Gitea runner

common/server/default.nix

@@ -10,6 +10,7 @@
     ./matrix.nix
     ./zerobin.nix
     ./gitea.nix
+    ./gitea-runner.nix
     ./privatebin/privatebin.nix
     ./radio.nix
     ./samba.nix

common/server/gitea-runner.nix

@@ -0,0 +1,98 @@
+{ config, pkgs, lib, ... }:
+
+let
+  cfg = config.services.gitea-runner;
+in
+{
+  options.services.gitea-runner = {
+    enable = lib.mkEnableOption "Enables gitea runner";
+    dataDir = lib.mkOption {
+      default = "/var/lib/gitea-runner";
+      type = lib.types.str;
+      description = lib.mdDoc "gitea runner data directory.";
+    };
+    instanceUrl = lib.mkOption {
+      type = lib.types.str;
+    };
+    registrationTokenFile = lib.mkOption {
+      type = lib.types.path;
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    virtualisation.docker.enable = true;
+
+    users.users.gitea-runner = {
+      description = "Gitea Runner Service";
+      home = cfg.dataDir;
+      useDefaultShell = true;
+      group = "gitea-runner";
+      isSystemUser = true;
+      createHome = true;
+      extraGroups = [
+        "docker" # allow creating docker containers
+      ];
+    };
+    users.groups.gitea-runner = { };
+
+    # registration token
+    services.gitea-runner.registrationTokenFile = "/run/agenix/gitea-runner-registration-token";
+    age.secrets.gitea-runner-registration-token = {
+      file = ../../secrets/gitea-runner-registration-token.age;
+      owner = "gitea-runner";
+    };
+
+    systemd.services.gitea-runner = {
+      description = "Gitea Runner";
+
+      serviceConfig = {
+        WorkingDirectory = cfg.dataDir;
+        User = "gitea-runner";
+        Group = "gitea-runner";
+      };
+
+      requires = [ "network-online.target" ];
+      after = [ "network.target" "network-online.target" ];
+      wantedBy = [ "multi-user.target" ];
+
+      path = with pkgs; [ gitea-actions-runner ];
+
+      # based on https://gitea.com/gitea/act_runner/src/branch/main/run.sh
+      script = ''
+        . ${cfg.registrationTokenFile}
+
+        if [[ ! -s .runner ]]; then
+          try=$((try + 1))
+          success=0
+
+          LOGFILE="$(mktemp)"
+
+          # The point of this loop is to make it simple, when running both act_runner and gitea in docker,
+          # for the act_runner to wait a moment for gitea to become available before erroring out.  Within
+          # the context of a single docker-compose, something similar could be done via healthchecks, but
+          # this is more flexible.
+          while [[ $success -eq 0 ]] && [[ $try -lt ''${10:-10} ]]; do
+            act_runner register \
+              --instance "${cfg.instanceUrl}" \
+              --token    "$GITEA_RUNNER_REGISTRATION_TOKEN" \
+              --name     "${config.networking.hostName}" \
+              --no-interactive > $LOGFILE 2>&1
+
+            cat $LOGFILE
+
+            cat $LOGFILE | grep 'Runner registered successfully' > /dev/null
+            if [[ $? -eq 0 ]]; then
+              echo "SUCCESS"
+              success=1
+            else
+              echo "Waiting to retry ..."
+              sleep 5
+            fi
+          done
+        fi
+
+        exec act_runner daemon
+      '';
+    };
+  };
+}

common/server/gitea.nix

@@ -39,6 +39,9 @@ in
           USER = "robot@runyan.org";
           FROM = "no-reply@neet.dev";
         };
+        actions = {
+          ENABLED = true;
+        };
       };
       mailerPasswordFile = "/run/agenix/robots-email-pw";
     };

machines/phil/default.nix

@@ -6,4 +6,8 @@
   ];
 
   networking.hostName = "phil";
+  services.gitea-runner = {
+    enable = true;
+    instanceUrl = "https://git.neet.dev";
+  };
 }

machines/phil/hardware-configuration.nix

@@ -21,24 +21,24 @@
   boot.extraModulePackages = [ ];
 
   boot.initrd.luks.devices."enc-pv" = {
-    device = "/dev/disk/by-uuid/9f1727c7-1e95-47b9-9807-8f38531eed47";
+    device = "/dev/disk/by-uuid/d26c1820-4c39-4615-98c2-51442504e194";
     allowDiscards = true;
   };
 
   fileSystems."/" =
     {
-      device = "/dev/mapper/vg-root";
+      device = "/dev/disk/by-uuid/851bfde6-93cd-439e-9380-de28aa87eda9";
       fsType = "btrfs";
     };
 
   fileSystems."/boot" =
     {
-      device = "/dev/disk/by-uuid/EC6B-53AA";
+      device = "/dev/disk/by-uuid/F185-C4E5";
       fsType = "vfat";
     };
 
   swapDevices =
-    [{ device = "/dev/disk/by-uuid/b916094f-cf2a-4be7-b8f1-674ba6473061"; }];
+    [{ device = "/dev/disk/by-uuid/d809e3a1-3915-405a-a200-4429c5efdf87"; }];
 
   networking.interfaces.enp0s6.useDHCP = lib.mkDefault true;
 

machines/phil/properties.nix

@@ -8,12 +8,13 @@
 
   systemRoles = [
     "server"
+    "gitea-runner"
   ];
 
-  hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBlOs6mTZCSJL/XM6NysHN0ZNQAyj2GEwBV2Ze6NxRmr";
+  hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBlgRPpuUkZqe8/lHugRPm/m2vcN9psYhh5tENHZt9I2";
 
   remoteUnlock = {
-    hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAqy9X/m67oXJBX+OMdIqpiLONYc5aQ2nHeEPAaj/vgN";
+    hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK0RodotOXLMy/w70aa096gaNqPBnfgiXR5ZAH4+wGzd";
     clearnetHost = "unlock.phil.neet.dev";
   };
 }

secrets/secrets.nix

@@ -18,6 +18,9 @@ with roles;
   "hashed-robots-email-pw.age".publicKeys = email-server;
   "robots-email-pw.age".publicKeys = gitea;
 
+  # gitea
+  "gitea-runner-registration-token.age".publicKeys = gitea-runner;
+
   # vpn
   "iodine.age".publicKeys = iodine;
   "pia-login.age".publicKeys = pia;