feat: basic forgejo setup

This commit is contained in:
silver 2024-08-07 21:52:50 +01:00
parent 97d1783561
commit f00ae5bd2d
Signed by: silver
GPG key ID: 54E2C71918E93B74
7 changed files with 212 additions and 42 deletions

View file

@ -39,18 +39,15 @@ in {
type = types.port; type = types.port;
default = 3000; default = 3000;
}; };
}; };
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
# age.secrets.forgejo-mailer-password = {
# age.secrets.forgejo-mailer-password = { # file = ../../secrets/forgejo/mailer-password.age;
# file = ../../secrets/forgejo/mailer-password.age; # mode = "400";
# mode = "400"; # owner = "forgejo";
# owner = "forgejo"; # };
# };
services.skynet.acme.domains = [ services.skynet.acme.domains = [
"${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}" "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"
@ -79,9 +76,9 @@ in {
}; };
}; };
services.forgejo = { services.forgejo = {
enable = true; enable = true;
package = pkgs.forgejo;
database.type = "sqlite3"; database.type = "sqlite3";
# Enable support for Git Large File Storage # Enable support for Git Large File Storage
lfs.enable = true; lfs.enable = true;
@ -96,21 +93,21 @@ in {
# You can temporarily allow registration to create an admin user. # You can temporarily allow registration to create an admin user.
service.DISABLE_REGISTRATION = true; service.DISABLE_REGISTRATION = true;
# Add support for actions, based on act: https://github.com/nektos/act # Add support for actions, based on act: https://github.com/nektos/act
# actions = { # actions = {
# ENABLED = true; # ENABLED = true;
# DEFAULT_ACTIONS_URL = "github"; # DEFAULT_ACTIONS_URL = "github";
# }; # };
# Sending emails is completely optional # Sending emails is completely optional
# You can send a test email from the web UI at: # You can send a test email from the web UI at:
# Profile Picture > Site Administration > Configuration > Mailer Configuration # Profile Picture > Site Administration > Configuration > Mailer Configuration
# mailer = { # mailer = {
# ENABLED = true; # ENABLED = true;
# SMTP_ADDR = "mail.${cfg.domain.base}.${cfg.domain.tld}"; # SMTP_ADDR = "mail.${cfg.domain.base}.${cfg.domain.tld}";
# FROM = "noreply@${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"; # FROM = "noreply@${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}";
# USER = "noreply@${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"; # USER = "noreply@${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}";
# }; # };
}; };
# mailerPasswordFile = config.age.secrets.forgejo-mailer-password.path; # mailerPasswordFile = config.age.secrets.forgejo-mailer-password.path;
}; };
}; };
} }

View file

@ -0,0 +1,145 @@
{
config,
pkgs,
lib,
inputs,
...
}:
with lib; let
name = "forgejo_runner";
cfg = config.services.skynet."${name}";
in {
imports = [
];
options.services.skynet."${name}" = {
enable = mkEnableOption "Skynet ForgeJo Runner";
runner = {
name = mkOption {
type = types.str;
default = config.networking.hostName;
};
website = mkOption {
default = "https://forgejo.skynet.ie";
type = types.str;
};
user = mkOption {
default = "gitea-runner";
type = types.str;
};
};
};
config = mkIf cfg.enable {
# https://search.nixos.org/options?from=0&size=50&sort=alpha_desc&type=packages&query=services.gitlab-runner.
environment.systemPackages = with pkgs; [
forgejo-actions-runner
];
age.secrets.forgejo_runner_token = {
file = ../../secrets/forgejo/runners/token.age;
owner = cfg.runner.user;
group = cfg.runner.user;
};
# make sure the ssh config stuff is in teh right palce
systemd.tmpfiles.rules = [
#"d /home/${cfg.runner.user} 0755 ${cfg.runner.user} ${cfg.runner.user}"
"L+ /home/${cfg.runner.user}/.ssh/config 0755 ${cfg.runner.user} ${cfg.runner.user} - ${./ssh_config}"
];
age.secrets.forgejo_runner_ssh = {
file = ../../secrets/forgejo/runners/ssh.age;
mode = "600";
owner = "${cfg.runner.user}";
group = "${cfg.runner.user}";
symlink = false;
path = "/home/${cfg.runner.user}/.ssh/skynet/root";
};
nix = {
settings = {
trusted-users = [
# allow the runner to build nix stuff and to use the cache
"gitea-runner"
];
trusted-public-keys = [
"skynet-cache:zMFLzcRZPhUpjXUy8SF8Cf7KGAZwo98SKrzeXvdWABo="
"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
];
substituters = [
"https://nix-cache.skynet.ie/skynet-cache/"
"https://cache.nixos.org/"
];
trusted-substituters = [
"https://nix-cache.skynet.ie/skynet-cache/"
"https://cache.nixos.org/"
];
};
};
# very basic setup to always be watching for changes in teh cache
systemd.services.attic-uploader = {
enable = true;
serviceConfig = {
ExecStart = "${pkgs.attic-client}/bin/attic watch-store skynet-cache";
User = "root";
Restart = "always";
RestartSec = 1;
};
};
# give teh runner user a home to store teh ssh config stuff
systemd.services.gitea-runner-default.serviceConfig = {
DynamicUser = lib.mkForce false;
User = lib.mkForce cfg.runner.user;
};
users = {
groups."${cfg.runner.user}" = {};
users."${cfg.runner.user}" = {
#isSystemUser = true;
isNormalUser = true;
group = cfg.runner.user;
createHome = true;
shell = pkgs.bash;
};
};
# the actual runner
services.gitea-actions-runner = {
package = pkgs.forgejo-actions-runner;
instances.default = {
enable = true;
name = cfg.runner.name;
url = cfg.runner.website;
tokenFile = config.age.secrets.forgejo_runner_token.path;
labels = [
## optionally provide native execution on the host:
"nix:host"
"docker:docker://node:16-bullseye"
"ubuntu-latest:docker://node:16-bullseye"
];
hostPackages = with pkgs; [
# default ones
bash
coreutils
curl
gawk
gitMinimal
gnused
nodejs
wget
# used in deployments
inputs.colmena.defaultPackage."x86_64-linux"
attic-client
nix
openssh
];
};
};
};
}

