zuckerberg/nix-config
zuckerberg/nix-config
1
0
Fork 0
Code Issues Pull Requests Actions Activity

Fix CI builder
All checks were successful
Check Flake / check-flake (push) Successful in 1m5s
Details

Browse Source
This commit is contained in:
Zuckerberg 2023-10-18 20:57:06 -06:00
parent 63c0f52955
commit 8dfba8646c
7 changed files with 147 additions and 61 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
.gitea/workflows/check-flake.yaml
View File

@ -4,45 +4,21 @@ on: [push]
env:
DEBIAN_FRONTEND: noninteractive
SSH_AUTH_SOCK: /tmp/ssh_agent.sock
PATH: /run/current-system/sw/bin/
jobs:
check-flake:
runs-on: ubuntu-latest
runs-on: nixos
steps:
- name: Install Nix
uses: https://github.com/cachix/install-nix-action@v23
with:
github_access_token: ${{ secrets.__GITHUB_TOKEN }}
extra_nix_config: |
trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= s0.koi-bebop.ts.net:OjbzD86YjyJZpCp9RWaQKANaflcpKhtzBMNP8I2aPUU=
substituters = https://cache.nixos.org/ http://s0.koi-bebop.ts.net:5000
- name: Checkout the repository
uses: actions/checkout@v3
with:
fetch-depth: 0
- run: |
pwd
ls -lah .
whoami
- name: Check Flake
run: |
# Can only build x84_64 for now, so pick out those specifically
# nix flake check --show-trace
nix build .#nixosConfigurations."ray".config.system.build.toplevel
nix build .#nixosConfigurations."s0".config.system.build.toplevel
nix build .#nixosConfigurations."ponyo".config.system.build.toplevel
nix build .#nixosConfigurations."zoidberg".config.system.build.toplevel
- name: Setup SSH For Pushing to Binary Cache
run: |
# Set up push key with ssh-agent
echo "${{ secrets.BINARY_CACHE_PUSH_SSH_KEY }}" | base64 -d > ./.id_ed25519
chmod 600 ./.id_ed25519
eval $(ssh-agent -a $SSH_AUTH_SOCK)
ssh-add ./.id_ed25519
# Add Binary Cache as known host
mkdir -p ~/.ssh
echo "s0.koi-bebop.ts.net ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAwiXcUFtAvZCayhu4+AIcF+Ktrdgv9ee/mXSIhJbp4q" | tee -a ~/.ssh/known_hosts
- name: Copy all built derivations to remote cache
run: nix copy --to ssh://cache-push@s0.koi-bebop.ts.net /nix/store/*
run: nix flake check --show-trace

1
common/server/default.nix
View File

@ -18,5 +18,6 @@
./nextcloud.nix
./iodine.nix
./searx.nix
./gitea-actions-runner.nix
];
}

