From 832894edfcd8470b19af23ce2de555fd22a67a7d Mon Sep 17 00:00:00 2001
From: Zuckerberg
Date: Sun, 23 Apr 2023 10:29:18 -0600
Subject: [PATCH] Gitea runner
---
 common/server/default.nix | 1 +
 common/server/gitea-runner.nix | 98 ++++++++++++++++++++
 common/server/gitea.nix | 3 +
 machines/phil/default.nix | 4 +
 machines/phil/hardware-configuration.nix | 8 +-
 machines/phil/properties.nix | 5 +-
 secrets/gitea-runner-registration-token.age | Bin 0 -> 536 bytes
 secrets/secrets.nix | 3 +
 8 files changed, 116 insertions(+), 6 deletions(-)
 create mode 100644 common/server/gitea-runner.nix
 create mode 100644 secrets/gitea-runner-registration-token.age
diff --git a/common/server/default.nix b/common/server/default.nix
index 362d1e9..c646555 100644
--- a/common/server/default.nix
+++ b/common/server/default.nix
@@ -10,6 +10,7 @@
 ./matrix.nix
 ./zerobin.nix
 ./gitea.nix
+ ./gitea-runner.nix
 ./privatebin/privatebin.nix
 ./radio.nix
 ./samba.nix
diff --git a/common/server/gitea-runner.nix b/common/server/gitea-runner.nix
new file mode 100644
index 0000000..f5f4a17
--- /dev/null
+++ b/common/server/gitea-runner.nix
@@ -0,0 +1,98 @@
+{ config, pkgs, lib, ... }:
+
+let
+ cfg = config.services.gitea-runner;
+in
+{
+ options.services.gitea-runner = {
+ enable = lib.mkEnableOption "Enables gitea runner";
+ dataDir = lib.mkOption {
+ default = "/var/lib/gitea-runner";
+ type = lib.types.str;
+ description = lib.mdDoc "gitea runner data directory.";
+ };
+ instanceUrl = lib.mkOption {
+ type = lib.types.str;
+ };
+ registrationTokenFile = lib.mkOption {
+ type = lib.types.path;
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ virtualisation.docker.enable = true;
+
+ users.users.gitea-runner = {
+ description = "Gitea Runner Service";
+ home = cfg.dataDir;
+ useDefaultShell = true;
+ group = "gitea-runner";
+ isSystemUser = true;
+ createHome = true;
+ extraGroups = [
+ "docker" # allow creating docker containers
+ ];
+ };
+ users.groups.gitea-runner = { };
+
+ # registration token
+ services.gitea-runner.registrationTokenFile = "/run/agenix/gitea-runner-registration-token";
+ age.secrets.gitea-runner-registration-token = {
+ file = ../../secrets/gitea-runner-registration-token.age;
+ owner = "gitea-runner";
+ };
+
+ systemd.services.gitea-runner = {
+ description = "Gitea Runner";
+
+ serviceConfig = {
+ WorkingDirectory = cfg.dataDir;
+ User = "gitea-runner";
+ Group = "gitea-runner";
+ };
+
+ requires = [ "network-online.target" ];
+ after = [ "network.target" "network-online.target" ];
+ wantedBy = [ "multi-user.target" ];
+
+ path = with pkgs; [ gitea-actions-runner ];
+
+ # based on https://gitea.com/gitea/act_runner/src/branch/main/run.sh
+ script = ''
+ . ${cfg.registrationTokenFile}
+
+ if [[ ! -s .runner ]]; then
+ try=$((try + 1))
+ success=0
+
+ LOGFILE="$(mktemp)"
+
+ # The point of this loop is to make it simple, when running both act_runner and gitea in docker,
+ # for the act_runner to wait a moment for gitea to become available before erroring out. Within
+ # the context of a single docker-compose, something similar could be done via healthchecks, but
+ # this is more flexible.
+ while [[ $success -eq 0 ]] && [[ $try -lt ''${10:-10} ]]; do
+ act_runner register \
+ --instance "${cfg.instanceUrl}" \
+ --token "$GITEA_RUNNER_REGISTRATION_TOKEN" \
+ --name "${config.networking.hostName}" \
+ --no-interactive > $LOGFILE 2>&1
+
+ cat $LOGFILE
+
+ cat $LOGFILE | grep 'Runner registered successfully' > /dev/null
+ if [[ $? -eq 0 ]]; then
+ echo "SUCCESS"
+ success=1
+ else
+ echo "Waiting to retry ..."
+ sleep 5
+ fi
+ done
+ fi
+
+ exec act_runner daemon
+ '';
+ };
+ };
+}
diff --git a/common/server/gitea.nix b/common/server/gitea.nix
index 31ee0a7..2c741a0 100644
--- a/common/server/gitea.nix
+++ b/common/server/gitea.nix
@@ -39,6 +39,9 @@ in
 USER = "robot@runyan.org";
 FROM = "no-reply@neet.dev";
 };
+ actions = {
+ ENABLED = true;
+ };
 };
 mailerPasswordFile = "/run/agenix/robots-email-pw";
 };
diff --git a/machines/phil/default.nix b/machines/phil/default.nix
index 8dac03c..5cc61c7 100644
--- a/machines/phil/default.nix
+++ b/machines/phil/default.nix
@@ -6,4 +6,8 @@ ]; networking.hostName = "phil"; + services.gitea-runner = { + enable = true; + instanceUrl = "https://git.neet.dev"; + }; }
diff --git a/machines/phil/hardware-configuration.nix b/machines/phil/hardware-configuration.nix
index 4ab0cd6..6f7efe3 100644
--- a/machines/phil/hardware-configuration.nix
+++ b/machines/phil/hardware-configuration.nix
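Review bot: The registration retry loop in `script` cannot actually retry: NixOS runs systemd `script` bodies under `bash -e`, so the standalone pipeline `cat $LOGFILE | grep 'Runner registered successfully' > /dev/null` terminates the script on the first non-match before `if [[ $? -eq 0 ]]` is reached, and since the unit sets no `Restart=` it simply dies while gitea is still coming up; test the grep in the condition instead, `if grep -q 'Runner registered successfully' "$LOGFILE"; then`, and quote `"$LOGFILE"` in the redirect and `cat` lines. `registrationTokenFile` is declared as `lib.types.path` with no description, yet `. ${cfg.registrationTokenFile}` sources it as shell, so the decrypted agenix secret must be a shell fragment assigning `GITEA_RUNNER_REGISTRATION_TOKEN` and any other content of that file is executed as the runner user; a description such as `"Shell fragment that sets GITEA_RUNNER_REGISTRATION_TOKEN; sourced by the service."` would pin that contract down (`instanceUrl` lacks a description as well). The token is then passed as `--token "$GITEA_RUNNER_REGISTRATION_TOKEN"`, which makes it readable in the process list by every local user for the duration of `act_runner register`; if the packaged act_runner can take the token from a config file or the environment, prefer that. The `mktemp` log file is never removed either, so each failed start leaves one behind; add `rm -f "$LOGFILE"` after the loop.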
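Review bot: `actions.ENABLED = true` switches Actions on for the whole instance, while the runner this commit registers (common/server/gitea-runner.nix) executes jobs as a user in the `docker` group, which is root-equivalent on phil; together that means anyone able to get a workflow dispatched to that runner can reach root on the host, and the blast radius is bounded only by who can push workflows on git.neet.dev and by the scope of the registration token. I would record that trade-off beside this line, e.g. `# Jobs run on phil via gitea-runner, whose user is in the docker group (root-equivalent there)`, and consider rootless docker/podman or a dedicated VM for the runner before untrusted repositories can use it. The attribute set that `actions` is added to starts outside the hunk.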
@@ -21,24 +21,24 @@ boot.extraModulePackages = [ ]; boot.initrd.luks.devices."enc-pv" = { - device = "/dev/disk/by-uuid/9f1727c7-1e95-47b9-9807-8f38531eed47"; + device = "/dev/disk/by-uuid/d26c1820-4c39-4615-98c2-51442504e194"; allowDiscards = true; }; fileSystems."/" = { - device = "/dev/mapper/vg-root"; + device = "/dev/disk/by-uuid/851bfde6-93cd-439e-9380-de28aa87eda9"; fsType = "btrfs"; }; fileSystems."/boot" = { - device = "/dev/disk/by-uuid/EC6B-53AA"; + device = "/dev/disk/by-uuid/F185-C4E5"; fsType = "vfat"; }; swapDevices = - [{ device = "/dev/disk/by-uuid/b916094f-cf2a-4be7-b8f1-674ba6473061"; }]; + [{ device = "/dev/disk/by-uuid/d809e3a1-3915-405a-a200-4429c5efdf87"; }]; networking.interfaces.enp0s6.useDHCP = lib.mkDefault true;
diff --git a/machines/phil/properties.nix b/machines/phil/properties.nix
index 7fbaf25..c7f1d07 100644
--- a/machines/phil/properties.nix
+++ b/machines/phil/properties.nix
@@ -8,12 +8,13 @@ systemRoles = [ "server" + "gitea-runner" ]; - hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBlOs6mTZCSJL/XM6NysHN0ZNQAyj2GEwBV2Ze6NxRmr"; + hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBlgRPpuUkZqe8/lHugRPm/m2vcN9psYhh5tENHZt9I2"; remoteUnlock = { - hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAqy9X/m67oXJBX+OMdIqpiLONYc5aQ2nHeEPAaj/vgN"; + hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK0RodotOXLMy/w70aa096gaNqPBnfgiXR5ZAH4+wGzd"; clearnetHost = "unlock.phil.neet.dev"; }; }
diff --git a/secrets/gitea-runner-registration-token.age b/secrets/gitea-runner-registration-token.age
new file mode 100644
index 0000000000000000000000000000000000000000..bf56a8416723941961527b4fc26ecccaa3e734f0
GIT binary patch
literal 536
zcmZ9_yNlCs003a;;Nl=oVtgQSM@*WwX-eTBP0}RIrA_)vAL$9&CTY^NO`1oWCZZq+ zf=b4Q-XFc>(5AI9H+TLtXIllMV|J z71U8Msxj3FKCEJ#fP#jiWn^+nEda$fXa%4}%I*;b{r}C76wR~XM2Ye^8P|p_o~Lsi z49%n!CuZ{5PTXKLqfHvXWhc`@(-oi!D@75`tOpn%Rt=PA2I{mfi2YD)rz_e`XfPB>yFq=F*}xJ zE^SvR)*L8)jYbIwK@d1=05Ns?MVhFYL`JdN6L%aIx{JBzIhrK`Rx8Tw^?6s-Lumj0 z@b+?T<=&&Sdt2R)N5A|yeEO34^y}x{&bPNG&YV0S;8&l0FyhC~PU*<^3kNOzVAnfd zc(MKD^0m*K%jLtBSDWX4|9P|j^~Rm+r)K!AR_pNe);nx>kEfBF54Ml>y!ShP;rZ(; Fe*qvL!tDS6
literal 0
HcmV?d00001
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 7fe5b8d..bb1df05 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -18,6 +18,9 @@ with roles; "hashed-robots-email-pw.age".publicKeys = email-server; "robots-email-pw.age".publicKeys = gitea; + # gitea + "gitea-runner-registration-token.age".publicKeys = gitea-runner; + # vpn "iodine.age".publicKeys = iodine; "pia-login.age".publicKeys = pia;