From 3611243a7d2335a3dceeb0e2bc2f85341ce1ecac Mon Sep 17 00:00:00 2001
From: Zuckerberg
Date: Sat, 30 Sep 2023 23:12:41 -0600
Subject: [PATCH] wip
---
 .gitea/workflows/check-flake.yaml | 24 +++++----
 common/server/default.nix | 1 -
 common/server/gitea-runner.nix | 52 -------------------
 flake.lock | 8 +--
 flake.nix | 2 +-
 machines/phil/default.nix | 18 ++++++-
 machines/phil/properties.nix | 2 +-
 ...properties.nix => properties.nix.disabled} | 0
 machines/storage/s0/default.nix | 21 ++++++--
 machines/storage/s0/properties.nix | 1 +
 secrets/gitea-actions-runner-token.age | 10 ++++
 secrets/secrets.nix | 3 ++
 12 files changed, 69 insertions(+), 73 deletions(-)
 delete mode 100644 common/server/gitea-runner.nix
 rename machines/router/{properties.nix => properties.nix.disabled} (100%)
 create mode 100644 secrets/gitea-actions-runner-token.age
diff --git a/.gitea/workflows/check-flake.yaml b/.gitea/workflows/check-flake.yaml
index 95f84c1..1fa0d8f 100644
--- a/.gitea/workflows/check-flake.yaml
+++ b/.gitea/workflows/check-flake.yaml
@@ -12,16 +12,16 @@ env:
 jobs:
   check-flake:
-    runs-on: nixos
+    runs-on: ubuntu-latest
     steps:
-      # - run: node --version
-      # - name: Install basic dependencies
-      #   run: apt-get update && apt-get install -y --no-install-recommends sudo curl ca-certificates xz-utils
+      - run: node --version
+      - name: Install basic dependencies
+        run: apt-get update && apt-get install -y --no-install-recommends sudo curl ca-certificates xz-utils
-      # - name: Install Nix
-      #   uses: https://github.com/cachix/install-nix-action@v20
-      #   with:
-      #     github_access_token: ${{ secrets.__GITHUB_TOKEN }}
+      - name: Install Nix
+        uses: https://github.com/cachix/install-nix-action@v20
+        with:
+          github_access_token: ${{ secrets.__GITHUB_TOKEN }}
       - name: Install dependencies
         run: nix profile install nixpkgs#nodejs-18_x
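Review bot: `uses: https://github.com/cachix/install-nix-action@v20` is pinned to a mutable tag and is handed `secrets.__GITHUB_TOKEN`, so each run executes whatever that tag currently points at and gives it the token; pin the action to a full commit id (`uses: https://github.com/cachix/install-nix-action@<commit-sha>  # v20`) and keep the token scoped to the minimum the action needs. With the runner labels added in machines/phil/default.nix in this same commit, `runs-on: ubuntu-latest` resolves to a Debian `node:18-bullseye` container, which is why an `apt-get` step is expected to work at all; a one-line comment above `runs-on:` saying so would save the next reader a search through the host configs.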
@@ -31,8 +31,12 @@ jobs:
         with:
           fetch-depth: 0
-      # - name: Get ENV var names
-      #   run: printenv | cut -d'=' -f1
+      - name: Get ENV var names
+        run: printenv | cut -d'=' -f1
+
+      - name: List files in the repository
+        run: |
+          ls ${{ gitea.workspace }}
       - name: Check Flake
         run: nix flake check --show-trace
\ No newline at end of file
diff --git a/common/server/default.nix b/common/server/default.nix
index c646555..362d1e9 100644
--- a/common/server/default.nix
+++ b/common/server/default.nix
@@ -10,7 +10,6 @@
     ./matrix.nix
     ./zerobin.nix
     ./gitea.nix
-    ./gitea-runner.nix
     ./privatebin/privatebin.nix
     ./radio.nix
     ./samba.nix
diff --git a/common/server/gitea-runner.nix b/common/server/gitea-runner.nix
deleted file mode 100644
index b57b056..0000000
--- a/common/server/gitea-runner.nix
+++ /dev/null
@@ -1,52 +0,0 @@
-{ config, pkgs, lib, ... }:
-
-let
-  cfg = config.services.gitea-runner;
-in
-{
-  options.services.gitea-runner = {
-    enable = lib.mkEnableOption "Enables gitea runner";
-    dataDir = lib.mkOption {
-      default = "/var/lib/gitea-runner";
-      type = lib.types.str;
-      description = lib.mdDoc "gitea runner data directory.";
-    };
-  };
-
-  config = lib.mkIf cfg.enable {
-    virtualisation.docker.enable = true;
-
-    users.users.gitea-runner = {
-      description = "Gitea Runner Service";
-      home = cfg.dataDir;
-      useDefaultShell = true;
-      group = "gitea-runner";
-      isSystemUser = true;
-      createHome = true;
-      extraGroups = [
-        "docker" # allow creating docker containers
-      ];
-    };
-    users.groups.gitea-runner = { };
-
-    systemd.services.gitea-runner = {
-      description = "Gitea Runner";
-
-      serviceConfig = {
-        WorkingDirectory = cfg.dataDir;
-        User = "gitea-runner";
-        Group = "gitea-runner";
-      };
-
-      requires = [ "network-online.target" ];
-      after = [ "network.target" "network-online.target" ];
-      wantedBy = [ "multi-user.target" ];
-
-      path = with pkgs; [ gitea-actions-runner ];
-
-      script = ''
-        exec act_runner daemon
-      '';
-    };
-  };
-}
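Review bot: `ls ${{ gitea.workspace }}` interpolates a workflow expression straight into the `run:` shell script, which is the script-injection shape to avoid even when, as here, the value is runner-controlled; read it from the environment instead (`run: ls "$GITHUB_WORKSPACE"`, assuming act_runner exports that variable for GitHub compatibility — confirm) so the pattern is not copied later for an expression that is user-controlled. The `printenv | cut -d'=' -f1` step prints only variable names, not values, so it does not leak secret material, but both new steps read as debugging scaffolding in a `wip` commit and should be dropped or at least prefixed with a `# debug:` comment before this lands. The `\ No newline at end of file` marker shows the file still ends without a trailing newline.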
diff --git a/flake.lock b/flake.lock
index b677064..f3a86dd 100644
--- a/flake.lock
+++ b/flake.lock
@@ -185,16 +185,16 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1691888369,
-        "narHash": "sha256-fBS5YOyiziv7tmR+yCJHr1Tm15Ve4PO1syyJwE9Xnuc=",
+        "lastModified": 1695825837,
+        "narHash": "sha256-4Ne11kNRnQsmSJCRSSNkFRSnHC4Y5gPDBIQGjjPfJiU=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "a4d0fe7270cc03eeb1aba4e8b343fe47bfd7c4d5",
+        "rev": "5cfafa12d57374f48bcc36fda3274ada276cf69e",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "master",
+        "ref": "nixos-23.05",
         "repo": "nixpkgs",
         "type": "github"
       }
diff --git a/flake.nix b/flake.nix
index 9c111d5..19b7a03 100644
--- a/flake.nix
+++ b/flake.nix
@@ -1,6 +1,6 @@
 {
   inputs = {
-    nixpkgs.url = "github:NixOS/nixpkgs/master";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.05";
     flake-utils.url = "github:numtide/flake-utils";
diff --git a/machines/phil/default.nix b/machines/phil/default.nix
index 10e299f..887a1ab 100644
--- a/machines/phil/default.nix
+++ b/machines/phil/default.nix
@@ -6,5 +6,21 @@
   ];
   networking.hostName = "phil";
-  services.gitea-runner.enable = true;
+
+  services.gitea-actions-runner.instances.inst = {
+    enable = true;
+    name = config.networking.hostName;
+    url = "https://git.neet.dev/";
+    tokenFile = "/run/agenix/gitea-actions-runner-token";
+    labels = [
+      # provide a debian base with nodejs for actions
+      "debian-latest:docker://node:18-bullseye"
+      # fake the ubuntu name, because node provides no ubuntu builds
+      "ubuntu-latest:docker://node:18-bullseye"
+      # provide native execution on the host
+      #"native:host"
+    ];
+  };
+  virtualisation.docker.enable = true;
+  age.secrets.gitea-actions-runner-token.file = ../../secrets/gitea-actions-runner-token.age;
 }
diff --git a/machines/phil/properties.nix b/machines/phil/properties.nix
index 519e9e5..622ac97 100644
--- a/machines/phil/properties.nix
+++ b/machines/phil/properties.nix
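Review bot: The runner block in machines/phil/default.nix (`services.gitea-actions-runner.instances.inst = { … }` through `age.secrets.gitea-actions-runner-token.file`) is duplicated verbatim in machines/storage/s0/default.nix in this same commit; now that both hosts carry the `gitea-actions-runner` role in their properties.nix, move the block into a shared module under common/ that enables itself on that role, leaving only the per-host age path, so the URL, token path and label list cannot drift between the two runners. Keep `#"native:host"` commented unless host execution is deliberately wanted: that label would run any workflow requesting it directly on the host under the runner service's account rather than in a container. Note also that `virtualisation.docker.enable = true` together with `docker://` labels gives every workflow accepted from `https://git.neet.dev/` access to docker on this host, which is generally equivalent to host root, so the set of repositories allowed to use Actions on the instance is what bounds the blast radius; a comment next to `virtualisation.docker.enable` stating this would help whoever later widens that set.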
@@ -8,8 +8,8 @@ systemRoles = [ "server" - "gitea-runner" "nix-builder" + "gitea-actions-runner" ]; hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBlgRPpuUkZqe8/lHugRPm/m2vcN9psYhh5tENHZt9I2"; diff --git a/machines/router/properties.nix b/machines/router/properties.nix.disabled similarity index 100% rename from machines/router/properties.nix rename to machines/router/properties.nix.disabled diff --git a/machines/storage/s0/default.nix b/machines/storage/s0/default.nix index 3185229..eb2f74c 100644 --- a/machines/storage/s0/default.nix +++ b/machines/storage/s0/default.nix @@ -9,9 +9,24 @@ # system.autoUpgrade.enable = true; - # gitea runner and allow it to build ARM derivations - services.gitea-runner.enable = true; - boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; + # gitea runner and allow it to build ARM derivationsFV + services.gitea-actions-runner.instances.inst = { + enable = true; + name = config.networking.hostName; + url = "https://git.neet.dev/"; + tokenFile = "/run/agenix/gitea-actions-runner-token"; + labels = [ + # provide a debian base with nodejs for actions + "debian-latest:docker://node:18-bullseye" + # fake the ubuntu name, because node provides no ubuntu builds + "ubuntu-latest:docker://node:18-bullseye" + # provide native execution on the host + #"native:host" + ]; + }; + virtualisation.docker.enable = true; + age.secrets.gitea-actions-runner-token.file = ../../../secrets/gitea-actions-runner-token.age; + boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; # todo: still needed? nix.gc.automatic = lib.mkForce false; # allow the nix store to serve as a build cache # binary cache diff --git a/machines/storage/s0/properties.nix b/machines/storage/s0/properties.nix index f420be7..c9e1e55 100644 --- a/machines/storage/s0/properties.nix +++ b/machines/storage/s0/properties.nix @@ -10,6 +10,7 @@ "server" "pia" "binary-cache" + "gitea-actions-runner" ]; hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAwiXcUFtAvZCayhu4+AIcF+Ktrdgv9ee/mXSIhJbp4q"; 
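Review bot: The comment on the first added line of the machines/storage/s0/default.nix hunk ends in a stray `FV` (`# gitea runner and allow it to build ARM derivationsFV`); restore it to `# gitea runner and allow it to build ARM derivations`. The rest of the block is a copy of the one added to machines/phil/default.nix (see the note there about factoring it into a shared role-gated module); the only host-specific line is the `../../../secrets/gitea-actions-runner-token.age` path, which such a module could derive. `boot.binfmt.emulatedSystems = [ "aarch64-linux" ]` is kept below the block, and the nearby `# todo: still needed?` should name the line it refers to, since the comment above the block now implies the runner itself builds ARM derivations.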
diff --git a/secrets/gitea-actions-runner-token.age b/secrets/gitea-actions-runner-token.age new file mode 100644 index 0000000..76c4bdc --- /dev/null +++ b/secrets/gitea-actions-runner-token.age @@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> ssh-ed25519 hPp1nw H88561/4YspJuLV0lOA7mfeHjwL291W/N3HWmiq8E0M +mqLeaNk2B2OUZo4NEDLicpSN9Qw1NAsLOSCb3Ar+iXA +-> ssh-ed25519 dMQYog CUuZSrofDHbBLtxgc4kg2h3Qgs99c3oudBGGV0iP/24 +9D/ZjZqJh8XeUo/UFA6ojcJIlwUqYSg+Itx2vREXdas +-> p-grease #!rAT w\]efbQ +/WNOqhMfFrl1holyeok7pf/joMso1LtjbB00BeUGecVdkDhj71TxLgc+5tor/3D/ +FC65ymMPL2t1j/G+qcow19X6bjWkytY +--- XDThYXsCIJLrOEBXbKwpnRSzvcBuVp+NiQ2Uung74fk +L93%g\qcZH\7ߗ܁LiWu]T=Hjl%HfW= jΓ˭J 1aK \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index acf5a25..456fb03 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -43,4 +43,7 @@ with roles; # backups "backblaze-s3-backups.age".publicKeys = personal ++ server; "restic-password.age".publicKeys = personal ++ server; + + # gitea actions runner + "gitea-actions-runner-token.age".publicKeys = gitea-actions-runner; }
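Review bot: `"gitea-actions-runner-token.age".publicKeys = gitea-actions-runner;` lists only the runner hosts as recipients, whereas the neighbouring entries use `personal ++ server`; if `personal` holds the operator keys used to edit and rekey secrets, this file can now only be re-encrypted from one of the two runner hosts (the new .age header carries exactly two ssh-ed25519 recipients), so `personal ++ gitea-actions-runner` is probably what is wanted. If the narrower recipient set is intentional, a one-line comment saying why would stop the next editor from "fixing" it. Since this is the registration token for `https://git.neet.dev/`, treat it like any credential and rotate it in Gitea if it ever existed unencrypted in the working tree before this commit.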