diff --git a/.gitea/workflows/check-flake.yaml b/.gitea/workflows/check-flake.yaml
index 6b3a98e..c334957 100644
--- a/.gitea/workflows/check-flake.yaml
+++ b/.gitea/workflows/check-flake.yaml
@@ -4,19 +4,14 @@ on: [push]
 env:
 DEBIAN_FRONTEND: noninteractive
- SSH_AUTH_SOCK: /tmp/ssh_agent.sock
 jobs:
 check-flake:
- runs-on: ubuntu-latest
+ runs-on: nixos
 steps:
- - name: Install Nix
- uses: https://github.com/cachix/install-nix-action@v23
- with:
- github_access_token: ${{ secrets.__GITHUB_TOKEN }}
- extra_nix_config: |
- trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= s0.koi-bebop.ts.net:OjbzD86YjyJZpCp9RWaQKANaflcpKhtzBMNP8I2aPUU=
- substituters = https://cache.nixos.org/ http://s0.koi-bebop.ts.net:5000
+
+ - name: Install dependencies
+ run: nix profile install nixpkgs#nodejs-18_x
 - name: Checkout the repository
 uses: actions/checkout@v3
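Review bot: The new Install dependencies step, `run: nix profile install nixpkgs#nodejs-18_x`, resolves `nixpkgs` through the runner's flake registry, so the Node build the job gets is whatever that registry points at on the day it runs rather than anything pinned in this repository, and it fetches from the network on every run. Pin it to the flake's own lock by moving the step after the checkout and using `run: nix profile install --inputs-from . nixpkgs#nodejs-18_x`, which makes `nixpkgs` resolve to the locked input. It also appears redundant: the `nixos` runner container in `common/server/gitea-actions-runner.nix` already puts `nodejs` in `environment.systemPackages`, so if that is the only host behind the label this step can probably be dropped outright (confirm the runner's PATH includes it).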
@@ -24,25 +19,4 @@ jobs:
 fetch-depth: 0
 - name: Check Flake
- run: |
- # Can only build x84_64 for now, so pick out those specifically
- # nix flake check --show-trace
-
- nix build .#nixosConfigurations."ray".config.system.build.toplevel
- nix build .#nixosConfigurations."s0".config.system.build.toplevel
- nix build .#nixosConfigurations."ponyo".config.system.build.toplevel
- nix build .#nixosConfigurations."zoidberg".config.system.build.toplevel
-
- - name: Setup SSH For Pushing to Binary Cache
- run: |
- # Set up push key with ssh-agent
- echo "${{ secrets.BINARY_CACHE_PUSH_SSH_KEY }}" | base64 -d > ./.id_ed25519
- chmod 600 ./.id_ed25519
- eval $(ssh-agent -a $SSH_AUTH_SOCK)
- ssh-add ./.id_ed25519
- # Add Binary Cache as known host
- mkdir -p ~/.ssh
- echo "s0.koi-bebop.ts.net ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAwiXcUFtAvZCayhu4+AIcF+Ktrdgv9ee/mXSIhJbp4q" | tee -a ~/.ssh/known_hosts
-
- - name: Copy all built derivations to remote cache
- run: nix copy --to ssh://cache-push@s0.koi-bebop.ts.net /nix/store/*
\ No newline at end of file
+ run: nix flake check --show-trace
\ No newline at end of file
diff --git a/common/server/default.nix b/common/server/default.nix
index 362d1e9..840f835 100644
--- a/common/server/default.nix
+++ b/common/server/default.nix
@@ -18,5 +18,6 @@
 ./nextcloud.nix
 ./iodine.nix
 ./searx.nix
+ ./gitea-actions-runner.nix
 ];
 }
diff --git a/common/server/gitea-actions-runner.nix b/common/server/gitea-actions-runner.nix
new file mode 100644
index 0000000..08d96ce
--- /dev/null
+++ b/common/server/gitea-actions-runner.nix
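Review bot: `run: nix flake check --show-trace` is a weaker check than the four `nix build` lines it replaces: for `nixosConfigurations.*` it only evaluates `config.system.build.toplevel` to confirm it is a derivation and does not build it, so build failures in the ray/s0/ponyo/zoidberg closures will no longer fail this job unless the flake also defines `checks` outputs that build them. If catching build breakage is the purpose of the workflow, keep an explicit build step alongside it, e.g. `run: nix build .#nixosConfigurations.{ray,s0,ponyo,zoidberg}.config.system.build.toplevel`, or wire those toplevels into `checks`. Separately, `BINARY_CACHE_PUSH_SSH_KEY` and `__GITHUB_TOKEN` are no longer referenced anywhere in this file; since the push key was previously written into the workspace and loaded into an agent on a shared `ubuntu-latest` runner, rotate it and remove the `cache-push` authorized key on s0 rather than leaving the now-unused secrets behind in Gitea.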
@@ -0,0 +1,69 @@
+{ config, pkgs, lib, ... }:
+
+# Gitea Actions Runner. Starts 'host' runner that runs directly on the host inside of a nixos container
+# This is useful for providing a real Nix/OS builder to gitea.
+# Warning, NixOS containers are not secure. For example, the container shares the /nix/store
+# Therefore, this should not be used to run untrusted code.
+# To enable, assign a machine the 'gitea-actions-runner' system role
+
+let
+ runnerRole = "gitea-actions-runner";
+ runners = config.machines.roles.${runnerRole};
+ thisMachineIsARunner = builtins.elem config.networking.hostName runners;
+in
+{
+ config = lib.mkIf thisMachineIsARunner {
+ containers.gitea-runner = {
+ ephemeral = true;
+ autoStart = true;
+
+ bindMounts =
+ {
+ "/run/agenix/gitea-actions-runner-token" = {
+ hostPath = "/run/agenix/gitea-actions-runner-token";
+ isReadOnly = true;
+ };
+ "/var/lib/private/gitea-runner" = {
+ hostPath = "/var/lib/private/gitea-runner";
+ isReadOnly = false;
+ };
+ };
+
+ extraFlags = [
+ # Allow podman
+ "--system-call-filter=@keyring"
+ ];
+
+ config = {
+ # TODO: figure out why importing 'allModules' fails
+ # imports = allModules;
+
+ # speeds up evaluation
+ nixpkgs.pkgs = pkgs;
+
+ environment.systemPackages = with pkgs; [
+ nodejs
+ git
+ ];
+
+ services.gitea-actions-runner.instances.inst = {
+ enable = true;
+ name = config.networking.hostName;
+ url = "https://git.neet.dev/";
+ tokenFile = "/run/agenix/gitea-actions-runner-token";
+ labels = [
+ "ubuntu-latest:docker://node:18-bullseye"
+ "nixos:host"
+ ];
+ };
+
+ virtualisation.podman.enable = true;
+ boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
+
+ system.stateVersion = "23.05";
+ };
+ };
+
+ age.secrets.gitea-actions-runner-token.file = ../../secrets/gitea-actions-runner-token.age;
+ };
+}
diff --git a/machines/storage/s0/default.nix b/machines/storage/s0/default.nix
index 0afc8c7..e2ffdda 100644
--- a/machines/storage/s0/default.nix
+++ b/machines/storage/s0/default.nix
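Review bot: `containers.gitea-runner` never sets `privateNetwork`, and the NixOS-container default is `false`, so the runner process — and every job scheduled on the `nixos:host` label, plus, unless podman is configured otherwise, the job containers it launches — shares the host's network namespace and can reach anything bound to the host's loopback (the binary cache on port 5000 and whatever else the storage host serves locally). The header comment only warns that `/nix/store` is shared; host network access is a larger exposure and should either be removed with `privateNetwork = true;` plus `hostAddress`/`localAddress` and NAT for outbound traffic, or at least stated in the comment (`# NOTE: the container also shares the host network namespace; jobs can reach host-local services`). Two smaller points: `"ubuntu-latest:docker://node:18-bullseye"` pulls a mutable Docker Hub tag on every job, so pin it by digest (`node:18-bullseye@sha256:...`) to keep the job image from changing underneath the workflow; and `--system-call-filter=@keyring` widens the container's seccomp allow-list for all processes in it, which is fine for podman but worth noting in the `# Allow podman` comment so it is not widened further without thought.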
@@ -9,20 +9,6 @@
 # system.autoUpgrade.enable = true;
- # gitea runner and allow it to build ARM derivationsFV
- services.gitea-actions-runner.instances.inst = {
- enable = true;
- name = config.networking.hostName;
- url = "https://git.neet.dev/";
- tokenFile = "/run/agenix/gitea-actions-runner-token";
- labels = [
- "debian-latest:docker://catthehacker/ubuntu:act-latest"
- "ubuntu-latest:docker://catthehacker/ubuntu:act-latest"
- ];
- };
- virtualisation.podman.enable = true;
- age.secrets.gitea-actions-runner-token.file = ../../../secrets/gitea-actions-runner-token.age;
- boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; # todo: still needed?
 nix.gc.automatic = lib.mkForce false; # allow the nix store to serve as a build cache
 # binary cache
diff --git a/secrets/gitea-actions-runner-token.age b/secrets/gitea-actions-runner-token.age
index a10a9dc..10adf5c 100644
Binary files a/secrets/gitea-actions-runner-token.age and b/secrets/gitea-actions-runner-token.age differ
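Review bot: Dropping `boot.binfmt.emulatedSystems = [ "aarch64-linux" ];` from the s0 host looks like a regression rather than a cleanup: binfmt_misc registrations are kernel-global and a systemd-nspawn container normally cannot write to `/proc/sys/fs/binfmt_misc`, so the same setting placed inside the new `containers.gitea-runner` config most likely cannot register the qemu-aarch64 handler by itself, and aarch64 builds on this runner would stop working. If that holds, the `# todo: still needed?` answers itself: keep the line on the host (or set it from the role module alongside `containers.gitea-runner` rather than inside it) and verify after deploy with `ls /proc/sys/fs/binfmt_misc/` from inside the container. The move of `age.secrets.gitea-actions-runner-token` into the role module is consistent with the rest of the change; just confirm no other host still references the old `../../../secrets/...` path.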