From 8c5cc2e1ff9896f770c95663bccf04b2bf807202 Mon Sep 17 00:00:00 2001
From: Brendan Golden
Date: Wed, 12 Feb 2025 22:30:23 +0000
Subject: [PATCH 1/3] feat: adding another runner to speed up deployment Closes #139
---
applications/git/forgejo_runner.nix | 56 ++++++++++++++----------------
machines/glados.nix | 5 +++
machines/wheatly.nix | 5 ++-
secrets/forgejo/runners/ssh.age | Bin 1381 -> 1491 bytes
secrets/forgejo/runners/token.age | 19 ----------
secrets/forgejo/runners/token1.age | Bin 0 -> 1138 bytes
secrets/forgejo/runners/token2.age | 21 +++++++++++
secrets/secrets.nix | 6 ++-
8 files changed, 63 insertions(+), 49 deletions(-)
delete mode 100644 secrets/forgejo/runners/token.age
create mode 100644 secrets/forgejo/runners/token1.age
create mode 100644 secrets/forgejo/runners/token2.age
diff --git a/applications/git/forgejo_runner.nix b/applications/git/forgejo_runner.nix
index 29029cb..c43ecec 100644
--- a/applications/git/forgejo_runner.nix
+++ b/applications/git/forgejo_runner.nix
@@ -15,21 +15,23 @@ in {
 options.services.skynet."${name}" = {
 enable = mkEnableOption "Skynet ForgeJo Runner";
- runner = {
- name = mkOption {
- type = types.str;
- default = config.networking.hostName;
- };
+ name = mkOption {
+ type = types.str;
+ default = config.networking.hostName;
+ };
- website = mkOption {
- default = "https://forgejo.skynet.ie";
- type = types.str;
- };
+ website = mkOption {
+ default = "https://forgejo.skynet.ie";
+ type = types.str;
+ };
- user = mkOption {
- default = "gitea-runner";
- type = types.str;
- };
+ user = mkOption {
+ default = "gitea-runner";
+ type = types.str;
+ };
+
+ secret = mkOption {
+ type = types.path;
 };
 };
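Review bot: The new `secret = mkOption { type = types.path; }` at the end of the hunk has no `description` and no default, so a machine that still uses the old one-line form `forgejo_runner.enable = true;` (the form wheatly.nix drops later in this series) now fails evaluation with only the generic "option is used but not defined" message. Add `description = "Age-encrypted Forgejo runner registration token for this host; one token per runner, never a plaintext file.";` inside the `secret` block, and while the options are being flattened out of `runner.*`, give `name`, `website` and `user` descriptions as well. The plaintext caveat matters because a `types.path` value ends up in the world-readable Nix store, which is only acceptable for the age-encrypted files this module expects.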
@@ -40,23 +42,23 @@ in {
 ];
 age.secrets.forgejo_runner_token = {
- file = ../../secrets/forgejo/runners/token.age;
- owner = cfg.runner.user;
- group = cfg.runner.user;
+ file = cfg.secret;
+ owner = cfg.user;
+ group = cfg.user;
 };
 # make sure the ssh config stuff is in teh right palce
 systemd.tmpfiles.rules = [
- #"d /home/${cfg.runner.user} 0755 ${cfg.runner.user} ${cfg.runner.user}"
- "L+ /home/${cfg.runner.user}/.ssh/config 0755 ${cfg.runner.user} ${cfg.runner.user} - ${./ssh_config}"
+ #"d /home/${cfg.user} 0755 ${cfg.user} ${cfg.user}"
+ "L+ /home/${cfg.user}/.ssh/config 0755 ${cfg.user} ${cfg.user} - ${./ssh_config}"
 ];
 age.secrets.forgejo_runner_ssh = {
 file = ../../secrets/forgejo/runners/ssh.age;
 mode = "600";
- owner = "${cfg.runner.user}";
- group = "${cfg.runner.user}";
+ owner = "${cfg.user}";
+ group = "${cfg.user}";
 symlink = false;
- path = "/home/${cfg.runner.user}/.ssh/skynet/root";
+ path = "/home/${cfg.user}/.ssh/skynet/root";
 };
 nix = {
@@ -94,14 +96,14 @@ in {
 # give teh runner user a home to store teh ssh config stuff
 systemd.services.gitea-runner-default.serviceConfig = {
 DynamicUser = lib.mkForce false;
- User = lib.mkForce cfg.runner.user;
+ User = lib.mkForce cfg.user;
 };
 users = {
- groups."${cfg.runner.user}" = {};
- users."${cfg.runner.user}" = {
+ groups."${cfg.user}" = {};
+ users."${cfg.user}" = {
 #isSystemUser = true;
 isNormalUser = true;
- group = cfg.runner.user;
+ group = cfg.user;
 createHome = true;
 shell = pkgs.bash;
 };
@@ -118,8 +120,8 @@ in {
 package = pkgs.forgejo-actions-runner;
 instances.default = {
 enable = true;
- name = cfg.runner.name;
- url = cfg.runner.website;
+ name = cfg.name;
+ url = cfg.website;
 tokenFile = config.age.secrets.forgejo_runner_token.path;
 labels = [
 ## optionally provide native execution on the host:
diff --git a/machines/glados.nix b/machines/glados.nix
index 842da0c..5e499d8 100644
--- a/machines/glados.nix
+++ b/machines/glados.nix
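Review bot: `age.secrets.forgejo_runner_ssh` still hard-codes `file = ../../secrets/forgejo/runners/ssh.age;`, so while the registration token becomes per-host through `cfg.secret` in the same hunk, every host enabling this module decrypts and installs the one shared SSH private key at `/home/${cfg.user}/.ssh/skynet/root`. A CI job that escapes on either runner then holds a key whose name suggests root access on the deploy target, and rotating it means re-keying all runner hosts at once. Parameterise it the same way as the token: `sshKey = mkOption { type = types.path; default = ../../secrets/forgejo/runners/ssh.age; };` in the options block and `file = cfg.sshKey;` here, then issue one key per runner so each can be revoked on its own. The enclosing config attribute set starts and ends outside this hunk.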
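Review bot: The runner's service account in `users.users."${cfg.user}"` remains `isNormalUser = true;` with `shell = pkgs.bash;` and `#isSystemUser = true;` left commented out; the second hunk only renames `cfg.runner.user` to `cfg.user`, so both hosts now get an account with a login shell and a regular-user UID that exists solely to run untrusted CI jobs. Unless something on the host genuinely logs in as this user, prefer `isSystemUser = true;` with `home = "/home/${cfg.user}";` and `createHome = true;`, and drop the interactive shell. If the normal-user shape is required (for example for the `.ssh` handling above), record why in place of the commented-out line, e.g. `# normal user on purpose: runner needs a real home and shell for ssh deploys`.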
@@ -28,6 +28,7 @@ in {
 imports = [
 ../applications/git/gitlab.nix
 ../applications/git/forgejo.nix
+ ../applications/git/forgejo_runner.nix
 ];
 deployment = {
@@ -43,5 +44,9 @@ in {
 backup.enable = true;
 gitlab.enable = true;
 forgejo.enable = true;
+ forgejo_runner = {
+ enable = true;
+ secret = ../secrets/forgejo/runners/token2.age;
+ };
 };
 }
diff --git a/machines/wheatly.nix b/machines/wheatly.nix
index f38000b..cb9cdb6 100644
--- a/machines/wheatly.nix
+++ b/machines/wheatly.nix
@@ -39,6 +39,9 @@ in {
 services.skynet = {
 host = host;
 backup.enable = true;
- forgejo_runner.enable = true;
+ forgejo_runner = {
+ enable = true;
+ secret = ../secrets/forgejo/runners/token1.age;
+ };
 };
 }
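Review bot: Enabling `forgejo_runner` on glados puts an Actions runner on the same host that serves Forgejo and GitLab (`forgejo.enable = true;` and `gitlab.enable = true;` sit directly above the new block), and the runner module's `labels` list is cut off in this series right at `## optionally provide native execution on the host:`. If that native label is active, any repository able to trigger a workflow executes code as the runner user on the forge host itself, next to the forge's database, tokens and the shared deploy key. Either keep this host's runner to container-only labels (the module currently exposes no per-host `labels` option, so one would need adding) or record in the machine file why host-level execution on the forge is acceptable, e.g. `# runner shares the host with forgejo/gitlab: container labels only`. The `services.skynet = { ... }` attribute set that holds this block opens before the hunk.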
diff --git a/secrets/forgejo/runners/ssh.age b/secrets/forgejo/runners/ssh.age index 7a716d1b83c03bf40c05fa613d047819829ce36a..ffda5eb6e8a0c5b981cac03e17035e0102c69a43 100644 GIT binary patch delta 1406 zcmaFLb(wpDPJNVDcA`OcVP0lpNlA`{d3r@=c13}=Wm05bmX}wtxqnb#NvLUxi$QXb zFIQlqab#IlNO`iCr*pV*X^LTbfU#$Icz8vMS$=9zWKxx%UxcTnxsiFI1(&X!LUD11 zZfc5=si~o*f=NJCRDQZbL12YfQDB8*Xm(MOc6qp0qML=6X}OPcnqg#VWM-*fxl6jA zK|y$VX_i|#S6EtlsF8EIiCaZPRar=qwo!PAcR)yxSyn-1xsOv&d1|3$xv8^3N{XlF z#E;_P6^Z8FA$cyPnNCK=RjD4iMQ$beP8o$k`eqebUcM12C5|4J#=(y6*;~B-n%&H8Fs~lam z%REc93(Lxbf{I+DJS%)HgCi^gQ$sz1o$^Z!{e3M`oLpSF94$)IjeQbBlfuFRf~(A3 zwaWudojnrMQv59pGK}4gjSBoTy#14$G6E)_VU(y3H8G5EFLy~bHE^^j4AwXGERXax zO0vidam_HZa4Gb&NbyQc%?&d2&I#l)&MnHyND3@5GpI@nG&S?~Gz=;!GOx-t%k}Uq zb}uu^cg`s{^G^>-s&qw<0PnCOi=uLc%A(-J{3^%t^um;+NY_G3&-$W3m!zOf{alOk z{9Lp0f`Fiski@jiG@rb5uA;oa(mapk@&Z#&*WmR0Eb}bq3ZuYC18?`LQpW<55XY)~ z=a2v=Gar8gbnDVG6Ae=X74rR4a&o-^n)`JokA?? zgPc-Bg9BUwL%A$m%2SdIjZ!R<9YZ3LBHgo!Op6P`Lk*L1ioGq(Ow--WT+OpGj9nc~ z1JSK>F7yv^4^#;9Eis8SE;5OzFiUg|P0WbQFUxW%F)>TgHwf@|GPiVg_ILEj3XBRd zbma<8EORt8DX5QhGdGK>2zL(;&MGYR$qq?$^7X262`F~cPSbaB^fYs;GIT_@t~9F3 z$v9mh(ySuXD^1%n(Zn||D9_9(D$L8E(lXu6Bgd_(GFiXWJlokMr^F*a!oz|qC^EQM zJ2A)5&CJ_8#GpK|Fw(C$HK(ei-pAaj(8$ZZG~LZ7(A3+@#I3@WOIKG{At9rWW^z97zJ;cn(%$+j zMz3alymfJ%z25l`$2SLlUVAg}%F`3?uiUAxTR!`0;O^4JYma_CaATR)=T)Ly^;d4U zykwc*D7Ak{<+~*(>euC(@HHBT-ClV-o@xHktNiQjK3^(7aZ92x|IqE(e^Qd~U73;l zzvSKR$>u!jSEnlGSFC2@KGY@qs6xiYo=w?xZ^8uYLyMOMEOWnlxMK&axkSd~Os}O( zleV>;CgA{_hjv{L*%G&MeylS;a9n(BePzTg+9oG-^JJKU8z!4p)+AM?Y?DPhW= f4~5Mo3u==ex-xrBK3y>9MLgeP-T9mM^@afeh87SR delta 1296 zcmcc2{gi8hPQ7bpP+qb{Rho-)rlpyAslQ*2TVi2`Z%~!FXPJ+QSx`V#L~(|1qP~BG zCzn}Zu#rKKb5yQ{pI2yTkhg(Pgn3A0Ns7O5NnwqVFoUqd5#qZez`ubz8Tst=3QZ|6Ez2}8am@2e zHg*Y0bayHW@vKZr%=alwkBT((uFU7kG>R(o@C@|O*A6H%sPaj!GIDn|3e3$b^EB~G zE_6>e$#C_^i3-WI%t=O%0PnCOi=uLc($sKwDJ9H$^l1E-=A(|XsmiWEN+_plJ> z$nu=TGHug>GRvSaePiQvu7a{E56`ev6QlA{--3`Z=O|AOj83a-J_gbi~X|-UA&F! 
zJ;MVX!%`DneYs2v0#bsU13XgvGP0c`iZb=1+`~LV4U0`HJd3@(5{rzC%cH^qyc?EcP@B za^-;&M?Z()^~LaEYFNE3rMQ)_0P!9D6h)S$jf!NG&4>0G4%6xwJ7GwygFC)nDE>8 zRY{$iF0%`I4m%iddXQ8lpT^hqJpFIwmh~SLEqfVw{^V8tXvr0;z6VVIF3uWw&c5)=Kl4pT z_Z=$>jI@z(^Re}3-XyTHh@Wxl`qa0F?HT1F#C{%2UUS;B{fHwc&zrhi9Q!5Zw{^Zc z9JX*?Oqc1?^|1w;rM3i_vhI<}@SLV*62tVd&ZFYRH^%v<&TX1bZ_hZqP_IwhZIi5A zm2&@t4a*%y7Nb)atJPWLCc55R`L5&D*~S>t=}QtT4{f<7(R$2KGEymS%HALPYQI?P z-aT8lLVb(k!Y5l)6dAX~RNh)77?O$mE$I+?R6QtWCiU2AV>LmaG diff --git a/secrets/forgejo/runners/token.age b/secrets/forgejo/runners/token.age deleted file mode 100644 index 2bdb872..0000000 --- a/secrets/forgejo/runners/token.age +++ /dev/null @@ -1,19 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 V1pwNA kZ6MC1GXuminn2Hlomkep1wIv1lp6KpJOJcpXkhQWWM -K1B58FSyb4QpINlhuvVv4dGFNjTChU1KNoezZcS/a6Y --> ssh-ed25519 4PzZog pbxwzRvcsOgY9hd48BZEOH6VHFLn93gJ8yDHQyNIiSI -Fa/Z6si9vyox/pmPvWTndyYCQxo7tcvdlRuTgw6IY9g --> ssh-ed25519 dA0vRg OW2y/LkN/287NVuRRlSpihR+k/MZ+a0R5cIrHFne6RI -U0ZqipfDlpz9LeXKNWkl7tYCnsBjSQz8q4mETBVEalI --> ssh-ed25519 5Nd93w jDy3i1Z1NWYqdVdw4h+maaBjokVWNrSfHtSQotb2bWg -PtgX9L78wpJHiX4lmP+H0bfRZd/tNfHrUEAShJ38ss8 --> ssh-ed25519 q8eJgg BCaUEZ3H3BglgKPAbl/ITQaEv9Jc2rRAoFuPXhy4WFI -DMqJu0vjDJ8rIXLSL17Dx4Aoq8Uhdo4jU8g1jTSvMK4 --> ssh-ed25519 KVr8rw dKk0SN9SXTQsPwMFiKKMuoRwzTHJB8kr33nadRzBoDc -m2xPKYFMC/y5fKkgaBc+5TVg9ZH+zVSM9I4I3htSm7I --> ssh-ed25519 fia1eQ NGl1o/38iTm6QiQB7pl0NBkohMZGLMeaXZ37TV184B4 -zk/DTLhuGfhDU3gNA7S0BjGOowteEhR9v5oNmOkWTGU --> ssh-ed25519 CqOTGQ JbZYKqGfWeVu/JEAAeC6wE4QvKLEeidvggQnm6beJxA -ArogOkTDAnvC1SKPkSGapNix2W6yvku1QFOFs9bvuGA ---- yWZoUAOfSIL4FbWSAvhVkOEbUA1u3XPGKB1gNka/xfo -zlȑ LC$?Hc|۹.-j l}9:KӮU^IO6 \ No newline at end of file 
diff --git a/secrets/forgejo/runners/token1.age b/secrets/forgejo/runners/token1.age new file mode 100644 index 0000000000000000000000000000000000000000..50ad61e1019d108e153f0a30a0a6bd6fa460a806 GIT binary patch literal 1138 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCR+Gb||gb5!v5N-8eP z$TBuAu1YN|$urMQ4=we{t;#9Sb~nliD$Ub2H8eIX^eM>-b>;H5a1A!IOw$fDN;kDI zG4S?F2{5xX^)pGzEb?~=bn++*Dou4uu1pLHaYeVyB%mrPKV8AY!=x%Z%sV49+n~ZM zBE2Hr-^iuZ!^y3*z~3!1#K6?l+$}AwFt4mA%#q8(E7-&@C@s*`*ef`>!oxp3JIgXp z-`6WU(Z|f(Ff!T9Lf_r5vNFj#JR9A%6i0)ypmc=-=ZqBRDg#5aynt*|e|L|_3 z63gUr4-*TQsw`u}%5-$wO#Ms89O)Vk=^YWqs4a`$h91Q}ha(xT6 zb3(H$$_&tLE3`=UN>5kts7lRn$_WZIH})zBH#c+)cGV9t%P+$)jmpipNOjD1^v0Ia^;vT5rr=L^ewg}6p~XMl44~HRp91xUcV47|ik&_rzQD~lTnvzuH8;D_BX;hVyak_$!VY;E8K~Ys`u6|}nMQL_! zNK|E!cVwxdae8@4W^sXmuaAYFet^4=vm;lQsaHs3W~Nb&d%1p*pSyXMV^v~OW@2W! zdwHlyq_&U0dtiiRP;f!2ejt~wuC9WwpKnA^UXnqcvv+_|rfX5DM@F!*zNKMWvRS!V zNTyj?MPWp?Q%;D1aXwebR#!12;aRy)j@jI5TFapBl_(LgRo7)Je_iv%-V2qrcV@Ch xOV3Z=Bi;4z?=L>D``4l-Zn@m>u{<~1_wvTvI-e><57$oH)YpsZI#%dE1^_c)ahw1E literal 0 HcmV?d00001 diff --git a/secrets/forgejo/runners/token2.age b/secrets/forgejo/runners/token2.age new file mode 100644 index 0000000..3c1c894 --- /dev/null +++ b/secrets/forgejo/runners/token2.age 
@@ -0,0 +1,21 @@ +age-encryption.org/v1 +-> ssh-ed25519 V1pwNA DmSENr+7db9t/epcMdOAjr2qt4rSHWopkuS3/xyz+xY +ClfO4iYTReIp6jvUBqQutkXx4XRJ++u8EsspNdDZ8kw +-> ssh-ed25519 4PzZog QzQ5iPiSSruoDS+PDNI+/6PnIYEnnFTvnrxK4W2ZK3Y +iTETtsauc6clML06hoMr7kinsOirURTECfB/PzJaFT4 +-> ssh-ed25519 dA0vRg UCPTgYh2/8JTajlTIgvk64eKNNMHe4ZxIDILxIGAL18 +Qj0ZS/iNwusCONf9Rh05ftd4cHSmWz7bLZ8HHtQewMo +-> ssh-ed25519 5Nd93w D/87p469o+CW9TOqQb4C+3a9+xRvZ4bzk7vr0wXhdRk +E/uvMfpOPvWosWS4s18f+xmexQcpJ0NED1N35pL5IjI +-> ssh-ed25519 q8eJgg pSW+R1LjAdCTL/ys1X93jSSC+ga1phB8iYqAJ1Ic0yw +IFl+195woVbHjz23w3mxBPkjtbfke3C+jYacWWKOpio +-> ssh-ed25519 KVr8rw KfPs+1IA7M7dYqkUW9vty+xl/8loMZDgVFee/ZR+F0M +mTK9yjQR18aKfw/xEdfsnGXPKxqDi1bKPj2mLtB2Xg4 +-> ssh-ed25519 fia1eQ M7nASBk9cGmZmMHf115JAazAEx3tS+sIVB49KlXltWc +YJ48iqVSJQooltbXvw+olKC4ZZt9a92TR2uQ0xROAPY +-> ssh-ed25519 CqOTGQ CeIqatgAbFS8oNy3fOOJdIkLM0X9AwV2zbpQHcOcICM +qAHOkFsbM5fTxcpLFz9Iz16MVBA1oVqlxUADrLxDRrA +-> ssh-ed25519 uZzB3g eA/GpdA5UKoleGcq9BHwj59Hz86YX7oF3LoG6zZ1ogE +sIs5D3s72gVGglG37S0eDLUTEzuy2U9Nbi03aOJ3W4c +--- rkCxZNLeKI9HMNZnwiFRaL1AsIUYtXYJT/YyJ1UMRqc +!Vp-p|_to Ukt`@ xzWں GF=]iY;YOi}J/, \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index ca7480f..cad986a 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -77,6 +77,7 @@ let gitlab_runners = [ wheatly + glados ]; grafana = [ @@ -117,7 +118,8 @@ in { "gitlab/runners/runner01.age".publicKeys = users ++ gitlab_runners; "gitlab/runners/runner02.age".publicKeys = users ++ gitlab_runners; - "forgejo/runners/token.age".publicKeys = users ++ gitlab_runners; + "forgejo/runners/token1.age".publicKeys = users ++ gitlab_runners; + "forgejo/runners/token2.age".publicKeys = users ++ gitlab_runners; "forgejo/runners/ssh.age".publicKeys = users ++ gitlab_runners; # for ldap 
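Review bot: Adding `glados` to `gitlab_runners` in the first secrets.nix hunk grants that host decryption of every secret keyed on that list, which in the second hunk includes `gitlab/runners/runner01.age` and `runner02.age` two lines above the Forgejo entries, even though glados imports `forgejo_runner.nix` and not a GitLab runner. The same shared list also lets each runner host decrypt both `token1.age` and `token2.age` instead of only the one it uses. Introduce `forgejo_runners = [ wheatly glados ];` for `ssh.age`, keep `gitlab_runners` at `[ wheatly ]`, and key the tokens per host: `"forgejo/runners/token1.age".publicKeys = users ++ [wheatly];` and `"forgejo/runners/token2.age".publicKeys = users ++ [glados];`. The `let` bindings and the result attribute set both begin outside these hunks.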
@@ -130,7 +132,7 @@ in {
 "backup/restic_pw.age".publicKeys = users ++ restic;
 # discord bot and discord
- "discord/token.age".publicKeys = users ++ discord;
+ "discord/token1.age".publicKeys = users ++ discord;
 # email stuff
 "email/details.age".publicKeys = users ++ ldap ++ discord;
From 2c92c8cb196936325d16eea2938bb6638838c8ac Mon Sep 17 00:00:00 2001
From: Brendan Golden
Date: Fri, 14 Feb 2025 11:52:13 +0000
Subject: [PATCH 2/3] doc: updated the servers list
---
ITD/Server_Inventory.csv | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/ITD/Server_Inventory.csv b/ITD/Server_Inventory.csv
index dfbc30d..f4c6ed9 100644
--- a/ITD/Server_Inventory.csv
+++ b/ITD/Server_Inventory.csv
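Review bot: `"discord/token.age"` is renamed to `"discord/token1.age"` in secrets.nix, but nothing under `secrets/discord/` is renamed or created anywhere in this series; the diffstat lists only the Forgejo runner secrets. Unless `secrets/discord/token1.age` already exists in the tree, this leaves agenix rekeying a file that is not there while the real `discord/token.age` silently drops out of recipient management, and any module still pointing at `discord/token.age` will break the next time recipients change. If the line is a stray edit from another branch, revert it; otherwise rename the file and update the consuming module in this same commit so the rename is atomic.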
@@ -14,11 +14,14 @@ SKYNET00012,skynet,Active,193.1.96.165,Nixos-24.05,Skynet server. (DMZ)
 SKYNET00013,neuromancer,Active,193.1.99.080,Nixos-24.05,Local Backup Server
 SKYNET00014,cadie,Active,193.1.99.077,Nixos-24.05,"Services VM, has nextcloud to start with"
 SKYNET00015,marvin,Active,193.1.99.081,Nixos-24.05,Trainee testing server
-SKYNET00016,optimus,Active,193.1.99.090,Debian-12,Games server manager (replacing SKYNET00006 soon)
-SKYNET00017,bumblebee,Active,193.1.99.091,Debian-12,Game server - Minecraft
+SKYNET00016,optimus,Retired,193.1.99.090,Debian-12,Games server manager (replacing SKYNET00006 soon)
+SKYNET00017,bumblebee,Retired,193.1.99.091,Debian-12,Game server - Minecraft
 SKYNET00018,calculon,Active,193.1.99.082,Nixos-24.05,"Public Services such as binary cache, Open Governance and Keyserver"
 SKYNET00019,deepthought,Active,193.1.99.112,Nixos-24.05,Backup Test Server using restic
 SKYNET00020,ariia,Active,193.1.99.083,Nixos-24.05,"Metrics, Grafana and Prometheus"
 SKYNET00021,ash,Active,193.1.99.114,NA,Server Room Network access
 SKYNET00022,ultron,Active,193.1.99.084,Proxmox,VM Host
-SKYNET00023,optimus-test,Active,193.1.99.085,Nixos,Testing flake for Pelecian
\ No newline at end of file
+SKYNET00023,optimus-test,Retired,193.1.99.085,Nixos,Testing flake for Pelecian
+SKYNET00024,optimus,Active,193.1.99.090,Nixos,Games server manager (replaced SKYNET00016)
+SKYNET00025,bumblebee,Active,193.1.99.091,Nixos,Game server - Minecraft (replaced SKYNET00017)
+SKYNET00027,Raspberry Pi,Active,193.1.99.085,Raspbian,Proxmox Qurom server
\ No newline at end of file
From dc921841b4aeeea65199a42250ad9a50ab975b38 Mon Sep 17 00:00:00 2001
From: Brendan Golden
Date: Fri, 14 Feb 2025 11:52:37 +0000
Subject: [PATCH 3/3] doc: add teh pending port request for teh forgejo runner
---
ITD/Firewall_Rules.csv | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/ITD/Firewall_Rules.csv b/ITD/Firewall_Rules.csv
index 1563996..b8b1b97 100644
--- a/ITD/Firewall_Rules.csv
+++ b/ITD/Firewall_Rules.csv
@@ -43,4 +43,5 @@ SKYNET_FIREWALL_00031,Add,i24-06-04_017,Complete,All,-,193.1.99.83,SKYNET00020,"
 SKYNET_FIREWALL_00032,Remove,i24-06-04_017,Complete,All,-,193.1.99.90,SKYNET00016,8080,-,Had incorrectly opened 8080 on the main panel
 SKYNET_FIREWALL_00033,Add,i24-06-04_017,Complete,All,-,193.1.99.91,SKYNET00017,8080,-,Websocket for admin panel on games management server
 ,Add,i24-07-15_112,Denied,193.1.99.75,-,-,-,22,-,Response from ITD - 'Our IT Security team have advised that port 22 and port 2222 are only to be allowed through the VPN and will not be opened to allow inbound ssh connections directly from the internet'
-SKYNET_FIREWALL_00034,Add,i25-01-26_075,Complete,All,-,193.1.99.91,SKYNET00017,-,23318-23325,Ports for Minecraft Bedrock on the main games server.
\ No newline at end of file
+SKYNET_FIREWALL_00034,Add,i25-01-26_075,Complete,All,-,193.1.99.91,SKYNET00017,-,23318-23325,Ports for Minecraft Bedrock on the main games server.
+,Add,,Pending,193.1.99.75,SKYNET00008,193.1.96.165,SKYNET00012,22,-,Allow our forgejo runner to access and deploy to teh external server
\ No newline at end of file
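Review bot: The pending rule names a single source, `193.1.99.75,SKYNET00008`, while the first patch in this series registers runners on both wheatly and glados; if only one of those hosts is SKYNET00008, a deploy job that the scheduler hands to the other runner will be blocked on port 22 to 193.1.96.165 and fail depending on which runner picks it up. Either add a second row for the other runner's address or pin the deploy workflows to the runner that has the rule, and note that in the description column. The ticket column is also empty for this row; fill it once ITD assign a reference so the Pending entry can be reconciled against their reply, as the earlier Denied row for the same source was.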