTIONS_URL = "github";
|
# DEFAULT_ACTIONS_URL = "github";
|
||||||
# };
|
# };
|
||||||
# Sending emails is completely optional
|
# Sending emails is completely optional
|
||||||
# You can send a test email from the web UI at:
|
# You can send a test email from the web UI at:
|
||||||
# Profile Picture > Site Administration > Configuration > Mailer Configuration
|
# Profile Picture > Site Administration > Configuration > Mailer Configuration
|
||||||
# mailer = {
|
# mailer = {
|
||||||
# ENABLED = true;
|
# ENABLED = true;
|
||||||
# SMTP_ADDR = "mail.${cfg.domain.base}.${cfg.domain.tld}";
|
# SMTP_ADDR = "mail.${cfg.domain.base}.${cfg.domain.tld}";
|
||||||
# FROM = "noreply@${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}";
|
# FROM = "noreply@${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}";
|
||||||
# USER = "noreply@${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}";
|
# USER = "noreply@${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}";
|
||||||
# };
|
# };
|
||||||
};
|
};
|
||||||
# mailerPasswordFile = config.age.secrets.forgejo-mailer-password.path;
|
# mailerPasswordFile = config.age.secrets.forgejo-mailer-password.path;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
145
applications/git/forgejo_runner.nix
Normal file
145
applications/git/forgejo_runner.nix
Normal file
|
@ -0,0 +1,145 @@
|
||||||
|
{
|
||||||
|
config,
|
||||||
|
pkgs,
|
||||||
|
lib,
|
||||||
|
inputs,
|
||||||
|
...
|
||||||
|
}:
|
||||||
|
with lib; let
|
||||||
|
name = "forgejo_runner";
|
||||||
|
cfg = config.services.skynet."${name}";
|
||||||
|
in {
|
||||||
|
imports = [
|
||||||
|
];
|
||||||
|
|
||||||
|
options.services.skynet."${name}" = {
|
||||||
|
enable = mkEnableOption "Skynet ForgeJo Runner";
|
||||||
|
|
||||||
|
runner = {
|
||||||
|
name = mkOption {
|
||||||
|
type = types.str;
|
||||||
|
default = config.networking.hostName;
|
||||||
|
};
|
||||||
|
|
||||||
|
website = mkOption {
|
||||||
|
default = "https://forgejo.skynet.ie";
|
||||||
|
type = types.str;
|
||||||
|
};
|
||||||
|
|
||||||
|
user = mkOption {
|
||||||
|
default = "gitea-runner";
|
||||||
|
type = types.str;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
config = mkIf cfg.enable {
|
||||||
|
# https://search.nixos.org/options?from=0&size=50&sort=alpha_desc&type=packages&query=services.gitlab-runner.
|
||||||
|
environment.systemPackages = with pkgs; [
|
||||||
|
forgejo-actions-runner
|
||||||
|
];
|
||||||
|
|
||||||
|
age.secrets.forgejo_runner_token = {
|
||||||
|
file = ../../secrets/forgejo/runners/token.age;
|
||||||
|
owner = cfg.runner.user;
|
||||||
|
group = cfg.runner.user;
|
||||||
|
};
|
||||||
|
|
||||||
|
# make sure the ssh config stuff is in teh right palce
|
||||||
|
systemd.tmpfiles.rules = [
|
||||||
|
#"d /home/${cfg.runner.user} 0755 ${cfg.runner.user} ${cfg.runner.user}"
|
||||||
|
"L+ /home/${cfg.runner.user}/.ssh/config 0755 ${cfg.runner.user} ${cfg.runner.user} - ${./ssh_config}"
|
||||||
|
];
|
||||||
|
age.secrets.forgejo_runner_ssh = {
|
||||||
|
file = ../../secrets/forgejo/runners/ssh.age;
|
||||||
|
mode = "600";
|
||||||
|
owner = "${cfg.runner.user}";
|
||||||
|
group = "${cfg.runner.user}";
|
||||||
|
symlink = false;
|
||||||
|
path = "/home/${cfg.runner.user}/.ssh/skynet/root";
|
||||||
|
};
|
||||||
|
|
||||||
|
nix = {
|
||||||
|
settings = {
|
||||||
|
trusted-users = [
|
||||||
|
# allow the runner to build nix stuff and to use the cache
|
