feat: basic forgejo setup

2024-08-07 21:52:50 +01:00 · 2024-08-07 21:52:50 +01:00 · f00ae5bd2d
commit f00ae5bd2d
parent 97d1783561
7 changed files with 212 additions and 42 deletions
--- a/applications/git/forgejo.nix
+++ b/applications/git/forgejo.nix
@ -35,22 +35,19 @@ in {
    };
    forgejo = {
-          port = mkOption {
+      port = mkOption {
-            type = types.port;
+        type = types.port;
-            default = 3000;
+        default = 3000;
-          };
+      };
    };
  };
  config = mkIf cfg.enable {
-
+    #    age.secrets.forgejo-mailer-password = {
-#    age.secrets.forgejo-mailer-password = {
+    #      file = ../../secrets/forgejo/mailer-password.age;
-#      file = ../../secrets/forgejo/mailer-password.age;
+    #      mode = "400";
-#      mode = "400";
+    #      owner = "forgejo";
-#      owner = "forgejo";
+    #    };
 #    };
    services.skynet.acme.domains = [
      "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"
@ -79,38 +76,38 @@ in {
      };
    };
    services.forgejo = {
-        enable = true;
+      enable = true;
-        database.type = "sqlite3";
+      package = pkgs.forgejo;
-        # Enable support for Git Large File Storage
+      database.type = "sqlite3";
-        lfs.enable = true;
+      # Enable support for Git Large File Storage
-        settings = {
+      lfs.enable = true;
-          server = {
+      settings = {
-            DOMAIN = "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}";
+        server = {
-            # You need to specify this to remove the port from URLs in the web UI.
+          DOMAIN = "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}";
-            ROOT_URL = "https://${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}/";
+          # You need to specify this to remove the port from URLs in the web UI.
-            HTTP_PORT = cfg.forgejo.port;
+          ROOT_URL = "https://${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}/";
-          };
+          HTTP_PORT = cfg.forgejo.port;
          # You can temporarily allow registration to create an admin user.
          service.DISABLE_REGISTRATION = true;
          # Add support for actions, based on act: https://github.com/nektos/act
 #          actions = {
 #            ENABLED = true;
 #            DEFAULT_ACTIONS_URL = "github";
 #          };
          # Sending emails is completely optional
          # You can send a test email from the web UI at:
          # Profile Picture > Site Administration > Configuration >  Mailer Configuration
 #          mailer = {
 #            ENABLED = true;
 #            SMTP_ADDR = "mail.${cfg.domain.base}.${cfg.domain.tld}";
 #            FROM = "noreply@${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}";
 #            USER = "noreply@${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}";
 #          };
        };
-#        mailerPasswordFile = config.age.secrets.forgejo-mailer-password.path;
+
        # You can temporarily allow registration to create an admin user.
        service.DISABLE_REGISTRATION = true;
        # Add support for actions, based on act: https://github.com/nektos/act
        #          actions = {
        #            ENABLED = true;
        #            DEFAULT_ACTIONS_URL = "github";
        #          };
        # Sending emails is completely optional
        # You can send a test email from the web UI at:
        # Profile Picture > Site Administration > Configuration >  Mailer Configuration
        #          mailer = {
        #            ENABLED = true;
        #            SMTP_ADDR = "mail.${cfg.domain.base}.${cfg.domain.tld}";
        #            FROM = "noreply@${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}";
        #            USER = "noreply@${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}";
        #          };
      };
      #        mailerPasswordFile = config.age.secrets.forgejo-mailer-password.path;
    };
  };
 }
--- a/applications/git/forgejo_runner.nix
+++ b/applications/git/forgejo_runner.nix
@ -0,0 +1,145 @@
 {
  config,
  pkgs,
  lib,
  inputs,
  ...
 }:
 with lib; let
  name = "forgejo_runner";
  cfg = config.services.skynet."${name}";
 in {
  imports = [
  ];
  options.services.skynet."${name}" = {
    enable = mkEnableOption "Skynet ForgeJo Runner";
    runner = {
      name = mkOption {
        type = types.str;
        default = config.networking.hostName;
      };
      website = mkOption {
        default = "https://forgejo.skynet.ie";
        type = types.str;
      };
      user = mkOption {
        default = "gitea-runner";
        type = types.str;
      };
    };
  };
