Setup Forgejo #126

Merged
silver merged 4 commits from #85-test-forgejo into main 2024-08-07 23:06:44 +00:00
14 changed files with 383 additions and 13 deletions


@ -0,0 +1,53 @@
name: Build_Deploy
on:
workflow_run:
workflows: [ "Update_Flake" ]
types:
- completed
push:
paths:
- applications/**/*
- machines/**/*
- secrets/**/*
- flake.*
- config/**/*
- .forgejo/**/*
jobs:
linter:
runs-on: nix
steps:
- uses: actions/checkout@v4
- run: nix fmt -- --check .
#if: github.repository == 'Skynet/nixos'
build:
runs-on: nix
steps:
- uses: actions/checkout@v4
- run: nix develop
- run: colmena build -v --on @active-dns
- run: colmena build -v --on @active-core
- run: colmena build -v --on @active
- run: colmena build -v --on @active-ext
- run: colmena build -v --on @active-gitlab
deploy_dns:
runs-on: nix
needs: [ linter, build ]
steps:
- uses: actions/checkout@v4
- run: colmena apply -v --on @active-dns --show-trace
shell: bash
deploy_active:
strategy:
matrix:
batch: [ active-core, active, active-ext ]
runs-on: nix
needs: [ deploy_dns ]
steps:
- uses: actions/checkout@v4
- run: colmena apply -v --on @${{ matrix.batch }} --show-trace
shell: bash
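Review bot: The `push` trigger filters only on `paths`, so a push to any branch that touches those paths runs `deploy_dns` and `deploy_active`, which `colmena apply` straight onto the hosts; add `branches: [ main ]` under `push:` so feature branches (like the one this PR merges) only lint and build. The bare `- run: nix develop` step in `build` cannot carry its environment into the following steps, since each `run` is a separate shell; either drop it or invoke each command as `- run: nix develop --command colmena build -v --on @active-dns`. If Forgejo follows GitHub semantics for `workflow_run`, `types: [completed]` also fires when Update_Flake fails, so the deploy jobs may want `if: ${{ github.event.workflow_run.conclusion == 'success' }}` — worth confirming against the Forgejo Actions docs.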


@ -0,0 +1,29 @@
name: Update_Flake
on:
workflow_dispatch:
inputs:
input_to_update:
description: 'Flake input to update'
required: true
type: string
jobs:
update:
runs-on: nix
permissions:
# Give the default GITHUB_TOKEN write permission to commit and push the
# added or changed files to the repository.
contents: write
steps:
- uses: actions/checkout@v4
with:
ref: ${{ github.head_ref }}
token: ${{ secrets.PIPELINE_TOKEN }}
- run: nix flake lock --update-input "${{ inputs.input_to_update }}"
shell: bash
- uses: https://github.com/stefanzweifel/git-auto-commit-action@v5
with:
commit_message: "Updated flake for ${{ inputs.input_to_update }}"
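Review bot: `${{ inputs.input_to_update }}` in the `nix flake lock` step is substituted into the script text before bash parses it, so the surrounding double quotes give no protection against an input containing `"` or `$(`; pass it through the environment instead: `env:` / `INPUT: ${{ inputs.input_to_update }}` on the step, and `run: nix flake lock --update-input "$INPUT"`. `ref: ${{ github.head_ref }}` is only populated for pull-request events, so on a `workflow_dispatch` run it is empty and the checkout falls back to the default ref; `${{ github.ref }}` or dropping the line says what is meant. The auto-commit also pushes a `flake.lock` change that matches Build_Deploy's `flake.*` path filter, so Build_Deploy will probably run twice, once from `push` and once from `workflow_run`.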



@ -0,0 +1,113 @@
{
config,
pkgs,
lib,
...
}:
with lib; let
name = "forgejo";
cfg = config.services.skynet."${name}";
domain_base = "${cfg.domain.base}.${cfg.domain.tld}";
domain_full = "${cfg.domain.sub}.${domain_base}";
in {
imports = [
];
options.services.skynet."${name}" = {
enable = mkEnableOption "Skynet Forgejo";
domain = {
tld = mkOption {
type = types.str;
default = "ie";
};
base = mkOption {
type = types.str;
default = "skynet";
};
sub = mkOption {
type = types.str;
default = name;
};
};
forgejo = {
port = mkOption {
type = types.port;
default = 3000;
};
};
};
config = mkIf cfg.enable {
# age.secrets.forgejo-mailer-password = {
# file = ../../secrets/forgejo/mailer-password.age;
# mode = "400";
# owner = "forgejo";
# };
services.skynet.acme.domains = [
"${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"
];
# using https://nixos.org/manual/nixos/stable/index.html#module-services-gitlab as a guide
services.skynet.dns.records = [
{
record = cfg.domain.sub;
r_type = "CNAME";
value = config.services.skynet.host.name;
}
];
services.nginx.virtualHosts = {
# main site
"${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}" = {
forceSSL = true;
useACMEHost = "skynet";
locations."/" = {
proxyPass = "http://localhost:${toString cfg.forgejo.port}";
extraConfig = ''
client_max_body_size 1000M;
'';
};
};
};
services.forgejo = {
enable = true;
package = pkgs.forgejo;
database.type = "sqlite3";
# Enable support for Git Large File Storage
lfs.enable = true;
settings = {
server = {
DOMAIN = "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}";
# You need to specify this to remove the port from URLs in the web UI.
ROOT_URL = "https://${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}/";
HTTP_PORT = cfg.forgejo.port;
};
# You can temporarily allow registration to create an admin user.
service.DISABLE_REGISTRATION = true;
# Add support for actions, based on act: https://github.com/nektos/act
# actions = {
# ENABLED = true;
# DEFAULT_ACTIONS_URL = "github";
# };
# Sending emails is completely optional
# You can send a test email from the web UI at:
# Profile Picture > Site Administration > Configuration > Mailer Configuration
# mailer = {
# ENABLED = true;
# SMTP_ADDR = "mail.${cfg.domain.base}.${cfg.domain.tld}";
# FROM = "noreply@${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}";
# USER = "noreply@${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}";
# };
};
# mailerPasswordFile = config.age.secrets.forgejo-mailer-password.path;
};
};
}
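Review bot: `domain_full` (and `domain_base`) in the `let` block are never used; the module spells out `"${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"` four times (ACME domain, nginx vhost name, `DOMAIN`, `ROOT_URL`) and they should all read from the binding, e.g. `DOMAIN = domain_full;` and `ROOT_URL = "https://${domain_full}/";`. The companion forgejo_runner.nix in this PR registers a runner against this instance, but `actions.ENABLED` stays commented out here; unless the NixOS module enables actions by default, the runner will register and never receive jobs — TODO confirm. Since nginx only proxies to `localhost`, pinning `HTTP_ADDR = "127.0.0.1";` under `server` would make the bind explicit instead of relying on the module's default, which I believe is all interfaces.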


@ -0,0 +1,145 @@
{
config,
pkgs,
lib,
inputs,
...
}:
with lib; let
name = "forgejo_runner";
cfg = config.services.skynet."${name}";
in {
imports = [
];
options.services.skynet."${name}" = {
enable = mkEnableOption "Skynet ForgeJo Runner";
runner = {
name = mkOption {
type = types.str;
default = config.networking.hostName;
};
website = mkOption {
default = "https://forgejo.skynet.ie";
type = types.str;
};
user = mkOption {
default = "gitea-runner";
type = types.str;
};
};
};
config = mkIf cfg.enable {
# https://search.nixos.org/options?from=0&size=50&sort=alpha_desc&type=packages&query=services.gitlab-runner.
environment.systemPackages = with pkgs; [
forgejo-actions-runner
];
age.secrets.forgejo_runner_token = {
file = ../../secrets/forgejo/runners/token.age;
owner = cfg.runner.user;
group = cfg.runner.user;
};
# make sure the ssh config stuff is in teh right palce
systemd.tmpfiles.rules = [
#"d /home/${cfg.runner.user} 0755 ${cfg.runner.user} ${cfg.runner.user}"
"L+ /home/${cfg.runner.user}/.ssh/config 0755 ${cfg.runner.user} ${cfg.runner.user} - ${./ssh_config}"
];
age.secrets.forgejo_runner_ssh = {
file = ../../secrets/forgejo/runners/ssh.age;
mode = "600";
owner = "${cfg.runner.user}";
group = "${cfg.runner.user}";
symlink = false;
path = "/home/${cfg.runner.user}/.ssh/skynet/root";
};
nix = {
settings = {
trusted-users = [
# allow the runner to build nix stuff and to use the cache
"gitea-runner"
];
trusted-public-keys = [
"skynet-cache:zMFLzcRZPhUpjXUy8SF8Cf7KGAZwo98SKrzeXvdWABo="
"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
];
substituters = [
"https://nix-cache.skynet.ie/skynet-cache/"
"https://cache.nixos.org/"
];
trusted-substituters = [
"https://nix-cache.skynet.ie/skynet-cache/"
"https://cache.nixos.org/"
];
};
};
# very basic setup to always be watching for changes in teh cache
systemd.services.attic-uploader = {
enable = true;
serviceConfig = {
ExecStart = "${pkgs.attic-client}/bin/attic watch-store skynet-cache";
User = "root";
Restart = "always";
RestartSec = 1;
};
};
# give teh runner user a home to store teh ssh config stuff
systemd.services.gitea-runner-default.serviceConfig = {
DynamicUser = lib.mkForce false;
User = lib.mkForce cfg.runner.user;
};
users = {
groups."${cfg.runner.user}" = {};
users."${cfg.runner.user}" = {
#isSystemUser = true;
isNormalUser = true;
group = cfg.runner.user;
createHome = true;
shell = pkgs.bash;
};
};
# the actual runner
services.gitea-actions-runner = {
package = pkgs.forgejo-actions-runner;
instances.default = {
enable = true;
name = cfg.runner.name;
url = cfg.runner.website;
tokenFile = config.age.secrets.forgejo_runner_token.path;
labels = [
## optionally provide native execution on the host:
"nix:host"
"docker:docker://node:16-bullseye"
"ubuntu-latest:docker://node:16-bullseye"
];
hostPackages = with pkgs; [
# default ones
bash
coreutils
curl
gawk
gitMinimal
gnused
nodejs
wget
# used in deployments
inputs.colmena.defaultPackage."x86_64-linux"
attic-client
nix
openssh
];
};
};
};
}
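Review bot: The runner user is added to Nix `trusted-users`, owns the fleet root SSH key installed at `/home/${cfg.runner.user}/.ssh/skynet/root`, and the `nix:host` label runs workflow jobs directly on the host as that user, so any repository whose workflows this runner accepts effectively has root on every host the key reaches; the registration token should be scoped to the deploying repository or organisation (or the runner restricted to it in Forgejo's runner settings) rather than instance-wide, and `trusted-users` is better made a separate, explicitly enabled option than a default. `trusted-users` also hard-codes `"gitea-runner"` while everything else uses `cfg.runner.user`, so changing the option silently drops the trust; write `cfg.runner.user` there. `inputs.colmena.defaultPackage."x86_64-linux"` is the deprecated flake output name; if the colmena flake exposes it, `inputs.colmena.packages."x86_64-linux".default` is the current form, and `pkgs.system` would avoid hard-coding the architecture.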


@ -56,32 +56,32 @@ in {
# grep -r --exclude-dir={docker,containers,log,sys,nix,proc} gitlab / # grep -r --exclude-dir={docker,containers,log,sys,nix,proc} gitlab /
age.secrets.gitlab_pw = { age.secrets.gitlab_pw = {
file = ../secrets/gitlab/pw.age; file = ../../secrets/gitlab/pw.age;
owner = cfg.user; owner = cfg.user;
group = cfg.user; group = cfg.user;
}; };
age.secrets.gitlab_secrets_db = { age.secrets.gitlab_secrets_db = {
file = ../secrets/gitlab/secrets_db.age; file = ../../secrets/gitlab/secrets_db.age;
owner = cfg.user; owner = cfg.user;
group = cfg.user; group = cfg.user;
}; };
age.secrets.gitlab_secrets_secret = { age.secrets.gitlab_secrets_secret = {
file = ../secrets/gitlab/secrets_secret.age; file = ../../secrets/gitlab/secrets_secret.age;
owner = cfg.user; owner = cfg.user;
group = cfg.user; group = cfg.user;
}; };
age.secrets.gitlab_secrets_otp = { age.secrets.gitlab_secrets_otp = {
file = ../secrets/gitlab/secrets_otp.age; file = ../../secrets/gitlab/secrets_otp.age;
owner = cfg.user; owner = cfg.user;
group = cfg.user; group = cfg.user;
}; };
age.secrets.gitlab_secrets_jws = { age.secrets.gitlab_secrets_jws = {
file = ../secrets/gitlab/secrets_jws.age; file = ../../secrets/gitlab/secrets_jws.age;
owner = cfg.user; owner = cfg.user;
group = cfg.user; group = cfg.user;
}; };
age.secrets.gitlab_db_pw = { age.secrets.gitlab_db_pw = {
file = ../secrets/gitlab/db_pw.age; file = ../../secrets/gitlab/db_pw.age;
owner = cfg.user; owner = cfg.user;
group = cfg.user; group = cfg.user;
}; };


@ -51,8 +51,8 @@ in {
pkgs.gitlab-runner pkgs.gitlab-runner
]; ];
age.secrets.runner_01_nix.file = ../secrets/gitlab/runners/runner01.age; age.secrets.runner_01_nix.file = ../../secrets/gitlab/runners/runner01.age;
age.secrets.runner_02_general.file = ../secrets/gitlab/runners/runner02.age; age.secrets.runner_02_general.file = ../../secrets/gitlab/runners/runner02.age;
boot.kernel.sysctl."net.ipv4.ip_forward" = true; # 1 boot.kernel.sysctl."net.ipv4.ip_forward" = true; # 1
virtualisation.docker.enable = true; virtualisation.docker.enable = true;


@ -0,0 +1,5 @@
Host *.skynet.ie 193.1.99.* 193.1.96.165
User root
IdentityFile ~/.ssh/skynet/root
IdentitiesOnly yes
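Review bot: Nothing here pins the target host keys, so the first `colmena apply` from the runner (no tty) will stop at an unknown host key with "Host key verification failed", and the easy workaround of `StrictHostKeyChecking no` would let the root identity be used against any host answering on those names or addresses. Prefer declaring the fleet's host public keys with `programs.ssh.knownHosts` in forgejo_runner.nix (or a managed `UserKnownHostsFile` next to this config) so the key is only ever used with verified hosts.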


@ -779,11 +779,11 @@
}, },
"nixpkgs_8": { "nixpkgs_8": {
"locked": { "locked": {
"lastModified": 1721379653, "lastModified": 1722813957,
"narHash": "sha256-8MUgifkJ7lkZs3u99UDZMB4kbOxvMEXQZ31FO3SopZ0=", "narHash": "sha256-IAoYyYnED7P8zrBFMnmp7ydaJfwTnwcnqxUElC1I26Y=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "1d9c2c9b3e71b9ee663d11c5d298727dace8d374", "rev": "cb9a96f23c491c081b38eab96d22fa958043c9fa",
"type": "github" "type": "github"
}, },
"original": { "original": {


@ -26,7 +26,8 @@ Notes: Each user has roughly 20gb os storage
}; };
in { in {
imports = [ imports = [
../applications/gitlab.nix ../applications/git/gitlab.nix
../applications/git/forgejo.nix
]; ];
deployment = { deployment = {
@ -41,5 +42,6 @@ in {
host = host; host = host;
backup.enable = true; backup.enable = true;
gitlab.enable = true; gitlab.enable = true;
forgejo.enable = true;
}; };
} }


@ -25,7 +25,8 @@ Notes:
}; };
in { in {
imports = [ imports = [
../applications/gitlab_runner.nix ../applications/git/gitlab_runner.nix
../applications/git/forgejo_runner.nix
]; ];
deployment = { deployment = {
@ -44,5 +45,7 @@ in {
enable = true; enable = true;
runner.name = "runner01"; runner.name = "runner01";
}; };
forgejo_runner.enable = true;
}; };
} }

Binary file not shown.


@ -0,0 +1,17 @@
age-encryption.org/v1
-> ssh-ed25519 V1pwNA bGirG6sUND19fSIwyvtjS3RDjyNUc+kXmzRoN4P1bC8
kPJr2S9BlGWWnoggce6dx1OR0/r57AB5Rcgz+qY0qKE
-> ssh-ed25519 4PzZog iciiKCHhfK38SwvSPrdoMK7C250qTV5eBgv657iyKwU
dEiSS1FuxEpovNAl1HPZk+MRCcjLGiKgTfpi5Ssi38M
-> ssh-ed25519 5Nd93w FFgxLg0NNK6Op64FHu24sjaerv3jgDaPz6uKPi/A8AE
ZvHbJ2K3T7CUJSrrpF9fMmP6FWCQ3i6m/5Fi2UNtbew
-> ssh-ed25519 q8eJgg nVm1H/mbEsGt2O87i7VKUL5do6Rc7n5nvSilUtQ4cBU
WWtsNbIatU5ZostueLntGgKD/nxcavZPheU9afRvbH0
-> ssh-ed25519 KVr8rw Nnroz2PgUoJsd/frf+N+b7xdJDAzj3NsmJaogsIkYGk
xX73tnCCYGBNA3BRjjPMn/IV+qwjIwEUk+IZbhCCfHY
-> ssh-ed25519 fia1eQ GLYqWGKYKwkBRwQ7SxSnErmz1MFw5gPCexfap8VM9Rk
Z+dIKhk+JH7W07diX1Abr/Deezkw8xGkzXQuYn1HfJI
-> ssh-ed25519 yvS9bw Lwo77pDciewUZemyFc1EUboIlXFCBx3CY6BGuizach4
AkWzgV1zRJzLtfRxkfhmd80EU8fW1w+5sxMAfWgdEMI
--- ac6h3StxSHr+HFsyPIBPENQRcfKzXX8fzJlZ0MER/8c
å¯ñ„üzwyCÉ>þÖ¸Æ\k¡±êu/<2F>óí{z§©<>¢Õ®¼<C2AE>º<EFBFBD>ø£jDÇÐÒßã4õ{^mÃDsÝ妞ÂÎ#kiné“xo


@ -134,6 +134,9 @@ in {
"gitlab/runners/runner01.age".publicKeys = users ++ gitlab_runners; "gitlab/runners/runner01.age".publicKeys = users ++ gitlab_runners;
"gitlab/runners/runner02.age".publicKeys = users ++ gitlab_runners; "gitlab/runners/runner02.age".publicKeys = users ++ gitlab_runners;
"forgejo/runners/token.age".publicKeys = users ++ gitlab_runners;
"forgejo/runners/ssh.age".publicKeys = users ++ gitlab_runners;
# for ldap # for ldap
"ldap/pw.age".publicKeys = users ++ ldap ++ bitwarden; "ldap/pw.age".publicKeys = users ++ ldap ++ bitwarden;
# for use connectring to teh ldap # for use connectring to teh ldap