||||||
|
"gitea-runner"
|
||||||
|
];
|
||||||
|
trusted-public-keys = [
|
||||||
|
"skynet-cache:zMFLzcRZPhUpjXUy8SF8Cf7KGAZwo98SKrzeXvdWABo="
|
||||||
|
"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
|
||||||
|
];
|
||||||
|
substituters = [
|
||||||
|
"https://nix-cache.skynet.ie/skynet-cache/"
|
||||||
|
"https://cache.nixos.org/"
|
||||||
|
];
|
||||||
|
trusted-substituters = [
|
||||||
|
"https://nix-cache.skynet.ie/skynet-cache/"
|
||||||
|
"https://cache.nixos.org/"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
# very basic setup to always be watching for changes in teh cache
|
||||||
|
systemd.services.attic-uploader = {
|
||||||
|
enable = true;
|
||||||
|
serviceConfig = {
|
||||||
|
ExecStart = "${pkgs.attic-client}/bin/attic watch-store skynet-cache";
|
||||||
|
User = "root";
|
||||||
|
Restart = "always";
|
||||||
|
RestartSec = 1;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
# give teh runner user a home to store teh ssh config stuff
|
||||||
|
systemd.services.gitea-runner-default.serviceConfig = {
|
||||||
|
DynamicUser = lib.mkForce false;
|
||||||
|
User = lib.mkForce cfg.runner.user;
|
||||||
|
};
|
||||||
|
users = {
|
||||||
|
groups."${cfg.runner.user}" = {};
|
||||||
|
users."${cfg.runner.user}" = {
|
||||||
|
#isSystemUser = true;
|
||||||
|
isNormalUser = true;
|
||||||
|
group = cfg.runner.user;
|
||||||
|
createHome = true;
|
||||||
|
shell = pkgs.bash;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
# the actual runner
|
||||||
|
services.gitea-actions-runner = {
|
||||||
|
package = pkgs.forgejo-actions-runner;
|
||||||
|
instances.default = {
|
||||||
|
enable = true;
|
||||||
|
name = cfg.runner.name;
|
||||||
|
url = cfg.runner.website;
|
||||||
|
tokenFile = config.age.secrets.forgejo_runner_token.path;
|
||||||
|
labels = [
|
||||||
|
## optionally provide native execution on the host:
|
||||||
|
"nix:host"
|
||||||
|
"docker:docker://node:16-bullseye"
|
||||||
|
"ubuntu-latest:docker://node:16-bullseye"
|
||||||
|
];
|
||||||
|
|
||||||
|
hostPackages = with pkgs; [
|
||||||
|
# default ones
|
||||||
|
bash
|
||||||
|
coreutils
|
||||||
|
curl
|
||||||
|
gawk
|
||||||
|
gitMinimal
|
||||||
|
gnused
|
||||||
|
nodejs
|
||||||
|
wget
|
||||||
|
|
||||||
|
# used in deployments
|
||||||
|
inputs.colmena.defaultPackage."x86_64-linux"
|
||||||
|
attic-client
|
||||||
|
nix
|
||||||
|
openssh
|
||||||
|
];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
5
applications/git/ssh_config
Normal file
5
applications/git/ssh_config
Normal file
|
@ -0,0 +1,5 @@
|
||||||
|
Host *.skynet.ie 193.1.99.* 193.1.96.165
|
||||||
|
User root
|
||||||
|
IdentityFile ~/.ssh/skynet/root
|
||||||
|
IdentitiesOnly yes
|
||||||
|
|
|
@ -26,6 +26,7 @@ Notes:
|
||||||
in {
|
in {
|
||||||
imports = [
|
imports = [
|
||||||
../applications/git/gitlab_runner.nix
|
../applications/git/gitlab_runner.nix
|
||||||
|
../applications/git/forgejo_runner.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
deployment = {
|
deployment = {
|
||||||
|
@ -44,5 +45,7 @@ in {
|
||||||
enable = true;
|
enable = true;
|
||||||
runner.name = "runner01";
|
runner.name = "runner01";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
forgejo_runner.enable = true;
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
BIN
secrets/forgejo/runners/ssh.age
Normal file
BIN
secrets/forgejo/runners/ssh.age
Normal file
Binary file not shown.
