Gitea runner

2023-04-23 10:29:18 -06:00 · 2023-04-23 10:29:18 -06:00 · 832894edfc
commit 832894edfc
parent feb6270952
8 changed files with 116 additions and 6 deletions
--- a/common/server/default.nix
+++ b/common/server/default.nix
@ -10,6 +10,7 @@
    ./matrix.nix
    ./zerobin.nix
    ./gitea.nix
+    ./gitea-runner.nix
    ./privatebin/privatebin.nix
    ./radio.nix
    ./samba.nix
--- a/common/server/gitea-runner.nix
+++ b/common/server/gitea-runner.nix
@ -0,0 +1,98 @@
+{ config, pkgs, lib, ... }:
+
+let
+  cfg = config.services.gitea-runner;
+in
+{
+  options.services.gitea-runner = {
+    enable = lib.mkEnableOption "Enables gitea runner";
+    dataDir = lib.mkOption {
+      default = "/var/lib/gitea-runner";
+      type = lib.types.str;
+      description = lib.mdDoc "gitea runner data directory.";
+    };
+    instanceUrl = lib.mkOption {
+      type = lib.types.str;
+    };
+    registrationTokenFile = lib.mkOption {
+      type = lib.types.path;
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    virtualisation.docker.enable = true;
+
+    users.users.gitea-runner = {
+      description = "Gitea Runner Service";
+      home = cfg.dataDir;
+      useDefaultShell = true;
+      group = "gitea-runner";
+      isSystemUser = true;
+      createHome = true;
+      extraGroups = [
+        "docker" # allow creating docker containers
+      ];
+    };
+    users.groups.gitea-runner = { };
+
+    # registration token
+    services.gitea-runner.registrationTokenFile = "/run/agenix/gitea-runner-registration-token";
+    age.secrets.gitea-runner-registration-token = {
+      file = ../../secrets/gitea-runner-registration-token.age;
+      owner = "gitea-runner";
+    };
+
+    systemd.services.gitea-runner = {
+      description = "Gitea Runner";
+
+      serviceConfig = {
+        WorkingDirectory = cfg.dataDir;
+        User = "gitea-runner";
+        Group = "gitea-runner";
+      };
+
+      requires = [ "network-online.target" ];
+      after = [ "network.target" "network-online.target" ];
+      wantedBy = [ "multi-user.target" ];
+
+      path = with pkgs; [ gitea-actions-runner ];
+
+      # based on https://gitea.com/gitea/act_runner/src/branch/main/run.sh
+      script = ''
+        . ${cfg.registrationTokenFile}
+
+        if [[ ! -s .runner ]]; then
+          try=$((try + 1))
+          success=0
+
+          LOGFILE="$(mktemp)"
+
+          # The point of this loop is to make it simple, when running both act_runner and gitea in docker,
+          # for the act_runner to wait a moment for gitea to become available before erroring out.  Within
+          # the context of a single docker-compose, something similar could be done via healthchecks, but
+          # this is more flexible.
+          while [[ $success -eq 0 ]] && [[ $try -lt ''${10:-10} ]]; do
+            act_runner register \
+              --instance "${cfg.instanceUrl}" \
+              --token    "$GITEA_RUNNER_REGISTRATION_TOKEN" \
+              --name     "${config.networking.hostName}" \
+              --no-interactive > $LOGFILE 2>&1
+
+            cat $LOGFILE
+
+            cat $LOGFILE | grep 'Runner registered successfully' > /dev/null
+            if [[ $? -eq 0 ]]; then
+              echo "SUCCESS"
+              success=1
+            else
+              echo "Waiting to retry ..."
+              sleep 5
+            fi
+          done
+        fi
+
+        exec act_runner daemon
+      '';
+    };
+  };
+}
--- a/common/server/gitea.nix
+++ b/common/server/gitea.nix
@ -39,6 +39,9 @@ in
          USER = "robot@runyan.org";
          FROM = "no-reply@neet.dev";
        };
+        actions = {
+          ENABLED = true;
+        };
      };
      mailerPasswordFile = "/run/agenix/robots-email-pw";
    };
--- a/machines/phil/default.nix
+++ b/machines/phil/default.nix
@ -6,4 +6,8 @@
  ];

  networking.hostName = "phil";
+  services.gitea-runner = {
+    enable = true;
+    instanceUrl = "https://git.neet.dev";
+  };
 }
--- a/machines/phil/hardware-configuration.nix
+++ b/machines/phil/hardware-configuration.nix
@ -21,24 +21,24 @@
  boot.extraModulePackages = [ ];

  boot.initrd.luks.devices."enc-pv" = {
-    device = "/dev/disk/by-uuid/9f1727c7-1e95-47b9-9807-8f38531eed47";
+    device = "/dev/disk/by-uuid/d26c1820-4c39-4615-98c2-51442504e194";
    allowDiscards = true;
  };

  fileSystems."/" =
    {
-      device = "/dev/mapper/vg-root";
+      device = "/dev/disk/by-uuid/851bfde6-93cd-439e-9380-de28aa87eda9";
      fsType = "btrfs";
    };

  fileSystems."/boot" =
    {
-      device = "/dev/disk/by-uuid/EC6B-53AA";
+      device = "/dev/disk/by-uuid/F185-C4E5";
      fsType = "vfat";
    };

  swapDevices =
-    [{ device = "/dev/disk/by-uuid/b916094f-cf2a-4be7-b8f1-674ba6473061"; }];
+    [{ device = "/dev/disk/by-uuid/d809e3a1-3915-405a-a200-4429c5efdf87"; }];

  networking.interfaces.enp0s6.useDHCP = lib.mkDefault true;

--- a/machines/phil/properties.nix
+++ b/machines/phil/properties.nix
@ -8,12 +8,13 @@

  systemRoles = [
    "server"
+    "gitea-runner"
  ];

-  hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBlOs6mTZCSJL/XM6NysHN0ZNQAyj2GEwBV2Ze6NxRmr";
+  hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBlgRPpuUkZqe8/lHugRPm/m2vcN9psYhh5tENHZt9I2";

  remoteUnlock = {
-    hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAqy9X/m67oXJBX+OMdIqpiLONYc5aQ2nHeEPAaj/vgN";
+    hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK0RodotOXLMy/w70aa096gaNqPBnfgiXR5ZAH4+wGzd";
    clearnetHost = "unlock.phil.neet.dev";
  };
 }
--- a/secrets/gitea-runner-registration-token.age
+++ b/secrets/gitea-runner-registration-token.age
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -18,6 +18,9 @@ with roles;
  "hashed-robots-email-pw.age".publicKeys = email-server;
  "robots-email-pw.age".publicKeys = gitea;

+  # gitea
+  "gitea-runner-registration-token.age".publicKeys = gitea-runner;
+
  # vpn
  "iodine.age".publicKeys = iodine;
  "pia-login.age".publicKeys = pia;