Attempt at using nixos CI builder

2023-10-18 20:57:06 -06:00
parent 63c0f52955
commit 299744c8c5
5 changed files with 75 additions and 45 deletions
--- a/common/server/default.nix
+++ b/common/server/default.nix
@@ -18,5 +18,6 @@
    ./nextcloud.nix
    ./iodine.nix
    ./searx.nix
+    ./gitea-actions-runner.nix
  ];
 }
--- a/common/server/gitea-actions-runner.nix
+++ b/common/server/gitea-actions-runner.nix
@@ -0,0 +1,69 @@
+{ config, pkgs, lib, ... }:
+
+# Gitea Actions Runner. Starts 'host' runner that runs directly on the host inside of a nixos container
+# This is useful for providing a real Nix/OS builder to gitea.
+# Warning, NixOS containers are not secure. For example, the container shares the /nix/store
+# Therefore, this should not be used to run untrusted code.
+# To enable, assign a machine the 'gitea-actions-runner' system role
+
+let
+  runnerRole = "gitea-actions-runner";
+  runners = config.machines.roles.${runnerRole};
+  thisMachineIsARunner = builtins.elem config.networking.hostName runners;
+in
+{
+  config = lib.mkIf thisMachineIsARunner {
+    containers.gitea-runner = {
+      ephemeral = true;
+      autoStart = true;
+
+      bindMounts =
+        {
+          "/run/agenix/gitea-actions-runner-token" = {
+            hostPath = "/run/agenix/gitea-actions-runner-token";
+            isReadOnly = true;
+          };
+          "/var/lib/private/gitea-runner" = {
+            hostPath = "/var/lib/private/gitea-runner";
+            isReadOnly = false;
+          };
+        };
+
+      extraFlags = [
+        # Allow podman
+        "--system-call-filter=@keyring"
+      ];
+
+      config = {
+        # TODO: figure out why importing 'allModules' fails
+        # imports = allModules;
+
+        # speeds up evaluation
+        nixpkgs.pkgs = pkgs;
+
+        environment.systemPackages = with pkgs; [
+          nodejs
+          git
+        ];
+
+        services.gitea-actions-runner.instances.inst = {
+          enable = true;
+          name = config.networking.hostName;
+          url = "https://git.neet.dev/";
+          tokenFile = "/run/agenix/gitea-actions-runner-token";
+          labels = [
+            "ubuntu-latest:docker://node:18-bullseye"
+            "nixos:host"
+          ];
+        };
+
+        virtualisation.podman.enable = true;
+        boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
+
+        system.stateVersion = "23.05";
+      };
+    };
+
+    age.secrets.gitea-actions-runner-token.file = ../../secrets/gitea-actions-runner-token.age;
+  };
+}