View file

@ -0,0 +1,5 @@
Host *.skynet.ie 193.1.99.* 193.1.96.165
User root
IdentityFile ~/.ssh/skynet/root
IdentitiesOnly yes

View file

@ -26,6 +26,7 @@ Notes:
in { in {
imports = [ imports = [
../applications/git/gitlab_runner.nix ../applications/git/gitlab_runner.nix
../applications/git/forgejo_runner.nix
]; ];
deployment = { deployment = {
@ -44,5 +45,7 @@ in {
enable = true; enable = true;
runner.name = "runner01"; runner.name = "runner01";
}; };
forgejo_runner.enable = true;
}; };
} }

Binary file not shown.

View file

@ -0,0 +1,17 @@
age-encryption.org/v1
-> ssh-ed25519 V1pwNA bGirG6sUND19fSIwyvtjS3RDjyNUc+kXmzRoN4P1bC8
kPJr2S9BlGWWnoggce6dx1OR0/r57AB5Rcgz+qY0qKE
-> ssh-ed25519 4PzZog iciiKCHhfK38SwvSPrdoMK7C250qTV5eBgv657iyKwU
dEiSS1FuxEpovNAl1HPZk+MRCcjLGiKgTfpi5Ssi38M
-> ssh-ed25519 5Nd93w FFgxLg0NNK6Op64FHu24sjaerv3jgDaPz6uKPi/A8AE
ZvHbJ2K3T7CUJSrrpF9fMmP6FWCQ3i6m/5Fi2UNtbew
-> ssh-ed25519 q8eJgg nVm1H/mbEsGt2O87i7VKUL5do6Rc7n5nvSilUtQ4cBU
WWtsNbIatU5ZostueLntGgKD/nxcavZPheU9afRvbH0
-> ssh-ed25519 KVr8rw Nnroz2PgUoJsd/frf+N+b7xdJDAzj3NsmJaogsIkYGk
xX73tnCCYGBNA3BRjjPMn/IV+qwjIwEUk+IZbhCCfHY
-> ssh-ed25519 fia1eQ GLYqWGKYKwkBRwQ7SxSnErmz1MFw5gPCexfap8VM9Rk
Z+dIKhk+JH7W07diX1Abr/Deezkw8xGkzXQuYn1HfJI
-> ssh-ed25519 yvS9bw Lwo77pDciewUZemyFc1EUboIlXFCBx3CY6BGuizach4
AkWzgV1zRJzLtfRxkfhmd80EU8fW1w+5sxMAfWgdEMI
--- ac6h3StxSHr+HFsyPIBPENQRcfKzXX8fzJlZ0MER/8c
å¯ñ„üzwyCÉ>þÖ¸Æ\k¡±êu/<2F>óí{z§©<>¢Õ®¼<C2AE>º<EFBFBD>ø£jDÇÐÒßã4õ{^mÃDsÝ妞ÂÎ#kiné“xo

View file

@ -134,6 +134,9 @@ in {
"gitlab/runners/runner01.age".publicKeys = users ++ gitlab_runners; "gitlab/runners/runner01.age".publicKeys = users ++ gitlab_runners;
"gitlab/runners/runner02.age".publicKeys = users ++ gitlab_runners; "gitlab/runners/runner02.age".publicKeys = users ++ gitlab_runners;
"forgejo/runners/token.age".publicKeys = users ++ gitlab_runners;
"forgejo/runners/ssh.age".publicKeys = users ++ gitlab_runners;
# for ldap # for ldap
"ldap/pw.age".publicKeys = users ++ ldap ++ bitwarden; "ldap/pw.age".publicKeys = users ++ ldap ++ bitwarden;
# for use connectring to teh ldap # for use connectring to teh ldap