136
common/server/gitea-actions-runner.nix Normal file
View File

@ -0,0 +1,136 @@
{ config, pkgs, lib, allModules, ... }:
# Gitea Actions Runner. Starts 'host' runner that runs directly on the host inside of a nixos container
# This is useful for providing a real Nix/OS builder to gitea.
# Warning, NixOS containers are not secure. For example, the container shares the /nix/store
# Therefore, this should not be used to run untrusted code.
# To enable, assign a machine the 'gitea-actions-runner' system role
# TODO: skipping running inside of nixos container for now because of issues getting docker/podman running
let
runnerRole = "gitea-actions-runner";
runners = config.machines.roles.${runnerRole};
thisMachineIsARunner = builtins.elem config.networking.hostName runners;
containerName = "gitea-runner";
in
{
config = lib.mkIf (thisMachineIsARunner && !config.boot.isContainer) {
# containers.${containerName} = {
# ephemeral = true;
# autoStart = true;
# # for podman
# enableTun = true;
# # privateNetwork = true;
# # hostAddress = "172.16.101.1";
# # localAddress = "172.16.101.2";
# bindMounts =
# {
# "/run/agenix/gitea-actions-runner-token" = {
# hostPath = "/run/agenix/gitea-actions-runner-token";
# isReadOnly = true;
# };
# "/var/lib/gitea-runner" = {
# hostPath = "/var/lib/gitea-runner";
# isReadOnly = false;
# };
# };
# extraFlags = [
# # Allow podman
# ''--system-call-filter=thisystemcalldoesnotexistforsure''
# ];
# additionalCapabilities = [
# "CAP_SYS_ADMIN"
# ];
# config = {
# imports = allModules;
# # speeds up evaluation
# nixpkgs.pkgs = pkgs;
# networking.hostName = lib.mkForce containerName;
# # don't use remote builders
# nix.distributedBuilds = lib.mkForce false;
# environment.systemPackages = with pkgs; [
# git
# # Gitea Actions rely heavily on node. Include it because it would be installed anyway.
# nodejs
# ];
# services.gitea-actions-runner.instances.inst = {
# enable = true;
# name = config.networking.hostName;
# url = "https://git.neet.dev/";
# tokenFile = "/run/agenix/gitea-actions-runner-token";
# labels = [
# "ubuntu-latest:docker://node:18-bullseye"
# "nixos:host"
# ];
# };
# # To allow building on the host, must override the the service's config so it doesn't use a dynamic user
# systemd.services.gitea-runner-inst.serviceConfig.DynamicUser = lib.mkForce false;
# users.users.gitea-runner = {
# home = "/var/lib/gitea-runner";
# group = "gitea-runner";
# isSystemUser = true;
# createHome = true;
# };
# users.groups.gitea-runner = { };
# virtualisation.podman.enable = true;
# boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
# };
# };
# networking.nat.enable = true;
# networking.nat.internalInterfaces = [
# "ve-${containerName}"
# ];
# networking.ip_forward = true;
# don't use remote builders
nix.distributedBuilds = lib.mkForce false;
services.gitea-actions-runner.instances.inst = {
enable = true;
name = config.networking.hostName;
url = "https://git.neet.dev/";
tokenFile = "/run/agenix/gitea-actions-runner-token";
labels = [
"ubuntu-latest:docker://node:18-bullseye"
"nixos:host"
];
};
environment.systemPackages = with pkgs; [
git
# Gitea Actions rely heavily on node. Include it because it would be installed anyway.
nodejs
];
# To allow building on the host, must override the the service's config so it doesn't use a dynamic user
systemd.services.gitea-runner-inst.serviceConfig.DynamicUser = lib.mkForce false;
users.users.gitea-runner = {
home = "/var/lib/gitea-runner";
group = "gitea-runner";
isSystemUser = true;
createHome = true;
};
users.groups.gitea-runner = { };
virtualisation.podman.enable = true;
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
age.secrets.gitea-actions-runner-token.file = ../../secrets/gitea-actions-runner-token.age;
};
}

13
machines/phil/default.nix
View File

@ -6,17 +6,4 @@
];
networking.hostName = "phil";
services.gitea-actions-runner.instances.inst = {
enable = true;
name = config.networking.hostName;
url = "https://git.neet.dev/";
tokenFile = "/run/agenix/gitea-actions-runner-token";
labels = [
"debian-latest:docker://catthehacker/ubuntu:act-latest"
"ubuntu-latest:docker://catthehacker/ubuntu:act-latest"
];
};
virtualisation.docker.enable = true;
age.secrets.gitea-actions-runner-token.file = ../../secrets/gitea-actions-runner-token.age;
}

14
machines/storage/s0/default.nix
View File

@ -9,20 +9,6 @@
# system.autoUpgrade.enable = true;
# gitea runner and allow it to build ARM derivationsFV
services.gitea-actions-runner.instances.inst = {
enable = true;
name = config.networking.hostName;
url = "https://git.neet.dev/";
tokenFile = "/run/agenix/gitea-actions-runner-token";
labels = [
"debian-latest:docker://catthehacker/ubuntu:act-latest"
"ubuntu-latest:docker://catthehacker/ubuntu:act-latest"
];
};
virtualisation.podman.enable = true;
age.secrets.gitea-actions-runner-token.file = ../../../secrets/gitea-actions-runner-token.age;
boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; # todo: still needed?
nix.gc.automatic = lib.mkForce false; # allow the nix store to serve as a build cache
# binary cache

4
machines/zoidberg/default.nix
View File

@ -63,7 +63,7 @@
};
# Login into X11 plasma so barrier works well
services.xserver.displayManager.defaultSession = "Plasma (X11)";
services.xserver.displayManager.defaultSession = "plasma";
users.users.cris = {
isNormalUser = true;
@ -85,7 +85,7 @@
# Auto login into Plasma in john zoidberg account
# services.xserver.displayManager.sddm.settings = {
# Autologin = {
# Session = "Plasma (X11)";
# Session = "plasma";
# User = "john";
# };
# };

BIN
secrets/gitea-actions-runner-token.age
View File

Binary file not shown.