  config = mkIf cfg.enable {
    # https://search.nixos.org/options?from=0&size=50&sort=alpha_desc&type=packages&query=services.gitlab-runner.
    environment.systemPackages = with pkgs; [
      forgejo-actions-runner
    ];
    age.secrets.forgejo_runner_token = {
      file = ../../secrets/forgejo/runners/token.age;
      owner = cfg.runner.user;
      group = cfg.runner.user;
    };
    # make sure the ssh config stuff is in teh right palce
    systemd.tmpfiles.rules = [
      #"d  /home/${cfg.runner.user}             0755 ${cfg.runner.user} ${cfg.runner.user}"
      "L+ /home/${cfg.runner.user}/.ssh/config 0755 ${cfg.runner.user} ${cfg.runner.user}  -   ${./ssh_config}"
    ];
    age.secrets.forgejo_runner_ssh = {
      file = ../../secrets/forgejo/runners/ssh.age;
      mode = "600";
      owner = "${cfg.runner.user}";
      group = "${cfg.runner.user}";
      symlink = false;
      path = "/home/${cfg.runner.user}/.ssh/skynet/root";
    };
    nix = {
      settings = {
        trusted-users = [
          # allow the runner to build nix stuff and to use the cache
          "gitea-runner"
        ];
        trusted-public-keys = [
          "skynet-cache:zMFLzcRZPhUpjXUy8SF8Cf7KGAZwo98SKrzeXvdWABo="
          "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
        ];
        substituters = [
          "https://nix-cache.skynet.ie/skynet-cache/"
          "https://cache.nixos.org/"
        ];
        trusted-substituters = [
          "https://nix-cache.skynet.ie/skynet-cache/"
          "https://cache.nixos.org/"
        ];
      };
    };
    # very basic setup to always be watching for changes in teh cache
    systemd.services.attic-uploader = {
      enable = true;
      serviceConfig = {
        ExecStart = "${pkgs.attic-client}/bin/attic watch-store skynet-cache";
        User = "root";
        Restart = "always";
        RestartSec = 1;
      };
    };
    # give teh runner user a home to store teh ssh config stuff
    systemd.services.gitea-runner-default.serviceConfig = {
      DynamicUser = lib.mkForce false;
      User = lib.mkForce cfg.runner.user;
    };
    users = {
      groups."${cfg.runner.user}" = {};
      users."${cfg.runner.user}" = {
        #isSystemUser = true;
        isNormalUser = true;
        group = cfg.runner.user;
        createHome = true;
        shell = pkgs.bash;
      };
    };
    # the actual runner
    services.gitea-actions-runner = {
      package = pkgs.forgejo-actions-runner;
      instances.default = {
        enable = true;
        name = cfg.runner.name;
        url = cfg.runner.website;
        tokenFile = config.age.secrets.forgejo_runner_token.path;
        labels = [
          ## optionally provide native execution on the host:
          "nix:host"
          "docker:docker://node:16-bullseye"
          "ubuntu-latest:docker://node:16-bullseye"
        ];
        hostPackages = with pkgs; [
          # default ones
          bash
          coreutils
          curl
          gawk
          gitMinimal
          gnused
          nodejs
          wget
          # used in deployments
          inputs.colmena.defaultPackage."x86_64-linux"
          attic-client
          nix
          openssh
        ];
      };
    };
  };
 }
--- a/applications/git/ssh_config
+++ b/applications/git/ssh_config
@ -0,0 +1,5 @@
 Host *.skynet.ie 193.1.99.* 193.1.96.165
   User root
   IdentityFile ~/.ssh/skynet/root
   IdentitiesOnly yes
--- a/machines/wheatly.nix
+++ b/machines/wheatly.nix
@ -26,6 +26,7 @@ Notes:
 in {
  imports = [
    ../applications/git/gitlab_runner.nix
    ../applications/git/forgejo_runner.nix
  ];
  deployment = {
@ -44,5 +45,7 @@ in {
      enable = true;
      runner.name = "runner01";
    };
    forgejo_runner.enable = true;
  };
 }
--- a/secrets/forgejo/runners/ssh.age
+++ b/secrets/forgejo/runners/ssh.age
--- a/secrets/forgejo/runners/token.age
+++ b/secrets/forgejo/runners/token.age
@ -0,0 +1,17 @@
 age-encryption.org/v1
 -> ssh-ed25519 V1pwNA bGirG6sUND19fSIwyvtjS3RDjyNUc+kXmzRoN4P1bC8
 kPJr2S9BlGWWnoggce6dx1OR0/r57AB5Rcgz+qY0qKE
 -> ssh-ed25519 4PzZog iciiKCHhfK38SwvSPrdoMK7C250qTV5eBgv657iyKwU
 dEiSS1FuxEpovNAl1HPZk+MRCcjLGiKgTfpi5Ssi38M
 -> ssh-ed25519 5Nd93w FFgxLg0NNK6Op64FHu24sjaerv3jgDaPz6uKPi/A8AE
 ZvHbJ2K3T7CUJSrrpF9fMmP6FWCQ3i6m/5Fi2UNtbew
 -> ssh-ed25519 q8eJgg nVm1H/mbEsGt2O87i7VKUL5do6Rc7n5nvSilUtQ4cBU
 WWtsNbIatU5ZostueLntGgKD/nxcavZPheU9afRvbH0
 -> ssh-ed25519 KVr8rw Nnroz2PgUoJsd/frf+N+b7xdJDAzj3NsmJaogsIkYGk
 xX73tnCCYGBNA3BRjjPMn/IV+qwjIwEUk+IZbhCCfHY
 -> ssh-ed25519 fia1eQ GLYqWGKYKwkBRwQ7SxSnErmz1MFw5gPCexfap8VM9Rk
 Z+dIKhk+JH7W07diX1Abr/Deezkw8xGkzXQuYn1HfJI
 -> ssh-ed25519 yvS9bw Lwo77pDciewUZemyFc1EUboIlXFCBx3CY6BGuizach4
 AkWzgV1zRJzLtfRxkfhmd80EU8fW1w+5sxMAfWgdEMI
 --- ac6h3StxSHr+HFsyPIBPENQRcfKzXX8fzJlZ0MER/8c
 å¯ñ„üzwyCÉ>þÖ¸Æ\k¡±êu/<2F>óí{z§©€<>¢Õ®¼<C2AE>º<EFBFBD>ø£jDÇÐÒßã4õ{^mÃDsÝå¦žÂÎ#kiné“xo
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -134,6 +134,9 @@ in {
  "gitlab/runners/runner01.age".publicKeys = users ++ gitlab_runners;
  "gitlab/runners/runner02.age".publicKeys = users ++ gitlab_runners;
  "forgejo/runners/token.age".publicKeys = users ++ gitlab_runners;
  "forgejo/runners/ssh.age".publicKeys = users ++ gitlab_runners;
  # for ldap
  "ldap/pw.age".publicKeys = users ++ ldap ++ bitwarden;
  # for use connectring to teh ldap