Fix CI builder

.gitea/workflows/check-flake.yaml

@@ -4,45 +4,21 @@ on: [push]
 
 env:
   DEBIAN_FRONTEND: noninteractive
-  SSH_AUTH_SOCK: /tmp/ssh_agent.sock
+  PATH: /run/current-system/sw/bin/
 
 jobs:
   check-flake:
-    runs-on: ubuntu-latest
+    runs-on: nixos
     steps:
-      - name: Install Nix
-        uses: https://github.com/cachix/install-nix-action@v23
-        with:
-          github_access_token: ${{ secrets.__GITHUB_TOKEN }}
-          extra_nix_config: |
-            trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= s0.koi-bebop.ts.net:OjbzD86YjyJZpCp9RWaQKANaflcpKhtzBMNP8I2aPUU=
-            substituters = https://cache.nixos.org/ http://s0.koi-bebop.ts.net:5000
-
       - name: Checkout the repository
         uses: actions/checkout@v3
         with:
           fetch-depth: 0
 
+      - run: |
+          pwd
+          ls -lah .
+          whoami
+
       - name: Check Flake
-        run: |
+        run: nix flake check --show-trace
-          # Can only build x84_64 for now, so pick out those specifically
-          # nix flake check --show-trace
-
-          nix build .#nixosConfigurations."ray".config.system.build.toplevel
-          nix build .#nixosConfigurations."s0".config.system.build.toplevel
-          nix build .#nixosConfigurations."ponyo".config.system.build.toplevel
-          nix build .#nixosConfigurations."zoidberg".config.system.build.toplevel
-
-      - name: Setup SSH For Pushing to Binary Cache
-        run: |
-          # Set up push key with ssh-agent
-          echo "${{ secrets.BINARY_CACHE_PUSH_SSH_KEY }}" | base64 -d > ./.id_ed25519
-          chmod 600 ./.id_ed25519
-          eval $(ssh-agent -a $SSH_AUTH_SOCK)
-          ssh-add ./.id_ed25519
-          # Add Binary Cache as known host
-          mkdir -p ~/.ssh
-          echo "s0.koi-bebop.ts.net ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAwiXcUFtAvZCayhu4+AIcF+Ktrdgv9ee/mXSIhJbp4q" | tee -a ~/.ssh/known_hosts
-
-      - name: Copy all built derivations to remote cache
-        run: nix copy --to ssh://cache-push@s0.koi-bebop.ts.net /nix/store/*

common/server/default.nix

@@ -18,5 +18,6 @@
     ./nextcloud.nix
     ./iodine.nix
     ./searx.nix
+    ./gitea-actions-runner.nix
   ];
 }