17
secrets/forgejo/runners/token.age
Normal file
17
secrets/forgejo/runners/token.age
Normal file
|
@ -0,0 +1,17 @@
|
||||||
|
age-encryption.org/v1
|
||||||
|
-> ssh-ed25519 V1pwNA bGirG6sUND19fSIwyvtjS3RDjyNUc+kXmzRoN4P1bC8
|
||||||
|
kPJr2S9BlGWWnoggce6dx1OR0/r57AB5Rcgz+qY0qKE
|
||||||
|
-> ssh-ed25519 4PzZog iciiKCHhfK38SwvSPrdoMK7C250qTV5eBgv657iyKwU
|
||||||
|
dEiSS1FuxEpovNAl1HPZk+MRCcjLGiKgTfpi5Ssi38M
|
||||||
|
-> ssh-ed25519 5Nd93w FFgxLg0NNK6Op64FHu24sjaerv3jgDaPz6uKPi/A8AE
|
||||||
|
ZvHbJ2K3T7CUJSrrpF9fMmP6FWCQ3i6m/5Fi2UNtbew
|
||||||
|
-> ssh-ed25519 q8eJgg nVm1H/mbEsGt2O87i7VKUL5do6Rc7n5nvSilUtQ4cBU
|
||||||
|
WWtsNbIatU5ZostueLntGgKD/nxcavZPheU9afRvbH0
|
||||||
|
-> ssh-ed25519 KVr8rw Nnroz2PgUoJsd/frf+N+b7xdJDAzj3NsmJaogsIkYGk
|
||||||
|
xX73tnCCYGBNA3BRjjPMn/IV+qwjIwEUk+IZbhCCfHY
|
||||||
|
-> ssh-ed25519 fia1eQ GLYqWGKYKwkBRwQ7SxSnErmz1MFw5gPCexfap8VM9Rk
|
||||||
|
Z+dIKhk+JH7W07diX1Abr/Deezkw8xGkzXQuYn1HfJI
|
||||||
|
-> ssh-ed25519 yvS9bw Lwo77pDciewUZemyFc1EUboIlXFCBx3CY6BGuizach4
|
||||||
|
AkWzgV1zRJzLtfRxkfhmd80EU8fW1w+5sxMAfWgdEMI
|
||||||
|
--- ac6h3StxSHr+HFsyPIBPENQRcfKzXX8fzJlZ0MER/8c
|
||||||
|
å¯ñ„üzwyCÉ>þÖ¸Æ\k¡±êu/<2F>óí{z§©€<>¢Õ®¼<C2AE>º<EFBFBD>ø£jDÇÐÒßã4õ{^mÃDsÝ妞ÂÎ#kiné“xo
|
|
@ -134,6 +134,9 @@ in {
|
||||||
"gitlab/runners/runner01.age".publicKeys = users ++ gitlab_runners;
|
"gitlab/runners/runner01.age".publicKeys = users ++ gitlab_runners;
|
||||||
"gitlab/runners/runner02.age".publicKeys = users ++ gitlab_runners;
|
"gitlab/runners/runner02.age".publicKeys = users ++ gitlab_runners;
|
||||||
|
|
||||||
|
"forgejo/runners/token.age".publicKeys = users ++ gitlab_runners;
|
||||||
|
"forgejo/runners/ssh.age".publicKeys = users ++ gitlab_runners;
|
||||||
|
|
||||||
# for ldap
|
# for ldap
|
||||||
"ldap/pw.age".publicKeys = users ++ ldap ++ bitwarden;
|
"ldap/pw.age".publicKeys = users ++ ldap ++ bitwarden;
|
||||||
# for use connectring to teh ldap
|
# for use connectring to teh ldap
|
||||||
|
|
Loading…
Reference in a new issue