common/server/gitea-actions-runner.nix

@@ -0,0 +1,136 @@
+{ config, pkgs, lib, allModules, ... }:
+
+# Gitea Actions Runner. Starts 'host' runner that runs directly on the host inside of a nixos container
+# This is useful for providing a real Nix/OS builder to gitea.
+# Warning, NixOS containers are not secure. For example, the container shares the /nix/store
+# Therefore, this should not be used to run untrusted code.
+# To enable, assign a machine the 'gitea-actions-runner' system role
+
+# TODO: skipping running inside of nixos container for now because of issues getting docker/podman running
+
+let
+  runnerRole = "gitea-actions-runner";
+  runners = config.machines.roles.${runnerRole};
+  thisMachineIsARunner = builtins.elem config.networking.hostName runners;
+
+  containerName = "gitea-runner";
+in
+{
+  config = lib.mkIf (thisMachineIsARunner && !config.boot.isContainer) {
+    # containers.${containerName} = {
+    #   ephemeral = true;
+    #   autoStart = true;
+
+    #   # for podman
+    #   enableTun = true;
+
+    #   # privateNetwork = true;
+    #   # hostAddress = "172.16.101.1";
+    #   # localAddress = "172.16.101.2";
+
+    #   bindMounts =
+    #     {
+    #       "/run/agenix/gitea-actions-runner-token" = {
+    #         hostPath = "/run/agenix/gitea-actions-runner-token";
+    #         isReadOnly = true;
+    #       };
+    #       "/var/lib/gitea-runner" = {
+    #         hostPath = "/var/lib/gitea-runner";
+    #         isReadOnly = false;
+    #       };
+    #     };
+
+    #   extraFlags = [
+    #     # Allow podman
+    #     ''--system-call-filter=thisystemcalldoesnotexistforsure''
+    #   ];
+
+    #   additionalCapabilities = [
+    #     "CAP_SYS_ADMIN"
+    #   ];
+
+    #   config = {
+    #     imports = allModules;
+
+    #     # speeds up evaluation
+    #     nixpkgs.pkgs = pkgs;
+
+    #     networking.hostName = lib.mkForce containerName;
+
+    #     # don't use remote builders
+    #     nix.distributedBuilds = lib.mkForce false;
+
+    #     environment.systemPackages = with pkgs; [
+    #       git
+    #       # Gitea Actions rely heavily on node. Include it because it would be installed anyway.
+    #       nodejs
+    #     ];
+
+    #     services.gitea-actions-runner.instances.inst = {
+    #       enable = true;
+    #       name = config.networking.hostName;
+    #       url = "https://git.neet.dev/";
+    #       tokenFile = "/run/agenix/gitea-actions-runner-token";
+    #       labels = [
+    #         "ubuntu-latest:docker://node:18-bullseye"
+    #         "nixos:host"
+    #       ];
+    #     };
+
+    #     # To allow building on the host, must override the the service's config so it doesn't use a dynamic user
+    #     systemd.services.gitea-runner-inst.serviceConfig.DynamicUser = lib.mkForce false;
+    #     users.users.gitea-runner = {
+    #       home = "/var/lib/gitea-runner";
+    #       group = "gitea-runner";
+    #       isSystemUser = true;
+    #       createHome = true;
+    #     };
+    #     users.groups.gitea-runner = { };
+
+    #     virtualisation.podman.enable = true;
+    #     boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
+    #   };
+    # };
+
+    # networking.nat.enable = true;
+    # networking.nat.internalInterfaces = [
+    #   "ve-${containerName}"
+    # ];
+    # networking.ip_forward = true;
+
+    # don't use remote builders
+    nix.distributedBuilds = lib.mkForce false;
+
+    services.gitea-actions-runner.instances.inst = {
+      enable = true;
+      name = config.networking.hostName;
+      url = "https://git.neet.dev/";
+      tokenFile = "/run/agenix/gitea-actions-runner-token";
+      labels = [
+        "ubuntu-latest:docker://node:18-bullseye"
+        "nixos:host"
+      ];
+    };
+
+    environment.systemPackages = with pkgs; [
+      git
+      # Gitea Actions rely heavily on node. Include it because it would be installed anyway.
+      nodejs
+    ];
+
+    # To allow building on the host, must override the the service's config so it doesn't use a dynamic user
+    systemd.services.gitea-runner-inst.serviceConfig.DynamicUser = lib.mkForce false;
+    users.users.gitea-runner = {
+      home = "/var/lib/gitea-runner";
+      group = "gitea-runner";
+      isSystemUser = true;
+      createHome = true;
+    };
+    users.groups.gitea-runner = { };
+
+    virtualisation.podman.enable = true;
+    boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
+
+    age.secrets.gitea-actions-runner-token.file = ../../secrets/gitea-actions-runner-token.age;
+  };
+}

machines/phil/default.nix

@@ -6,17 +6,4 @@
   ];
 
   networking.hostName = "phil";
-
-  services.gitea-actions-runner.instances.inst = {
-    enable = true;
-    name = config.networking.hostName;
-    url = "https://git.neet.dev/";
-    tokenFile = "/run/agenix/gitea-actions-runner-token";
-    labels = [
-      "debian-latest:docker://catthehacker/ubuntu:act-latest"
-      "ubuntu-latest:docker://catthehacker/ubuntu:act-latest"
-    ];
-  };
-  virtualisation.docker.enable = true;
-  age.secrets.gitea-actions-runner-token.file = ../../secrets/gitea-actions-runner-token.age;
 }

machines/storage/s0/default.nix

@@ -9,20 +9,6 @@
 
   # system.autoUpgrade.enable = true;
 
-  # gitea runner and allow it to build ARM derivationsFV
-  services.gitea-actions-runner.instances.inst = {
-    enable = true;
-    name = config.networking.hostName;
-    url = "https://git.neet.dev/";
-    tokenFile = "/run/agenix/gitea-actions-runner-token";
-    labels = [
-      "debian-latest:docker://catthehacker/ubuntu:act-latest"
-      "ubuntu-latest:docker://catthehacker/ubuntu:act-latest"
-    ];
-  };
-  virtualisation.podman.enable = true;
-  age.secrets.gitea-actions-runner-token.file = ../../../secrets/gitea-actions-runner-token.age;
-  boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; # todo: still needed?
   nix.gc.automatic = lib.mkForce false; # allow the nix store to serve as a build cache
 
   # binary cache

machines/zoidberg/default.nix

@@ -63,7 +63,7 @@
   };
 
   # Login into X11 plasma so barrier works well
-  services.xserver.displayManager.defaultSession = "Plasma (X11)";
+  services.xserver.displayManager.defaultSession = "plasma";
 
   users.users.cris = {
     isNormalUser = true;
@@ -85,7 +85,7 @@
   # Auto login into Plasma in john zoidberg account
   # services.xserver.displayManager.sddm.settings = {
   #   Autologin = {
-  #     Session = "Plasma (X11)";
+  #     Session = "plasma";
   #     User = "john";
   #   };
   # };